{"avgDl":1378.2758620689656,"df":{"0":16,"00":6,"000":8,"00pm":1,"01":4,"02":2,"03":2,"04":2,"047":1,"05":5,"06":2,"07":1,"08":1,"09":3,"1":28,"10":15,"100":10,"1000":6,"101":1,"102":1,"1024":3,"103":1,"104":1,"10k":1,"11":4,"12":14,"128":3,"13":4,"137":1,"14":9,"14001":3,"145":1,"148":1,"15":8,"150":4,"15434":12,"155":1,"158":1,"16":1,"172":1,"173":1,"18":6,"180":1,"182":1,"186":1,"1976":1,"19795":9,"1982":1,"1988":1,"1995":1,"1997":1,"1999":1,"1m":2,"1s":1,"2":28,"2010":1,"2012":2,"2013":1,"2014":1,"2018":7,"2019":6,"2020":1,"2021":5,"2022":1,"2023":6,"2024":10,"2025":2,"2026":17,"2030":1,"2035":1,"21":2,"23":3,"23andme":2,"24":6,"240":3,"24h":1,"24x7":2,"25":1,"250":7,"256":6,"26":3,"2601":2,"27":2,"28":2,"29794":6,"2d":1,"3":27,"30":4,"30107":13,"31":4,"338":1,"339":1,"34":1,"35":1,"36":3,"374":1,"381":4,"3a":16,"3d":5,"4":27,"403":1,"42":3,"423":1,"43230000":1,"45":1,"468":1,"479":1,"48":1,"4a":13,"4b36":3,"5":23,"50":5,"500":2,"509":2,"51":2,"519":6,"53":1,"55":4,"5500":1,"556":1,"6":21,"60":5,"61":1,"647":1,"7":18,"709":1,"7500":1,"753":1,"758":1,"77":2,"8":17,"80":1,"8000":1,"824":1,"8500":1,"89":2,"8b48":3,"9":15,"90":6,"920":1,"9303":7,"95":8,"95m":1,"95th":2,"99":7,"a":27,"aa":13,"aadhaar":1,"abi":4,"abilities":2,"ability":6,"able":5,"abn":9,"abnormal":4,"about":9,"above":6,"abroad":1,"absolute":1,"ac1330062362":3,"academic":4,"accelerated":1,"accept":5,"acceptable":3,"acceptance":2,"accepted":2,"accepting":1,"accepts":2,"access":17,"accessed":2,"accessibility":12,"accessible":4,"accessing":2,"accompanies":1,"accordance":3,"according":1,"account":10,"accountability":2,"accounts":1,"accreditation":6,"accreditations":1,"accredited":7,"accrediting":1,"accrue":2,"accuracy":3,"accurate":4,"accurately":1,"achievable":1,"achieve":5,"achieves":2,"ack":1,"acknowledge":6,"acknowledged":1,"acknowledgement":2,"acknowledges":3,"acn":4,"acquire":5,"acquired":4,"acquisition":3,"across":12,"acsc":2,"act":19,"acting":1,"action":2,"actions":5,"active":4,"actively":1,"activ
ities":6,"activity":9,"acts":1,"actual":4,"actually":2,"ad":1,"adapt":1,"adaptation":2,"adapted":2,"add":5,"added":2,"addenda":7,"addendum":10,"addition":6,"additional":10,"address":8,"addressable":1,"addressed":2,"addresses":5,"addressing":1,"adds":1,"adelaide":1,"adequate":1,"adhere":1,"adjacent":9,"admin":3,"administer":1,"administering":1,"administrative":3,"adopted":1,"adopter":4,"adopters":1,"adopting":1,"adoption":2,"advanced":1,"advancements":1,"advantage":1,"advantages":3,"adversary":1,"advice":1,"advised":1,"advisers":2,"advises":1,"advisor":4,"advisory":9,"aead":2,"aes":1,"affairs":2,"affect":2,"affected":1,"affecting":1,"affinity":5,"affirmative":1,"afp":1,"after":4,"afterwards":1,"ag":1,"again":1,"against":16,"agdis":1,"age":6,"agencies":5,"agency":14,"agenda":3,"agent":1,"agents":2,"aggregate":1,"aggregates":3,"aggressive":1,"aggressively":1,"agreed":4,"agreement":2,"agreements":1,"agsva":1,"ai":4,"aim":1,"aims":1,"al":6,"alb":2,"alert":2,"alerting":7,"alerts":4,"algorithm":4,"algorithms":3,"align":5,"aligned":7,"alignment":4,"aligns":4,"alison":4,"all":23,"allied":1,"allow":6,"allowable":1,"allows":1,"almost":1,"alone":1,"alongside":5,"already":5,"also":3,"alter":2,"altered":1,"alternative":8,"alternatives":3,"alters":1,"amazon":3,"ambient":1,"amend":1,"amended":1,"among":3,"amortised":1,"amount":1,"amounts":2,"an":17,"analogue":1,"analyses":1,"analysis":9,"analytics":1,"anchored":1,"and":26,"android":4,"annexures":1,"anniversary":2,"annual":3,"annually":2,"annum":1,"anomalies":2,"anomalous":3,"anomaly":1,"anon":1,"anonyome":1,"another":2,"answer":5,"answered":1,"anti":3,"anticipate":1,"anticipates":1,"anuna":14,"any":22,"anyone":1,"anywhere":1,"ap":2,"apache":12,"api":6,"apis":1,"app":12,"apparent":1,"appeal":2,"appear":2,"appendices":1,"appendix":1,"apple":2,"applicable":8,"application":4,"applied":5,"applies":2,"apply":3,"approach":13,"appropriate":7,"appropriately":1,"approval":4,"approve":1,"approved":6,"approximately":2,"apps":1,"apr":2,"april":
1,"aps":1,"apsc":1,"ar":2,"arbn":2,"arcface":1,"architect":2,"architected":1,"architectural":5,"architecturally":4,"architecture":11,"architectures":2,"are":19,"area":1,"areas":3,"argument":1,"aria":2,"arise":1,"arises":1,"arithmetic":1,"around":1,"arrangement":7,"arrangements":5,"art":1,"artefact":1,"artefacts":1,"as":22,"asd":9,"asean":3,"asian":1,"asked":1,"asking":2,"asmade":1,"aspect":1,"aspects":2,"assembly":2,"assertable":1,"asserted":2,"asserting":1,"asserts":1,"assess":1,"assessed":4,"assessment":6,"assessor":5,"asset":1,"assets":1,"assist":1,"assistance":1,"associated":6,"associates":1,"assume":1,"assumed":1,"assumes":1,"assumptions":3,"assurance":5,"at":21,"atlassian":2,"atm":5,"ato":26,"atomic":2,"atomically":1,"attach":2,"attached":3,"attachment":12,"attachments":6,"attack":9,"attacker":1,"attacking":1,"attacks":4,"attempt":1,"attempted":1,"attempts":2,"attention":1,"attestation":1,"attested":3,"attracted":1,"attribute":3,"attributes":4,"au":11,"au10tix":1,"aud":7,"audio":2,"audit":10,"auditability":2,"auditable":3,"audited":5,"auditing":1,"auditor":2,"audits":1,"aug":1,"august":1,"ausgov":1,"austender":8,"austrac":1,"australia":12,"australian":20,"australians":2,"austria":1,"auth":1,"authenticated":4,"authenticates":1,"authenticating":1,"authentication":7,"authentications":1,"authorisation":3,"authorised":4,"authorises":1,"authoritative":1,"authority":4,"auto":2,"autodesk":8,"automated":5,"automatic":1,"automatically":1,"automation":2,"autonomous":7,"autoscaling":1,"availability":8,"available":14,"average":2,"award":1,"aware":4,"awareness":3,"aws":15,"axis":3,"az":2,"azure":1,"b":13,"bac":1,"back":1,"background":3,"backing":1,"backups":2,"backwards":1,"balanced":1,"balancer":1,"bangsamoro":7,"bank":1,"bar":1,"barmm":10,"barnes":2,"base":1,"based":15,"baseline":1,"basic":2,"basis":4,"bbs":9,"be":21,"beat":1,"because":4,"become":2,"becomes":7,"been":6,"before":17,"behalf":2,"behaviors":2,"behaviour":3,"behavioural":2,"behaviours":1,"behind":2,"being":6,"
belief":2,"believes":1,"below":9,"benchmark":7,"benchmarking":4,"benchmarks":1,"beneficial":4,"benefit":2,"benefits":3,"best":6,"better":1,"between":4,"beyond":4,"bias":1,"bid":1,"bill":1,"binary":1,"bind":1,"binding":10,"bindings":13,"binds":4,"bio":1,"biometric":18,"biometrics":3,"biostar":2,"birth":2,"bit":3,"bits":1,"ble":2,"blinding":1,"block":3,"blockchain":1,"blockers":1,"blocks":1,"bls":2,"bls12":4,"blur":2,"bn254":1,"bodies":1,"body":2,"bond":1,"bonus":2,"both":7,"bottom":1,"bound":4,"boundary":3,"bounded":2,"box":2,"brand":1,"branded":1,"branding":3,"breach":5,"breaches":1,"breadth":1,"break":1,"breakdown":1,"breakpoints":1,"brief":2,"briefings":1,"bring":1,"brings":2,"brisbane":1,"broaden":1,"broader":3,"broadly":1,"browser":7,"browsers":3,"brute":2,"bsi":10,"buchanan":4,"bucket":1,"buckets":1,"budget":1,"budgets":1,"buffer":2,"bugs":1,"build":4,"building":5,"built":3,"bundesamt":6,"burst":1,"business":9,"businesses":1,"but":8,"buttons":1,"buying":2,"by":25,"c":5,"c2024a00025":1,"ca":1,"cadence":2,"calendar":1,"call":7,"camera":4,"can":16,"canberra":4,"cancellation":1,"cancelled":1,"candidate":9,"cannot":9,"canvas":2,"capabilities":5,"capability":16,"capable":5,"capacity":11,"capital":2,"capped":1,"capture":10,"captured":6,"captures":5,"carbon":1,"carries":1,"carry":1,"case":6,"cases":6,"cash":1,"catalogue":3,"categories":1,"category":4,"cbcl":1,"cbindgen":2,"cd":2,"cea1b989":3,"ceases":1,"ceb0":3,"celeb":2,"central":3,"centralised":1,"centrally":5,"centre":3,"ceremony":5,"cert":2,"certain":1,"certainly":1,"certifiable":1,"certificate":4,"certificates":2,"certification":17,"certifications":6,"certified":11,"cfrg":2,"chacha20":3,"chain":7,"challenge":3,"challenged":1,"challenges":1,"change":5,"changes":3,"channel":3,"channels":5,"characters":1,"charge":2,"charged":1,"charges":3,"chart":2,"charter":1,"check":5,"checked":1,"checking":4,"checklist":2,"checks":5,"chin":1,"chinese":1,"chose":1,"chosen":1,"chrome":6,"ci":4,"circuit":4,"circumstance":1,"circumsta
