New Security Standards for NZ Government Agencies
24 June 2025
New Zealand's National Cyber Security Centre (NCSC) has drafted Cyber Security Standards which government agencies will be required to adopt and implement later this year.
The new standards outline the minimum cybersecurity practices that agencies must adopt for their business-critical and external-facing systems. In general terms, they require that cyber security policies, capabilities, controls, and practices must be well-formed and repeatable.
The Standards
10 draft Standards are currently being discussed with agencies and industry partners as part of pre-implementation consultation and feedback gathering. They are:
1. Security Awareness
2. Risk Management
3. Assets and their Importance
4. Secure Software Configuration
5. Patching
6. Multi-factor Authentication
7. Detect Unusual Behaviour
8. Least Privilege
9. Data Recovery
10. Response Planning
Maturity Model
The draft Standards feature a built-in Capability Maturity Model (CMM) to help agencies standardise how they measure, track and improve their cyber risk management over time.
CMM1 “Informal”: Security capability may be ad-hoc, unmanaged or unpredictable. Success may rely on individuals rather than institutional capability.
CMM2 “Planned and Tracked”: Security capability is well formed in designated business units. The security policies, capabilities, controls and practices are in place and repeatable. They are designed to meet the organisation’s core security requirements.
CMM3 “Standardised”: Security capability is standardised, integrated, understood and followed consistently across the enterprise. Security is well-governed and managed at an enterprise level.
CMM4 “Quantitatively Controlled”: Security capability and performance is measured, monitored and objectively and quantitatively controlled. Security measures are hardened in response to performance alerts. Security is a strategic focus for the organisation.
CMM5 “Optimising”: Security capability adapts to a dynamic, high-risk operating environment. Practices are generally recognised as world-leading and have near real-time measurement and response mechanisms.
Agencies will be required to meet at least Capability Maturity Model level two (CMM2) for their business-critical and external-facing systems.
Consultation Phase underway
The NCSC began consulting with affected agencies and industry partners on 16 June. Discussions will continue until 4 July 2025, with final Standards planned for publication in October 2025.
Agencies will be required to report on their implementation of the standards as part of the Protective Security Requirements reporting process (a framework for managing security within NZ government organisations) in April 2026.
The initial draft of the NCSC’s Minimum Cyber Security Standards is available for download from the NCSC website.
MFT as a Baseline Protection Tactic
NZ organisations seeking to step up to the new minimum standards should carefully consider installing a Managed File Transfer (MFT) solution as an initial step.
This relatively simple enhancement to IT systems puts organisations miles ahead of businesses still using risky and outdated FTP (File Transfer Protocol) or email to transfer files. MFT centralises data transfer and - more importantly - applies policies to data to protect it from threats such as inbound malware and employees sending files via ad hoc platforms outside the defensive perimeter (e.g. Google Drive and Dropbox).
MFT has the built-in advantage of “forcing” the application of policies designed to better protect data, such as encryption, monitoring, and auditing.
Expertise Close at Hand
No-one better understands local MFT needs and best practices than Generic Systems Australia. Our team has decades of experience helping organisations implement the world’s leading MFT solution. Our Migration Service makes the transition even easier for busy agencies who would rather focus on their core mission than their IT systems.
If you’d like a no-cost, no-obligation discussion about how we could help you simply and affordably adopt an advanced MFT solution, please feel welcome to get in touch.
At Generic Systems Australia, we’re your local experts in Secure Managed File Transfer.