nces":1,"citizen":8,"citizenship":3,"city":2,"claim":5,"claims":3,"claire":2,"clarification":2,"clarifications":7,"clarified":1,"clarifies":3,"clarify":2,"clarifying":1,"class":7,"classes":1,"classical":3,"classification":3,"classified":3,"clause":1,"clean":1,"cleanest":1,"clear":6,"clearance":4,"cleared":13,"clearly":2,"clerical":1,"client":9,"clients":2,"clinical":3,"close":8,"closed":1,"closes":2,"closest":3,"closing":6,"closure":4,"cloud":9,"cloudflare":1,"cloudfront":1,"cloudtrail":3,"cloudwatch":4,"cluster":2,"clusters":2,"co":4,"code":8,"codebase":4,"codeberg":5,"codes":3,"codifies":1,"coercion":5,"cognitive":1,"cohort":7,"collect":3,"collected":3,"collection":3,"collectively":1,"collector":1,"collusive":1,"colour":2,"colours":2,"column":3,"combination":2,"combine":5,"combined":4,"come":1,"comfortable":2,"coming":1,"commenced":5,"commencement":1,"commences":2,"comment":1,"commentary":3,"comments":3,"commercial":10,"commercially":4,"commission":1,"commissioner":1,"commit":3,"commitment":10,"commitments":6,"commits":3,"committed":5,"committee":2,"committing":1,"commodity":1,"common":1,"commonwealth":8,"communicate":1,"communication":2,"community":1,"company":5,"comparable":1,"comparatively":1,"compared":1,"comparing":1,"comparison":5,"compatibility":3,"compatible":3,"compel":1,"compensating":1,"compensation":1,"compete":1,"competition":1,"competitive":2,"competitor":2,"competitors":2,"complaint":1,"complaints":1,"complement":1,"complementary":3,"complements":1,"complete":12,"completed":4,"completely":1,"completes":1,"completing":3,"completion":3,"compliance":18,"compliant":12,"complies":3,"comply":6,"complying":4,"component":7,"components":9,"composite":3,"composition":1,"compounds":2,"comprehensive":2,"compressed":1,"comprises":1,"comprising":1,"compromise":2,"computer":2,"computing":1,"concept":9,"conceptually":1,"concern":1,"concerned":1,"concerning":1,"concerns":1,"concise":1,"concluded":1,"concrete":4,"condition":2,"conditions":9,"conduct":5,"conducted":1,
"conducting":3,"confidence":5,"confidential":2,"confidentiality":8,"config":1,"configurable":5,"configuration":3,"confirm":8,"confirmation":2,"confirmed":2,"confirming":1,"confirms":1,"conflict":2,"conflicts":1,"conform":3,"conformance":1,"connected":5,"connection":1,"connectivity":12,"connects":3,"connor":5,"consent":2,"consequence":1,"consequences":1,"conservative":1,"consider":1,"consideration":2,"considered":2,"considers":1,"consistent":5,"console":1,"consolidated":4,"consortium":1,"constraints":2,"construction":10,"consultant":1,"consultation":1,"consume":1,"consumer":1,"contact":7,"contacts":1,"contain":1,"contained":2,"container":1,"contains":2,"content":4,"contents":2,"context":12,"contexts":5,"contingencies":1,"contingent":2,"continued":1,"continues":2,"continuity":1,"continuous":7,"continuously":4,"contract":12,"contracted":1,"contracting":4,"contractor":2,"contractors":3,"contracts":3,"contractual":3,"contrast":2,"contrasts":1,"contravened":1,"contravention":1,"contribution":1,"control":12,"controlled":5,"controls":10,"controversy":1,"conventional":1,"conversation":1,"conversations":2,"cookies":1,"cooperation":4,"cooperative":12,"coordinate":1,"coordinated":1,"coordination":1,"copied":1,"copy":6,"core":7,"corpora":1,"corporate":6,"corpus":6,"correct":2,"correction":2,"corrections":1,"correctness":1,"correspond":2,"cosine":1,"cost":11,"costs":7,"could":8,"count":2,"counter":1,"counterpart":1,"country":5,"counts":3,"coupled":3,"courier":1,"course":1,"courts":1,"covenant":2,"cover":7,"coverage":4,"covered":5,"covering":2,"covers":4,"cpi":2,"cprs":1,"crawl":3,"crawler":1,"creates":3,"creation":2,"credential":8,"credentials":7,"credibility":2,"credibly":2,"criminal":1,"criteria":11,"criterion":1,"critical":5,"criticality":1,"crl":4,"crls":2,"cross":6,"crosses":3,"crypto":2,"cryptographer":2,"cryptographic":13,"cryptographically":4,"cryptography":4,"cryptosystem":1,"crystals":4,"csca":1,"csiro":9,"cth":3,"curated":5,"currency":4,"current":19,"currently":13,"cur
ve":2,"custom":2,"customer":2,"customers":2,"customisable":2,"customisation":1,"customise":5,"cutover":1,"cutting":4,"cve":4,"cyber":4,"cycle":2,"cycles":2,"d":10,"daily":4,"damage":2,"darwin":1,"dashboards":8,"data":17,"data61":9,"database":2,"datadog":2,"date":17,"dates":6,"dave":2,"day":5,"days":7,"db":1,"deadline":1,"deadlock":1,"deal":1,"dealing":1,"dealings":1,"dealt":1,"dear":1,"debriefed":1,"debriefing":1,"dec":2,"decade":1,"deceived":1,"december":1,"decision":1,"decisions":3,"decisive":6,"decisively":1,"declaration":6,"declarations":2,"declare":2,"decoupled":3,"decreases":1,"decrypted":1,"dedicated":6,"deemed":1,"deepfake":3,"deepfakes":4,"default":3,"defeasible":1,"defeats":2,"defence":4,"defences":1,"defensible":3,"deferral":2,"define":1,"defined":4,"defining":2,"definition":2,"definitions":3,"degraded":1,"delay":2,"delegate":1,"deliver":8,"deliverable":1,"delivered":7,"deliveries":1,"delivering":6,"delivers":1,"delivery":17,"delta":1,"demo":4,"demographic":1,"demonstrable":1,"demonstrate":7,"demonstrated":2,"demonstrates":1,"demonstrating":4,"demonstration":4,"demonstrations":1,"department":2,"departments":1,"dependabot":1,"dependence":2,"dependencies":5,"dependency":10,"dependent":1,"depends":4,"deploy":9,"deployable":1,"deployed":6,"deploying":1,"deployment":14,"deployments":7,"deprecation":1,"depth":3,"der":6,"deregistration":1,"deregulation":1,"derived":1,"derives":1,"describe":6,"described":4,"describes":2,"description":8,"descriptions":1,"design":13,"designed":2,"designs":3,"desirable":5,"desireable":1,"desktop":4,"desktops":2,"detail":7,"detailed":3,"details":10,"detect":4,"detected":1,"detection":15,"detects":1,"determine":4,"determines":1,"deterministic":1,"dev":4,"developed":4,"development":7,"developments":1,"device":12,"devices":3,"devrient":1,"dfat":2,"diagram":3,"diagrams":1,"dialogue":10,"diaspora":1,"differ":1,"differences":1,"different":3,"differential":1,"differently":3,"digital":14,"digitalidsystem":3,"diligence":2,"diligent":1,"dilige
ntly":1,"dilithium":4,"dim":2,"dimension":3,"direct":15,"directed":1,"direction":2,"directly":11,"directors":3,"directory":1,"disability":2,"disabling":1,"disaster":1,"discarded":1,"discipline":1,"disciplines":1,"disclose":2,"disclosed":4,"disclosing":1,"disclosure":14,"discontinue":1,"discount":2,"discounts":4,"discrete":1,"discretion":1,"discriminates":1,"discuss":1,"disp":3,"display":1,"displayed":2,"displays":1,"disrepute":1,"distance":2,"distinctive":6,"distinctiveness":1,"distributed":2,"distribution":2,"distributions":2,"diverse":5,"diversity":1,"division":1,"dns":4,"do":6,"dob":2,"doc":6,"docs":1,"document":15,"documentation":8,"documented":6,"documents":9,"docx":7,"does":13,"doesn":4,"dof":1,"doing":1,"dollars":2,"domain":1,"domestically":1,"domiciled":1,"don":1,"done":3,"down":5,"download":2,"downloaded":4,"downloads":2,"downstream":2,"draft":11,"drafts":1,"drift":1,"drill":3,"driven":4,"driver":2,"drop":4,"dry":1,"dta":1,"dual":1,"due":3,"duration":2,"during":8,"duties":3,"dvs":6,"dynamic":3,"e":14,"each":11,"eal":11,"early":15,"easy":1,"ebs":1,"ec2":1,"ecdh":2,"economic":1,"economy":1,"ecosystems":1,"edge":9,"edit":1,"edited":1,"effect":1,"effective":5,"effectively":2,"effectiveness":1,"efficient":1,"effort":4,"efforts":1,"egov":10,"egress":3,"eight":1,"either":11,"eks":3,"elaborates":1,"elapsed":3,"electronic":2,"electronically":4,"elements":5,"eligibility":1,"eliminates":1,"eliminating":1,"elliptic":1,"else":1,"email":12,"embarrass":1,"embedded":2,"embedding":3,"embeddings":2,"emerging":6,"emf":1,"empirically":1,"employ":3,"employee":4,"employees":1,"employer":4,"employers":1,"employment":2,"employs":1,"ems":2,"enable":5,"enabled":3,"enables":2,"enabling":2,"enclave":1,"encourage":1,"encrypted":2,"encryption":5,"end":11,"endeavour":3,"endpoint":6,"energy":1,"enforce":1,"enforced":4,"engage":6,"engaged":1,"engagement":10,"engagements":7,"engaging":4,"engine":1,"engineer":4,"engineering":7,"engineers":4,"english":1,"enhance":2,"enhanced":2,"enhancement":
1,"enhancements":2,"enjoy":1,"enquiries":1,"enquiry":1,"enrol":4,"enrolled":1,"enrolment":5,"enrolments":1,"enrols":1,"ensure":7,"ensuring":2,"enter":2,"entered":1,"entering":2,"enterprise":3,"enters":1,"entire":3,"entirely":4,"entities":3,"entitlements":3,"entity":11,"entra":1,"entrepreneurship":2,"entrust":1,"entrusted":1,"entry":3,"envelope":2,"environment":12,"environmental":2,"environmentally":1,"environments":10,"epassport":8,"epassports":3,"ephemeral":2,"equal":1,"equality":3,"equitable":1,"equivalent":5,"equivalents":1,"error":4,"errors":1,"escalation":2,"escalations":1,"escrow":3,"especially":2,"essential":7,"establish":2,"establishement":1,"estimate":1,"estimated":4,"estoppel":1,"et":6,"etc":7,"eth":1,"ethereum":2,"ethical":3,"ethics":2,"ethnicity":2,"eu":1,"european":6,"evaluate":1,"evaluated":1,"evaluating":4,"evaluation":16,"evaluator":2,"even":4,"event":5,"eventbridge":2,"events":4,"eventuate":1,"ever":3,"every":14,"evidence":17,"evidenced":1,"evidencing":1,"evolution":3,"evolve":2,"evolved":2,"evolves":2,"ex":2,"exact":3,"exactly":2,"examination":1,"examining":1,"example":3,"exceed":4,"exceeds":2,"excel":4,"except":3,"exchange":3,"exchanged":1,"excise":1,"exclude":1,"excluded":1,"excluding":2,"exclusions":1,"exclusive":5,"exclusivity":1,"execute":3,"executes":1,"executive":4,"executives":2,"exempt":1,"exercise":2,"exercising":1,"exfiltrate":1,"exfiltrated":1,"exif":1,"exist":5,"existing":13,"exists":5,"expansion":1,"expat":1,"expect":1,"expectations":3,"expected":4,"expects":1,"expense":1,"expenses":2,"expensive":1,"experience":8,"experienced":3,"experiences":3,"expertise":1,"explain":1,"explanation":2,"explicit":4,"explicitly":4,"exploitation":3,"explore":1,"exploring":1,"export":3,"expose":1,"exposed":6,"exposes":2,"exposing":3,"exposure":2,"exposures":1,"express":1,"expressed":1,"expressly":1,"extend":2,"extends":1,"extension":12,"extent":2,"extract":2,"extractions":2,"extractor":2,"extracts":4,"f":1,"face":6,"facetec":1,"facial":7,"facility":2,"fa
cing":5,"factor":4,"fail":4,"failed":1,"fails":2,"failure":7,"failures":5,"fallback":2,"false":3,"familiarise":1,"familiarised":1,"far":3,"faster":1,"fatf":1,"favour":1,"favourably":1,"feasibility":1,"feasible":1,"feature":5,"features":4,"federal":5,"federated":1,"fee":4,"feed":2,"fees":2,"few":1,"ffi":3,"field":3,"fields":4,"figma":3,"figure":2,"file":3,"filename":1,"filepath":1,"files":4,"fill":1,"filled":1,"final":8,"finance":3,"financial":11,"financially":2,"financials":1,"findings":1,"fingerprint":1,"fingerprints":3,"firefox":6,"firehose":2,"firm":6,"firms":1,"first":12,"fit":13,"fits":6,"five":3,"fixed":2,"flagship":1,"flash":8,"flashes":3,"flashing":1,"flashmark":1,"flat":3,"flight":1,"flow":9,"flowing":1,"flows":2,"fmr":12,"fnmr":12,"foci":13,"focused":2,"folder":1,"follow":2,"following":8,"follows":3,"fonts":2,"footprint":2,"for":27,"force":3,"forecast":3,"forehead":1,"foreign":13,"form":17,"formal":7,"formally":1,"format":3,"formed":1,"former":1,"forms":7,"forward":2,"forwarder":1,"found":1,"foundational":1,"founded":1,"founder":6,"four":6,"frame":3,"frames":3,"framework":9,"frameworks":5,"framing":3,"france":1,"fraud":5,"free":3,"freedom":1,"freely":5,"frequency":1,"fresh":1,"friendly":5,"from":22,"front":2,"frontend":2,"frr":1,"frt":1,"fulfilling":1,"full":12,"fully":7,"function":5,"functional":1,"functions":1,"fund":1,"funded":5,"funding":2,"funds":4,"furnish":1,"further":2,"future":16,"fvs":8,"fy2024":1,"fy2025":1,"fy24":1,"fy25":1,"für":6,"g":12,"gain":1,"galxe":1,"gap":13,"gaps":13,"gateway":2,"gating":1,"gcm":1,"gemalto":1,"gen":1,"gender":5,"general":10,"generate":5,"generated":4,"generates":1,"generating":4,"generation":4,"genetic":1,"genuine":1,"genuinely":1,"geographic":2,"geometry":1,"german":1,"germany":10,"getusermedia":1,"giesecke":1,"github":3,"gitignored":1,"gitops":1,"give":1,"given":2,"gives":3,"global":2,"globally":1,"globals":1,"go":10,"goes":1,"going":2,"good":4,"goods":5,"google":1,"gov":9,"governance":8,"government":18,"governmental
":1,"governments":6,"govuk":10,"grade":1,"grafana":3,"grant":1,"granted":2,"grants":2,"graviton3":2,"greater":3,"grounds":1,"group":5,"groups":1,"growing":1,"growth":2,"gst":7,"guarantee":5,"guarantees":2,"guardduty":3,"guidance":6,"guide":1,"guidelines":2,"guides":3,"h":10,"hace":6,"had":1,"halo2":9,"hamming":2,"hand":2,"handles":4,"handling":4,"handover":2,"happens":1,"happy":1,"hard":3,"hardening":2,"harder":1,"hardware":7,"harness":1,"has":16,"hash":5,"hashed":2,"hashes":2,"hashing":1,"have":15,"having":1,"hcf":3,"head":1,"headcount":1,"heading":4,"headings":5,"headline":3,"headquarters":1,"headroom":4,"health":7,"healthcare":5,"heavy":1,"hec":2,"held":11,"hello":2,"helm":1,"helpdesk":7,"hence":2,"her":1,"heroic":1,"hid":1,"hidden":3,"hide":1,"hiding":1,"high":9,"higher":2,"highest":2,"highly":1,"his":1,"histogram":1,"histograms":1,"historical":1,"history":1,"hit":2,"hkdf":1,"hobart":1,"hoc":1,"hold":4,"holder":1,"holders":1,"holding":3,"holds":9,"holiday":1,"home":1,"homomorphic":1,"honest":6,"honestly":1,"honesty":1,"horizon":1,"horizontal":1,"horizontally":2,"hosted":8,"hosting":12,"hosts":1,"hot":1,"hour":9,"hourly":1,"hours":3,"house":1,"how":11,"however":2,"hr":2,"hrv":1,"http":4,"https":11,"hugo":7,"human":4,"humanity":1,"humans":1,"hyperlinked":1,"hyperscalers":1,"i":7,"iaas":3,"iac":4,"iag":8,"iam":4,"ibeta":2,"icao":7,"iconography":1,"ict":1,"id":15,"ideal":1,"idemia":1,"identically":2,"identification":3,"identified":3,"identifier":4,"identifies":2,"identify":8,"identity":14,"idverse":1,"ie":1,"iec":14,"ies":1,"ietf":2,"if":15,"ii":5,"iii":5,"ijb":2,"ilac":6,"illumination":2,"image":8,"image1":4,"image3":4,"image4":1,"imaged":1,"images":5,"immediate":4,"immediately":4,"immutability":2,"impact":4,"impair":1,"impartial":1,"impede":1,"implement":4,"implementation":12,"implementations":2,"implementing":2,"implications":2,"implicit":1,"implied":1,"importance":1,"impose":1,"imposes":1,"impossible":2,"improper":1,"improperly":1,"improve":1,"improved":2,"impro
vement":1,"improvements":1,"improves":2,"in":25,"inaccurate":1,"inc":1,"incident":9,"incidental":1,"incidentals":1,"incidents":4,"incl":1,"include":13,"included":1,"includes":11,"including":13,"inclusive":3,"inclusivity":5,"incomplete":2,"inconsistency":1,"incorporate":1,"incorporated":5,"incorporates":1,"incorporating":1,"incorporation":4,"incorrect":1,"increase":1,"increasing":3,"incremental":2,"incumbent":2,"incumbents":1,"incurred":1,"indefinitely":1,"indemnity":1,"independent":1,"independently":2,"index":4,"indexation":3,"indexed":1,"indicate":3,"indicated":2,"indication":1,"indicative":5,"indicators":3,"indigenous":4,"individual":3,"individuals":3,"indo":3,"inducements":1,"industry":5,"influence":5,"info":1,"inform":4,"information":18,"informationstechnik":6,"informative":1,"informed":1,"informs":1,"infrastructure":14,"inherent":1,"initial":4,"initiatives":1,"injunction":1,"innovation":1,"innovative":2,"insert":5,"inside":7,"insider":5,"insights":3,"inspect":1,"installed":2,"instance":6,"instances":1,"instead":1,"instructions":6,"instrument":1,"insurance":2,"integratable":3,"integrated":2,"integrates":2,"integrating":2,"integration":15,"integrations":3,"integrator":5,"integrity":7,"intel":1,"intelligence":4,"intend":1,"intended":1,"intends":2,"intent":2,"inter":3,"interacting":3,"interest":3,"interested":1,"interface":2,"interim":2,"internal":13,"internally":2,"international":8,"internationally":2,"internet":9,"interoperability":1,"interoperable":1,"intersection":1,"interval":4,"into":15,"introduce":1,"introduction":3,"invalidates":2,"inversion":1,"investigate":1,"investigated":1,"investigations":1,"investing":1,"investment":4,"invitation":1,"invite":2,"invited":1,"invites":3,"invoice":1,"invoicing":1,"invoke":2,"involve":1,"involved":2,"involves":2,"involving":2,"io":5,"ios":4,"ip":8,"ip1":2,"ip2":2,"ip3":7,"ipp":3,"iproov":1,"ir":2,"irap":15,"iris":1,"iron":1,"is":27,"island":2,"ism":9,"isn":1,"iso":15,"isolated":3,"isolates":1,"isolation":1,"israel":1,"issu
e":4,"issued":8,"issues":2,"it":16,"item":5,"items":5,"its":12,"itself":11,"iv":1,"japan":1,"javascript":1,"jmrtd":3,"jni":4,"joint":3,"jointly":1,"journalist":1,"journey":1,"judicial":5,"july":10,"jumio":1,"jun":6,"june":4,"jurisdiction":2,"jurisdictional":1,"jurisdictions":1,"just":2,"k":5,"kb":5,"keep":5,"kellogg":6,"kept":2,"key":12,"keys":3,"keystore":1,"kind":2,"kinesis":2,"kms":2,"know":2,"knowingly":1,"knowledge":13,"known":2,"knows":2,"kotlin":1,"kudelski":1,"kyber":1,"kyc":2,"l":1,"l2":6,"l3":6,"l4":2,"lab":4,"labels":2,"laboratory":6,"labour":5,"labs":1,"lambda":2,"landing":3,"lands":1,"landscape":3,"language":4,"large":6,"larger":4,"largest":1,"last":6,"late":1,"latencies":1,"latency":5,"later":5,"latitude":3,"launch":2,"law":4,"laws":5,"layer":4,"layers":1,"layout":2,"lead":4,"leader":1,"leading":2,"learn":1,"learning":1,"learns":1,"lease":1,"leasing":1,"least":5,"leaves":8,"legacy":1,"legal":9,"legislation":3,"legislative":1,"less":1,"lesser":1,"let":3,"lets":1,"letter":4,"letterhead":2,"letters":1,"level":17,"levels":4,"leverage":2,"lexisnexis":1,"lfw":1,"liabilities":1,"liability":3,"liable":1,"libicaocertificate":1,"libraries":3,"library":12,"libs":1,"licence":9,"licences":2,"license":1,"licensed":6,"licenses":1,"licensing":6,"life":1,"lifecycle":3,"light":2,"like":1,"likely":3,"limit":1,"limitation":1,"limitations":2,"limited":9,"limits":1,"line":3,"linearly":3,"lingers":1,"linked":8,"list":9,"listed":5,"listing":3,"lists":1,"litigation":1,"live":12,"liveness":15,"lives":1,"living":4,"ll":1,"load":4,"loads":2,"loan":1,"lobbying":1,"local":3,"localisation":1,"localised":4,"locally":1,"located":2,"location":2,"locations":1,"lock":7,"lodge":2,"lodged":3,"lodgement":12,"lodges":1,"lodging":1,"log":7,"logged":3,"logging":7,"logic":1,"login":5,"logins":1,"logon":1,"logos":2,"logs":7,"long":1,"longer":2,"longest":1,"looking":3,"lose":3,"loss":7,"low":6,"lower":3,"lowest":1,"lr5":1,"lt":3,"ltd":1,"lv":12,"m":14,"made":4,"magface":1,"magnitude":2,"maint":1,
"maintain":4,"maintainability":6,"maintainable":3,"maintained":2,"maintaining":1,"maintenance":10,"major":2,"majority":2,"make":2,"makes":2,"making":1,"malicious":1,"manage":2,"managed":8,"management":10,"manager":2,"managing":1,"mandated":1,"mandatory":8,"manner":1,"manual":3,"manuals":3,"many":1,"mapped":1,"mapping":5,"mappings":3,"maps":2,"march":1,"marginal":3,"markdown":3,"marked":1,"market":9,"mask":1,"masks":2,"master":2,"match":9,"matcher":1,"matches":2,"matching":9,"material":6,"materially":7,"materials":7,"mathew":2,"matrix":6,"matter":1,"matters":4,"maturation":2,"mature":2,"maturing":3,"maturity":1,"maui":15,"maximum":1,"may":9,"maybe":1,"mean":1,"means":5,"measure":2,"measured":3,"measurement":2,"measures":1,"mechanical":2,"mechanisms":3,"media":4,"medibank":3,"medium":2,"meet":5,"meeting":5,"meetings":1,"meets":6,"megabyte":1,"megabytes":1,"melbourne":1,"member":7,"members":3,"membership":3,"memory":2,"mention":1,"menu":2,"merely":1,"merge":1,"merges":2,"meruit":1,"met":4,"meta":1,"metadata":5,"methodologies":3,"methodology":5,"methods":4,"metric":1,"metrics":7,"mgt":2,"microsoft":15,"mid":1,"migration":6,"milestone":1,"milestones":5,"military":1,"million":5,"millions":1,"min":1,"mindanao":7,"minimal":4,"minimisation":7,"minimised":2,"minimum":9,"minister":1,"minor":2,"minute":2,"minutes":1,"mirror":2,"mishandling":1,"misleading":1,"mission":3,"mit":1,"mitek":1,"mitigate":1,"mitigated":1,"mitigation":5,"mmr":2,"mobile":7,"mode":5,"model":11,"models":4,"modern":3,"modifications":2,"module":4,"modules":2,"moment":1,"mon":1,"money":5,"monitor":3,"monitored":1,"monitoring":11,"monitors":1,"monotonic":1,"month":4,"monthly":4,"months":12,"more":7,"most":8,"motion":2,"motor":1,"moved":2,"moving":1,"ms":9,"mtls":3,"multi":5,"multiple":4,"muslim":7,"must":14,"my":2,"myid":20,"myids":1,"mytka":2,"n":2,"name":11,"named":6,"names":2,"naming":1,"narellan":2,"narrative":5,"nation":1,"national":6,"nationality":1,"nations":2,"native":4,"natural":9,"nature":3,"nbsp":1,
"ndss":6,"nec":1,"necessarily":1,"necessary":2,"need":4,"needed":3,"needing":1,"needs":8,"negligence":1,"negligible":1,"negotiable":1,"negotiate":1,"negotiated":1,"neither":3,"net":6,"network":5,"networks":3,"neutrality":1,"never":9,"new":6,"newcomer":1,"next":5,"nfc":11,"nhs":1,"niaa":2,"nist":6,"no":23,"node":1,"nominate":1,"nominated":3,"non":14,"nonce":3,"nonces":2,"none":7,"nor":2,"normal":1,"not":22,"note":9,"noted":1,"notes":12,"nothing":2,"notice":2,"notices":1,"notifiable":1,"notification":2,"notifications":1,"notified":1,"notifies":1,"notify":1,"noting":1,"now":5,"nsw":1,"nt":1,"nuget":2,"number":2,"numbers":6,"nv1":12,"o":9,"oaic":1,"object":2,"objectives":6,"obligation":2,"obligations":6,"obliged":1,"observability":2,"observed":1,"obtain":3,"obtainable":1,"obtained":1,"obtaining":1,"obviated":2,"occlusion":1,"occur":2,"october":1,"oecd":3,"of":29,"off":10,"offence":1,"offer":11,"offered":3,"offering":5,"offers":4,"office":8,"officer":3,"officers":1,"official":2,"offline":8,"offshore":8,"ok":1,"older":1,"ombudsman":1,"on":23,"onboarding":2,"once":4,"one":14,"onfido":1,"ongoing":11,"online":8,"only":18,"op":13,"open":14,"openly":1,"opentelemetry":1,"operate":4,"operated":1,"operates":4,"operating":6,"operation":10,"operational":12,"operationalised":1,"operationally":1,"operations":9,"operative":1,"operatives":1,"operator":1,"opinion":1,"opm":1,"opportunities":1,"opportunity":6,"opposed":1,"ops":4,"option":3,"optional":6,"optionally":4,"options":8,"optus":3,"or":24,"oral":1,"orb":1,"order":6,"orders":3,"org":3,"organisation":2,"organisational":6,"organisations":1,"organizations":1,"origin":1,"original":3,"originally":1,"originals":1,"originates":3,"os":1,"oses":1,"oss":1,"other":14,"others":3,"otherwise":4,"ought":1,"our":11,"out":7,"outcome":3,"outcomes":2,"outlined":1,"outlines":2,"output":2,"outside":9,"oval":1,"over":12,"overhead":1,"overlaps":1,"overseas":1,"overview":9,"own":4,"owned":2,"owner":4,"owners":1,"ownership":7,"owns":1,"p":11,"p1":3,"p2":2,
"p2019":1,"p2p":5,"p3":2,"p4":2,"p95":4,"p99":1,"pace":2,"pacific":7,"pacing":1,"pack":1,"package":3,"packaged":1,"packaging":2,"pad":16,"page":12,"pagerduty":2,"pages":2,"paging":2,"paid":7,"pair":2,"pairing":1,"palette":1,"panel":1,"paper":1,"paragraph":4,"parallel":3,"parameter":1,"parameters":3,"parent":1,"parliament":1,"parliamentary":3,"part":21,"part1":1,"part2":1,"part3":1,"part3a":1,"part4":1,"part4a":1,"partially":8,"participate":2,"participating":2,"participation":6,"particular":1,"particularly":2,"parties":1,"partner":7,"partnering":1,"partners":2,"partnership":4,"parts":3,"party":13,"pass":8,"passing":5,"passport":3,"passports":1,"past":3,"patch":2,"patches":4,"patching":7,"patented":1,"path":5,"paths":2,"pathway":3,"pathways":2,"patient":2,"pattern":4,"patterns":4,"payloads":4,"payment":4,"pd":3,"pdf":2,"pdfs":1,"peak":8,"pedersen":4,"peer":7,"pending":1,"penetration":1,"peps":3,"per":19,"perceived":1,"percentile":2,"percentiles":1,"perform":2,"performance":11,"performed":1,"performing":1,"performs":1,"period":3,"permits":1,"permitted":1,"perpetual":4,"person":3,"personal":6,"personnel":9,"persons":3,"perspective":1,"perth":1,"phase":3,"phased":2,"philippines":7,"philosophy":1,"phone":6,"phones":2,"photo":5,"photos":3,"physical":2,"pi":7,"pic":1,"piece":1,"piggy":1,"pii":1,"pillar":1,"pillars":2,"pilot":1,"pilots":1,"pipeline":6,"pipelines":3,"pki":6,"place":11,"placed":1,"placeholders":1,"placing":1,"plain":1,"plan":13,"plane":4,"planned":7,"planning":1,"plans":2,"platform":10,"platforms":5,"plausible":3,"play":1,"players":1,"playwright":1,"please":2,"pleased":1,"plus":7,"pm":2,"png":4,"poc":9,"pod":2,"pods":2,"point":7,"policies":4,"policy":12,"political":1,"politically":4,"poly1305":3,"polygon":1,"pool":3,"poor":1,"population":1,"portal":7,"portals":1,"portfolio":1,"portfolios":1,"pose":1,"poseidon":3,"position":12,"positioning":2,"positions":5,"possession":1,"possible":5,"post":12,"postal":1,"posting":1,"posture":2,"potential":8,"potentially":1,"pq
":1,"pqc":3,"pr":2,"practice":5,"practices":4,"practitioner":8,"practitioners":1,"pragmatic":1,"pre":5,"precedence":1,"precisely":1,"preclude":1,"predicate":2,"predicates":7,"predicting":1,"preferential":2,"preferred":1,"prejudice":1,"preparation":1,"prepared":1,"preparing":2,"prepay":1,"prescribed":1,"prescription":2,"presence":1,"present":5,"presentation":7,"presentations":1,"presented":3,"presents":1,"preserved":1,"preserving":4,"pressure":1,"prevail":1,"prevent":5,"preventing":2,"prevention":5,"previous":1,"previously":2,"price":6,"priced":1,"prices":2,"pricing":16,"primarily":1,"primary":2,"prime":2,"primitive":2,"primitives":6,"principal":4,"principles":7,"print":1,"printed":5,"prior":11,"priorities":2,"prioritisation":1,"prioritised":1,"priority":2,"privacy":14,"privado":1,"private":5,"privatelink":12,"privately":1,"privilege":2,"privileged":7,"privileges":1,"probable":1,"probity":1,"problem":2,"problems":1,"procedural":1,"procedures":3,"proceed":5,"proceedings":1,"proceeds":1,"process":7,"processes":6,"processing":5,"processor":1,"processors":2,"procure":1,"procured":4,"procurement":17,"procures":1,"prod":1,"produced":3,"producing":1,"product":6,"production":16,"products":7,"professional":2,"profile":7,"profiles":2,"program":3,"programme":9,"programmes":2,"programming":2,"progress":2,"progresses":3,"progressive":1,"project":4,"projected":1,"projecting":1,"projection":1,"projections":1,"projects":3,"promise":3,"promissory":1,"promote":1,"promptly":1,"prompts":2,"proof":13,"proofing":4,"proofs":7,"proper":1,"properly":2,"properties":5,"property":5,"proportion":1,"proportionate":1,"proposal":1,"proposals":1,"propose":5,"proposed":11,"proposes":4,"proposing":1,"proprietary":1,"protect":1,"protected":16,"protection":2,"protects":1,"protocol":4,"provable":2,"prove":5,"proven":5,"provenance":1,"proves":2,"provide":13,"provided":11,"provider":9,"providers":8,"provides":8,"providing":6,"proving":2,"provision":3,"provisioning":1,"provisions":4,"pse":2,"pspf":4,"public
":14,"publication":2,"publications":1,"publicly":4,"publish":3,"published":12,"publishes":2,"publishing":1,"pulled":1,"purchase":1,"pure":3,"purpose":2,"purposes":6,"push":1,"q":2,"q1":2,"q10":2,"q11":2,"q12":1,"q13":1,"q14":3,"q15":2,"q2":2,"q3":2,"q4":1,"q5":1,"q6":1,"q7":1,"q8":1,"q9":2,"qld":1,"quad":3,"qualifications":1,"qualified":4,"quality":8,"quantitative":2,"quantity":2,"quantum":6,"quarter":1,"quarterly":3,"quasi":1,"queries":4,"query":1,"question":5,"questions":7,"quick":2,"quotation":1,"quote":2,"r":1,"random":1,"range":4,"ranges":5,"rate":9,"rates":12,"rather":3,"ratios":2,"raw":3,"rds":1,"re":8,"reach":2,"reaches":2,"read":6,"readable":4,"reader":1,"readiness":4,"reading":6,"ready":3,"real":6,"realistic":1,"reasonable":1,"reasonably":1,"reasons":2,"reauthentication":1,"rebuild":1,"recaptures":1,"receipt":3,"receive":1,"received":1,"receives":4,"recently":1,"recognition":2,"recommendations":7,"recommended":2,"reconciliation":1,"reconstruct":1,"record":10,"recorded":1,"recordkeeping":1,"records":2,"recovery":6,"rectify":1,"recurring":1,"red":2,"reduce":1,"reducing":1,"reduction":1,"ref141431744":1,"ref141431774":2,"ref141431793":2,"refer":2,"reference":8,"referenced":1,"references":7,"referral":1,"referred":1,"refine":3,"refined":1,"reflect":2,"reflectance":3,"reflecting":1,"reflections":1,"reflects":4,"reframed":1,"refresh":2,"refresher":1,"refuse":1,"regard":1,"regarding":2,"regardless":1,"regime":1,"regimes":3,"region":8,"regional":5,"regionally":4,"regions":3,"register":2,"registered":4,"registration":1,"registry":1,"regular":4,"regulating":1,"regulation":1,"regulatory":1,"reinforced":1,"reinforces":1,"reject":2,"rejection":1,"rejects":2,"rekognition":1,"relate":1,"related":2,"relates":1,"relating":3,"relation":5,"relationship":6,"relationships":2,"release":3,"relevant":14,"reliability":2,"reliably":1,"rely":1,"remain":3,"remains":4,"remedial":1,"remediate":1,"remediation":8,"remote":5,"remove":1,"removes":3,"removing":1,"render":1,"renewal":1,"rene
wed":1,"renovate":1,"replacement":2,"replaces":1,"replacing":1,"replay":4,"replayed":4,"replays":3,"replicated":1,"replication":3,"report":8,"reported":2,"reporting":10,"reports":1,"repositories":1,"repository":2,"represent":2,"representation":2,"representative":8,"represented":1,"represents":2,"reputational":1,"request":13,"requested":5,"requests":5,"require":8,"required":17,"requirement":19,"requirements":18,"requires":7,"requiring":6,"research":14,"reserves":1,"residency":1,"resident":1,"residual":2,"resilience":3,"resistance":1,"resolution":1,"resolve":1,"resolved":1,"resolver":2,"resource":2,"resources":4,"respect":3,"respond":6,"respondent":10,"respondents":7,"responding":4,"responds":2,"response":22,"responselodgeform":1,"responses":10,"responsibility":2,"responsible":6,"responsive":5,"rest":5,"restarts":1,"restitutionary":1,"restricted":3,"restriction":1,"restrictive":1,"resubmission":1,"result":4,"resultant":2,"results":2,"retain":1,"retained":2,"retains":1,"retention":1,"retire":2,"retirement":1,"retires":3,"retrievable":2,"retrieval":1,"retrieve":1,"retrofit":1,"return":2,"returned":1,"returns":2,"reveal":1,"revealed":1,"revealing":4,"reveals":2,"revenue":3,"reverification":2,"reverifications":1,"review":12,"reviewed":4,"reviewers":1,"reviews":1,"revised":1,"revisions":3,"revocation":1,"rfi":26,"rfi15434":3,"rfp":1,"rfq":5,"rft":5,"rhetorically":1,"right":4,"rights":2,"rigorous":1,"rise":1,"risk":15,"risks":13,"risky":1,"rm":9,"rmg":1,"roadmap":9,"roadmaps":3,"role":9,"roles":3,"rollout":2,"rota":1,"round":3,"rounds":3,"route":1,"router":1,"routine":1,"row":4,"rows":1,"rpo":2,"rto":2,"rules":3,"run":6,"runbook":4,"runbooks":3,"running":3,"runs":6,"runtime":1,"rust":1,"rustcrypto":2,"s":23,"s3":1,"sa":1,"saas":14,"sable":18,"safari":6,"safeguards":2,"safety":4,"same":11,"sample":8,"sanctions":1,"santuario":1,"satisfaction":1,"satisfactory":2,"satisfied":1,"satisfies":2,"satisfy":1,"satisfying":1,"save":1,"say":2,"says":1,"sbom":3,"sc":12,"scalability":6,"s
calable":7,"scale":13,"scaled":2,"scales":3,"scaling":4,"scanned":1,"scenario":2,"scenarios":1,"schedule":3,"scheme":1,"school":1,"scope":8,"scoped":2,"scoping":3,"score":1,"scores":1,"scoring":2,"scp":2,"scps":3,"screen":9,"scrutiny":2,"sdk":3,"sea":4,"sealed":1,"seamless":4,"seamlessly":1,"seat":4,"sec":1,"second":8,"seconds":3,"secrets":1,"section":7,"sections":4,"sector":8,"secure":9,"securely":1,"security":15,"see":17,"seek":1,"seeking":4,"seen":1,"sees":1,"segregation":2,"select":3,"selected":2,"selection":4,"selective":10,"selectively":3,"self":6,"selling":1,"senate":1,"sending":1,"sends":2,"senior":5,"sense":3,"sensitive":7,"sensor":2,"sensors":2,"sent":1,"sentence":1,"sentinel":1,"separate":3,"separately":3,"separation":6,"seperate":1,"september":1,"sequencing":1,"server":7,"servers":1,"service":14,"servicenow":1,"services":17,"serving":1,"session":6,"sessions":3,"set":4,"sets":2,"setting":2,"settings":1,"setup":12,"several":2,"severally":1,"severity":4,"sha":5,"shadow":1,"shape":3,"shaped":1,"shared":2,"shares":1,"sharpen":1,"sharpening":1,"sharpness":1,"shas":1,"shell":4,"shipped":4,"shipping":5,"shops":1,"short":3,"shortlist":5,"shortlisted":1,"shortlisting":2,"should":9,"show":4,"showing":1,"shown":5,"si":1,"sicherheit":6,"side":4,"siem":2,"sign":2,"signal":1,"signals":2,"signatories":1,"signatory":5,"signature":3,"signatures":2,"signed":6,"signer":1,"significant":2,"significantly":2,"signing":2,"signpost":1,"signposts":1,"silent":5,"silicon":2,"similar":7,"similarity":1,"simple":2,"simplifies":2,"simultaneously":1,"since":3,"sincerely":1,"single":10,"site":6,"sits":1,"six":1,"size":5,"sized":5,"sizing":2,"sla":8,"slas":3,"slot":1,"small":2,"smaller":1,"smart":2,"smartphone":4,"snapshot":1,"sns":2,"so":9,"soak":3,"soc":4,"social":3,"software":12,"sold":1,"sole":2,"solely":1,"solicited":2,"solution":11,"solutions":8,"solves":1,"some":2,"somebody":1,"sometimes":2,"sor":2,"soundness":1,"source":21,"sourced":1,"sources":2,"sourcing":1,"southeast":3,"soverei
gn":3,"sovereignty":9,"sp1":3,"sp2":1,"space":1,"spanning":2,"spatial":8,"spec":2,"special":10,"specialist":5,"specific":12,"specifically":8,"specifications":3,"specified":3,"specifies":1,"specify":2,"spectral":2,"speculate":1,"spend":4,"sphincs":1,"spillover":2,"spin":2,"spindle":1,"split":4,"splunk":2,"sponsor":3,"sponsored":1,"sponsorship":2,"spoofing":4,"spreadsheet":5,"src":2,"ss2":1,"ss3":1,"ssm":1,"sso":1,"stable":1,"stack":6,"stacking":1,"stacks":2,"staff":5,"staffing":1,"stage":12,"stages":1,"staging":4,"stakeholder":1,"stakeholders":3,"standalone":1,"standard":13,"standardised":1,"standards":10,"standby":1,"standing":1,"start":2,"starts":1,"state":8,"stated":5,"stateless":4,"statement":12,"statements":2,"states":4,"static":1,"stating":1,"statistical":3,"statistics":3,"status":14,"stays":1,"step":5,"steps":3,"sticky":2,"stig":1,"stimulate":1,"stock":1,"storage":2,"store":4,"stored":5,"stores":2,"storing":1,"str":2,"strategic":14,"strategically":2,"strategies":2,"stream":1,"streamline":1,"streams":4,"street":2,"strength":1,"strengthen":1,"strengthens":2,"stress":3,"strict":2,"strictly":1,"strings":1,"strong":4,"stronger":5,"strongest":2,"structural":5,"structurally":7,"structure":9,"structured":1,"studies":3,"stuffing":1,"style":2,"sub":2,"subcontract":1,"subcontracting":3,"subcontractor":8,"subcontractors":8,"subject":9,"submission":4,"submissions":1,"submit":7,"submitted":10,"subscription":6,"subsequent":1,"subsets":1,"subsidiaries":1,"subsidiary":1,"substitution":1,"subsystem":4,"successful":5,"successfully":1,"such":9,"sudden":1,"sufficiency":1,"sufficient":6,"suggested":1,"suitable":1,"suitably":1,"suite":1,"summarised":1,"summary":6,"suncorp":8,"super":1,"superannuation":1,"supersede":2,"supervised":2,"supervision":2,"supplement":1,"supplementing":1,"supplements":1,"supplied":2,"supplier":10,"suppliers":6,"supplies":3,"supply":7,"support":21,"supported":1,"supporting":3,"supports":1,"suprema":3,"surface":3,"surfaces":1,"suspects":1,"suspend":1,"suspend
ing":1,"suspends":1,"suspicion":1,"sustainable":3,"svg":3,"swift":4,"sydney":11,"synchronous":1,"synthesis":1,"system":13,"systems":15,"t":5,"t1":5,"t2":5,"t3":6,"t369466":1,"t4":5,"t5":5,"table":9,"tables":7,"tablets":2,"tags":1,"tail":1,"take":1,"taken":2,"takes":2,"taking":1,"talked":1,"tampering":2,"tang":6,"target":5,"targets":3,"tas":1,"task":1,"tax":6,"taxation":6,"taxes":1,"tbc":1,"tbd":4,"tdif":1,"team":11,"teardown":1,"tech":4,"techincal":1,"technical":21,"technically":1,"technique":3,"techniques":1,"technologies":3,"technology":6,"telefónica":8,"telehealth":2,"telemetry":5,"telus":8,"template":6,"templates":5,"tender":6,"tenderer":3,"tenderers":1,"tendering":1,"tenders":5,"term":10,"terminate":1,"terminates":1,"terminating":1,"termination":2,"terms":8,"terraform":2,"territory":1,"test":13,"tested":5,"testing":11,"tests":8,"text":4,"thales":1,"than":11,"that":21,"the":28,"their":13,"them":5,"themselves":1,"then":4,"there":10,"thereafter":1,"thereby":1,"therefore":1,"these":12,"they":9,"thin":1,"thing":1,"think":1,"thinking":1,"thinks":1,"third":10,"this":24,"those":6,"though":2,"threaded":1,"threat":1,"threatened":1,"threats":2,"three":6,"threshold":4,"thresholds":1,"through":12,"throughout":2,"throughput":1,"thursday":1,"ticket":3,"ticketing":1,"tickets":1,"tier":7,"tiered":10,"tiering":1,"tiers":2,"ties":1,"tightness":1,"time":17,"timeframe":3,"timeline":6,"timelines":5,"times":4,"timetable":1,"timing":3,"title":2,"tls":2,"to":27,"today":11,"together":1,"too":2,"tool":1,"tooling":3,"tools":2,"top":4,"total":9,"totals":1,"touch":1,"touches":1,"touching":2,"touchpoints":1,"toxic":1,"track":8,"tracked":2,"tracking":2,"trading":3,"traditional":2,"traffic":1,"trail":2,"trailing":1,"training":6,"transcribe":6,"transcribed":1,"transcribing":1,"transcription":1,"transcripts":1,"transfer":5,"transformation":5,"transformative":2,"transformed":2,"transit":2,"transition":2,"transits":1,"transmission":1,"transmit":1,"transmits":2,"transmitted":4,"transmitting":1,"tra
nsparent":9,"travel":2,"traversal":1,"traverse":2,"traverses":1,"treasury":1,"tree":1,"trends":1,"triage":2,"trial":3,"trigger":1,"triggers":2,"trip":2,"trips":1,"trivially":1,"troubleshooting":4,"true":4,"trust":5,"trusted":6,"trusts":1,"trustworthy":3,"truth":2,"ts":9,"tue":1,"tuned":1,"tv":10,"two":9,"type":6,"types":1,"typical":1,"typically":1,"typography":1,"uat":2,"ubo":2,"ubos":2,"ui":6,"uk":6,"ultimate":3,"ultimately":1,"unalterable":1,"unauthorised":1,"unavailable":1,"unbeatable":1,"uncertainty":1,"unclassified":1,"uncleared":1,"uncomplicated":1,"under":17,"undercut":1,"underlying":9,"underpins":1,"underprice":1,"understand":4,"understanding":2,"understands":1,"understood":1,"undertake":2,"undertaken":4,"undertaking":1,"undertakings":1,"unexpected":1,"unfairness":1,"unified":2,"uniformity":1,"uniformly":1,"unintentional":1,"unique":1,"unit":3,"units":2,"university":3,"unlawfully":1,"unless":4,"unlimited":2,"unpaid":2,"unpredictable":1,"unprofessional":1,"unrelated":1,"unsecured":1,"unsuccessful":1,"untested":1,"until":2,"untrusted":1,"unusual":2,"unviable":2,"up":9,"update":2,"updated":1,"updates":6,"upgrade":2,"uplift":3,"upload":3,"uploaded":1,"uploading":1,"uploads":1,"upon":1,"upper":3,"uptime":3,"url":3,"us":4,"usability":2,"usage":4,"use":14,"used":7,"user":13,"users":11,"uses":5,"using":8,"utilised":1,"ux":15,"v":1,"v1":4,"valid":4,"validate":1,"validated":4,"validates":1,"validation":5,"validations":1,"validly":1,"valuable":3,"value":12,"valued":1,"values":2,"variable":3,"variation":1,"variations":2,"varies":1,"various":1,"vary":2,"varying":1,"vector":1,"vectors":1,"vehicle":2,"vendor":12,"vendors":1,"venture":1,"verbatim":3,"veridos":1,"verifaction":1,"verifiable":6,"verifiably":1,"verification":20,"verifications":8,"verified":6,"verifier":2,"verifies":2,"verify":3,"version":6,"versions":1,"very":1,"vetting":5,"via":19,"viability":4,"viable":2,"vibe":1,"vic":1,"video":4,"view":8,"viewport":1,"violate":1,"violating":3,"virtue":1,"virus":1,"viruses":
1,"visa":1,"visibility":4,"vision":3,"visit":2,"visits":1,"vism":11,"visual":1,"visualisations":3,"viveka":2,"volume":7,"volumes":3,"vote":1,"voting":1,"vpc":4,"vs":6,"vulnerabilities":1,"vulnerable":1,"wa":1,"waf":1,"walkthrough":2,"warrants":4,"warranty":1,"was":4,"wasm":3,"way":4,"ways":1,"wcag":13,"we":14,"web":9,"website":3,"wed":1,"week":4,"weekly":3,"weeks":6,"weigh":3,"weight":1,"weiley":2,"welcome":1,"welfare":4,"well":5,"wge":1,"wgea":2,"wh":1,"what":13,"whatsoever":1,"when":6,"where":17,"wherever":2,"whether":8,"which":8,"whichever":1,"while":3,"who":7,"whole":1,"whose":1,"why":7,"wide":4,"widely":3,"wider":1,"wifi":2,"wiki":1,"will":12,"win":1,"window":2,"wins":1,"wires":1,"wiring":3,"wish":2,"wishes":1,"with":24,"withhold":1,"within":9,"without":11,"wollongong":3,"word":1,"work":15,"workflow":5,"working":8,"workplace":3,"works":3,"workshops":2,"worldcoin":1,"worm":1,"worms":1,"worth":2,"would":11,"wrapped":2,"wrapper":4,"wraps":2,"writer":1,"writes":1,"writing":1,"written":2,"www":8,"x":3,"x25519":2,"xeon":1,"xlsx":8,"xxxxx":1,"y":1,"year":6,"years":4,"yes":4,"yet":8,"yields":1,"you":3,"your":2,"yours":1,"yr":1,"zcash":4,"zero":7,"zetl":1,"zipped":1,"zk":11,"zkpass":1,"zones":1,"zoom":1,"zurich":1},"docs":[{"dl":158,"n":"INDEX","s":"attachments/index","secs":[{"h":"RFI-15434 — Attachments Index","l":1,"t":"Downloaded 2026-05-31 from `https://www.tenders.gov.au` via authenticated Playwright session (login `hugo@anuna.io`). 
| # | Local filename | Size | SHA-256 (head) | Original AusTender filename | |---|---|---:|---|---| | 1 | `01-part1-conditions.docx` | 173 339 B | `ac70a5dfdd5bc08e…` | RFI-15434_ Part 1_Conditions of Request for Information_Final.docx | | 2 | `02-part2-statement-of-requirements.docx` | 479 709 B | `7f49b6f753dabbba…` | RFI-15434_Part 2_ Statement of Requirements_Final.docx | | 3 | `03-part3-response-general.docx` | 172 374 B | `e0f98c67d7139ead…` | RFI-15434_Part 3 - Response Form_General Response_Final.docx | | 4 | `04-part3a-response-technical.xlsx` | 35 047 B | `dddd71f6a4a4f0b9…` | RFI-15434_Part 3a - Response Form_Technical.xlsx | | 5 | `05-part4-response-financial.docx` | 148 758 B | `61c97b3b13f5479d…` | RFI-15434_Part 4 - Response Form_Financial_Final.docx | | 6 | `06-part4a-response-pricing.xlsx` | 186 148 B | `8319fe96c6ce473f…` | RFI-15434_Part 4a - Response Form_Pricing_Final.xlsx | | 7 | `07-foci-information-form.docx` | 103 647 B | `3e4cd87b9e3d9aec…` | RFI-15434_ATO Supplier FOCI Information Form_v1.0.docx | | 8 | `08-addendum-1.pdf` | 158 920 B | `01ae20f61bb7f4f5…` | RFI-15434_Addendum 1_FINAL VERSION.pdf | | 9 | `09-addendum-2.pdf` | 104 338 B | `45434bebf18520f5…` | RFI-15434 - Addendum 2_FINAL.pdf | **Provenance:** every URL uses `?docType=Atm&fileName=…&location=s3Restricted` (or `docType=Addenda` for addenda); see `.crawl/downloads-output.jsonl` for raw session transcripts and `_meta.json` for HTTP status / Content-Type per 
file."}],"tf":{"0":1,"047":1,"05":1,"1":3,"103":1,"104":1,"148":2,"15434":10,"158":1,"172":1,"173":1,"186":1,"2":3,"2026":1,"256":1,"3":2,"31":1,"338":1,"339":1,"35":1,"374":1,"3a":1,"4":2,"479":1,"4a":1,"5":1,"6":1,"647":1,"7":1,"709":1,"758":1,"8":1,"9":1,"920":1,"addenda":1,"addendum":2,"and":1,"ato":1,"attachments":1,"austender":1,"authenticated":1,"b":9,"conditions":1,"content":1,"docx":5,"downloaded":1,"every":1,"file":1,"filename":2,"final":7,"financial":1,"foci":1,"for":4,"form":5,"from":1,"general":1,"head":1,"http":1,"index":1,"information":2,"local":1,"login":1,"of":2,"or":1,"original":1,"part":6,"pdf":2,"per":1,"playwright":1,"pricing":1,"provenance":1,"raw":1,"request":1,"requirements":1,"response":5,"rfi":10,"see":1,"session":2,"sha":1,"size":1,"statement":1,"status":1,"supplier":1,"technical":1,"transcripts":1,"type":1,"url":1,"uses":1,"v1":1,"version":1,"via":1,"xlsx":2}},{"dl":243,"n":"README","s":"draft/readme","secs":[{"h":"Draft Response — RFI-15434","l":1,"t":"This folder holds the **markdown draft** of every document we lodge against AusTender RFI-15434. 
The native templates (DOCX / XLSX in `../attachments/`) are filled by transcribing from these drafts; markdown is the source of truth for content review."},{"h":"Files","l":5,"t":"| Lodged form | Draft | Status | |---|---|---| | Part 3 — Response Form (General) | `part3-general.md` | draft v1 — needs ABN, executive bio, ownership block, signed declaration | | Part 3a — Response Form (Technical Compliance Matrix) | `part3a-technical-compliance-matrix.md` | draft v1 — content complete; transcribe into XLSX before lodgement | | Part 4 — Response Form (Financial) | `part4-financial.md` | draft v1 — needs FY24 / FY25 financial summary attached | | Part 4a — Pricing Tables | `part4a-pricing.md` | draft v1 — pricing model proposed; refine Year 1 / Year 2 / Year 3 numbers with co-signatory | | Attachment A — FOCI | `attachment-a-foci.md` | draft v1 — needs UBO % confirmation | | Cover letter | `cover-letter.md` | draft v1 | | Compliance matrix summary | `compliance-summary.md` | auto-generated from [[sable-fit]] |"},{"h":"Workflow to lodgement","l":17,"t":"1. Internal review of all drafts in this folder 2. Transcribe to native templates in `../attachments-filled/` (new folder, copied from `../attachments/` then edited) 3. Sign declarations (Hugo O'Connor as authorised representative) 4. Upload via AusTender Lodgement Page (https://www.tenders.gov.au/Atm/ResponseLodgeForm/cea1b989-ceb0-4b36-8b48-ac1330062362) 5. Confirmation email retained as evidence of lodgement **Hard deadline:** 4-Jun-2026 14:00 ACT (Canberra). 
Plan to lodge by 09:00 ACT for buffer."},{"h":"Authority & sign-off","l":27,"t":"- **Authorised representative:** Hugo O'Connor, founder, Anuna Research Cooperative - **Co-signatory required:** none for the RFI (no binding offer; no contract terms agreed) - **Internal review:** all drafts read end-to-end before transcription"}],"tf":{"00":2,"09":1,"1":2,"14":1,"15434":2,"2":2,"2026":1,"3":3,"3a":1,"4":3,"4a":1,"4b36":1,"5":1,"8b48":1,"a":1,"abn":1,"ac1330062362":1,"act":2,"against":1,"agreed":1,"all":2,"anuna":1,"are":1,"as":2,"atm":1,"attached":1,"attachment":1,"au":1,"austender":2,"authorised":2,"authority":1,"auto":1,"before":2,"binding":1,"bio":1,"block":1,"buffer":1,"by":2,"canberra":1,"cea1b989":1,"ceb0":1,"co":2,"complete":1,"compliance":2,"confirmation":2,"connor":2,"content":2,"contract":1,"cooperative":1,"copied":1,"cover":1,"deadline":1,"declaration":1,"declarations":1,"document":1,"docx":1,"draft":9,"drafts":3,"edited":1,"email":1,"end":2,"every":1,"evidence":1,"executive":1,"files":1,"filled":1,"financial":2,"fit":1,"foci":1,"folder":3,"for":3,"form":4,"founder":1,"from":3,"fy24":1,"fy25":1,"general":1,"generated":1,"gov":1,"hard":1,"holds":1,"https":1,"hugo":2,"in":3,"internal":2,"into":1,"is":1,"jun":1,"letter":1,"lodge":2,"lodged":1,"lodgement":4,"markdown":2,"matrix":2,"model":1,"native":2,"needs":3,"new":1,"no":2,"none":1,"numbers":1,"o":2,"of":4,"off":1,"offer":1,"ownership":1,"page":1,"part":4,"plan":1,"pricing":2,"proposed":1,"read":1,"refine":1,"representative":2,"required":1,"research":1,"response":4,"responselodgeform":1,"retained":1,"review":3,"rfi":3,"sable":1,"sign":2,"signatory":2,"signed":1,"source":1,"status":1,"summary":2,"tables":1,"technical":1,"templates":2,"tenders":1,"terms":1,"the":4,"then":1,"these":1,"this":2,"to":4,"transcribe":2,"transcribing":1,"transcription":1,"truth":1,"ubo":1,"upload":1,"v1":6,"via":1,"we":1,"with":1,"workflow":1,"www":1,"xlsx":2,"year":3}},{"dl":1184,"n":"attachment-a-foci","s":"draft/attachment-a-foci"
,"secs":[{"h":"Attachment A — Foreign Ownership, Control or Influence (FOCI) Information Form — DRAFT","l":1,"t":"> Transcribe into the DOCX template `../attachments/07-foci-information-form.docx`. ---"},{"h":"Supplier Details","l":7,"t":"| Term | Definition | |---|---| | **Legal entity name** | Anuna Research Cooperative *[confirm exact registered entity name before lodgement]* | | **ABN / ACN** | *[insert — confirm before lodgement]* | | **Country of Incorporation** | Australia | | **Entity structure** | Australian cooperative | | **Contact name / Position** | Hugo O'Connor / Trust Engineering | | **Email / Phone** | hugo@anuna.io / *[insert before lodgement]* | ---"},{"h":"FOCI Information Questions","l":20,"t":""},{"h":"1. Defence Industry Security Program (DISP) or Hosting Certification Framework (HCF) Status","l":22,"t":"> *Are you currently a member of the DISP or certified under the HCF?* **☒ No** — Anuna Research Cooperative is not currently a DISP member or HCF certified. If a future procurement progresses to a stage requiring DISP membership, Anuna Research Cooperative will apply for DISP entry-level membership. If the procurement involves hosting data for the ATO at a level requiring HCF certification of the underlying hosting provider, AWS Sydney (`ap-southeast-2`) holds the **Certified Strategic Hosting Provider** classification under the HCF."},{"h":"2. Ultimate Ownership and Structure","l":32,"t":"> *Identify your organisation's Ultimate Beneficial Owner(s) (UBOs).* Anuna Research Cooperative is an **Australian cooperative**. Under cooperative structure, member-practitioners hold equal voting rights (\"one member, one vote\") regardless of capital contribution. Ultimate beneficial ownership in the standard corporate sense does not directly apply; for FOCI purposes the **practitioner members** of the cooperative are listed below. 
| Member Full Legal Name | Role | Country of Citizenship | |---|---|---| | Hugo O'Connor | Trust Engineering | Australia | | Mathew Mytka | Transformative Adaptation | *[confirm before lodgement]* | | Claire Barnes | Systems Engineering | *[confirm before lodgement]* | | Dave Factor | Automation Engineering | *[confirm before lodgement]* | | Viveka Weiley | Strategic Design | *[confirm before lodgement]* | Corporate structure: **single-tier Australian cooperative** — no parent company, no subsidiaries, no holding entity. A current corporate-structure diagram can be provided on request; under cooperative law, the structure is uncomplicated."},{"h":"3. State Ownership or Control","l":48,"t":"> *Is your organisation or any of its UBOs state-controlled, majority funded by, or financially connected to a foreign government or sovereign entity?* **☒ No** No state ownership, no state control, no majority funding from any foreign government, no special relationship with a foreign government providing preferential contracts or state funding. All revenue is from commercial sources and (where applicable) Australian-government research grants."},{"h":"4. Politically Exposed Persons (PEPs)","l":56,"t":"> *Are any of your organisation's senior executives, directors or UBOs classified as PEPs?* **☒ No** — none of Anuna Research Cooperative's member-practitioners or directors are Politically Exposed Persons per the standard FATF / AUSTRAC definitions (no senior political positions, no senior judicial / military / state-enterprise positions, in Australia or any foreign jurisdiction). *[confirm before lodgement with each member]*"},{"h":"5. 
Access to ATO Systems, Networks or Data","l":62,"t":"> *Will your organisation, or any personnel or systems involved in delivering the proposed goods or services, have access or connectivity to ATO systems, networks or data?* **☒ Yes** *(if a procurement progresses past the RFI stage and Anuna Research Cooperative is engaged)* **5.1 Description of access / connectivity:** The proposed SABLE SaaS Verification Service connects to ATO systems via **AWS PrivateLink** (VPC Endpoint Service in `ap-southeast-2`). Specifically: - ATO myID infrastructure (in the ATO AWS environment) sends ZK verification requests to the SABLE Verification API endpoint via PrivateLink - No internet egress; no public endpoint; no transit through Transit Gateway - Anuna Research Cooperative L2/L3 support engineers have read-only access to operational dashboards (Amazon CloudWatch metrics, structured logs) via federated SSO from Anuna Research Cooperative's AWS account — **no access to ATO's underlying systems or any production PI** - Anuna Research Cooperative engineers do **not** have access to ATO's production AWS account, to any ATO user data, or to any ATO operational systems beyond the SABLE Verification Service operational telemetry **5.2 ATO information accessed, stored, transformed or transmitted:** - **Biometric data: never** — by architectural design (Halo2 ZK proofs keep biometric data on the user's device; only the proof + minimal metadata reach the SaaS) - **Personal Information: never** — the SaaS receives no PI of any kind - **Operational telemetry** (verification counts, latencies, error rates, ATO-account-ID-scoped metrics) — stored in `ap-southeast-2` AWS region only, never replicated outside Australia - **Audit logs** (administrative actions, verification request metadata excluding PI) — stored in `ap-southeast-2` with Object Lock for immutability **5.3 Access restriction and safeguards:** - **Authentication:** mTLS client-certificate authentication between ATO 
infrastructure and the SABLE Verification API; per-environment certificates; certificate lifecycle managed via AWS Certificate Manager Private CA - **Authorisation:** IAM least-privilege; cross-account roles scoped to specific read-only operations - **Encryption:** TLS 1.3 in transit; AES-256-GCM at rest (KMS customer-managed keys); envelope encryption for sensitive operational data - **Network segregation:** AWS PrivateLink endpoint isolates the ATO–Anuna Research Cooperative data plane from the public internet - **Monitoring:** Amazon GuardDuty + CloudTrail across the entire SABLE AWS account; alerting on any anomalous access pattern - **Personnel:** all access by Anuna Research Cooperative staff logged, audited, and time-bound; named-engineer access for production troubleshooting only"},{"h":"6. Cloud / Hosting Providers and Data Flows","l":93,"t":"| Provider | Role | Region | Data flowing through | |---|---|---|---| | **Amazon Web Services** | Primary cloud infrastructure | `ap-southeast-2` (Sydney) | All operational data (no PI) | | **CloudFlare** *(optional)* | DNS for non-production status page only | Global edge | Public status page only — no ATO data | | **GitHub** | Source code repository (open-source SABLE library) | US-based | Open-source code only — no ATO data | | **Codeberg** | Source code repository (open-source SABLE library, mirror) | EU-based | Open-source code only — no ATO data | | **PagerDuty** | On-call paging | Australia region | Alert metadata only — no ATO data | | **Atlassian / GitHub Issues** | Internal ticket tracking | Australia / US | Internal Anuna Research Cooperative engineering tickets — no ATO data | If the ATO requires a more restrictive provider list for any provider above (e.g. PagerDuty replacement with Australia-only on-call solution; private GitHub Enterprise instance), Anuna Research Cooperative will adapt to ATO requirements as part of a procurement-stage architecture review."},{"h":"7. 
Subcontractors and Supply-Chain Risk","l":106,"t":"At the RFI stage, **no subcontractors are named and no partner arrangements are in place**. In a procurement stage involving a contract, Anuna Research Cooperative anticipates engaging the following classes of Australian subcontractor; partner identification, due diligence, and contracting would be a procurement-stage activity: - **Australian Security Vetting Agency–cleared support partner** for NV1-cleared L2 / L3 support — required for OP-9 compliance - **Australian managed-SOC provider** for managed insider-risk monitoring — for OP-6 if scale warrants - **ILAC-accredited PAD testing laboratory** for ISO/IEC 30107-3 EAL-2 testing — one-off engagement for LV-5 / LV-6 evidence - **IRAP-assessed Australian incident management portal** — for OP-9 - **Accredited Australian accessibility audit firm** — one-off engagement for UX-3 - **Registered IRAP assessor** — for SC-1 / SC-6 evidence - *Optionally*, an **Australian systems-integrator partner** for delivery scale if the procurement scope warrants it All subcontractors selected will be Australian-incorporated or hold Australian operating subsidiaries with Australian-cleared personnel for any ATO-data-touching work. ---"},{"h":"Declaration","l":122,"t":"I, **Hugo O'Connor**, in my capacity as authorised representative of Anuna Research Cooperative (Trust Engineering), **declare** that the information provided in this FOCI Form is, to the best of my knowledge and belief, **true, accurate, and complete** as at the date of this Response. 
Signed: ____________________________ **Hugo O'Connor** — Trust Engineering, Anuna Research Cooperative Date: 4 June 2026 --- > *End of FOCI draft.*"}],"tf":{"1":4,"2":3,"2026":1,"256":1,"3":5,"30107":1,"4":2,"5":5,"6":4,"7":1,"9":2,"a":15,"abn":1,"above":1,"access":10,"accessed":1,"accessibility":1,"account":5,"accredited":2,"accurate":1,"acn":1,"across":1,"actions":1,"activity":1,"adapt":1,"adaptation":1,"administrative":1,"aes":1,"agency":1,"alert":1,"alerting":1,"all":4,"amazon":3,"an":2,"and":12,"anomalous":1,"anticipates":1,"anuna":17,"any":12,"api":2,"applicable":1,"apply":2,"architectural":1,"architecture":1,"are":6,"arrangements":1,"as":4,"assessed":1,"assessor":1,"at":4,"atlassian":1,"ato":22,"attachment":1,"audit":2,"audited":1,"austrac":1,"australia":7,"australian":13,"authentication":2,"authorisation":1,"authorised":1,"automation":1,"aws":9,"barnes":1,"based":2,"be":3,"before":8,"belief":1,"below":1,"beneficial":2,"best":1,"between":1,"beyond":1,"biometric":2,"bound":1,"by":3,"ca":1,"call":2,"can":1,"capacity":1,"capital":1,"certificate":3,"certificates":1,"certification":2,"certified":3,"chain":1,"citizenship":1,"claire":1,"classes":1,"classification":1,"classified":1,"cleared":3,"client":1,"cloud":2,"cloudflare":1,"cloudtrail":1,"cloudwatch":1,"code":4,"codeberg":1,"commercial":1,"company":1,"complete":1,"compliance":1,"confirm":7,"connected":1,"connectivity":2,"connects":1,"connor":4,"contact":1,"contract":1,"contracting":1,"contracts":1,"contribution":1,"control":3,"controlled":1,"cooperative":22,"corporate":3,"country":2,"counts":1,"cross":1,"current":1,"currently":2,"customer":1,"dashboards":1,"data":17,"date":2,"dave":1,"declaration":1,"declare":1,"defence":1,"definition":1,"definitions":1,"delivering":1,"delivery":1,"description":1,"design":2,"details":1,"device":1,"diagram":1,"diligence":1,"directly":1,"directors":2,"disp":5,"dns":1,"do":1,"docx":1,"does":1,"draft":2,"due":1,"e":1,"each":1,"eal":1,"edge":1,"egress":1,"email":1,"encryption":2,"en
d":1,"endpoint":4,"engaged":1,"engagement":2,"engaging":1,"engineer":1,"engineering":7,"engineers":2,"enterprise":2,"entire":1,"entity":5,"entry":1,"envelope":1,"environment":2,"equal":1,"error":1,"eu":1,"evidence":2,"exact":1,"excluding":1,"executives":1,"exposed":2,"factor":1,"fatf":1,"federated":1,"financially":1,"firm":1,"flowing":1,"flows":1,"foci":5,"following":1,"for":19,"foreign":5,"form":2,"framework":1,"from":4,"full":1,"funded":1,"funding":2,"future":1,"g":1,"gateway":1,"gcm":1,"github":3,"global":1,"goods":1,"government":4,"grants":1,"guardduty":1,"halo2":1,"have":3,"hcf":5,"hold":2,"holding":1,"holds":1,"hosting":5,"hugo":5,"i":1,"iam":1,"id":1,"identification":1,"identify":1,"iec":1,"if":6,"ilac":1,"immutability":1,"in":12,"incident":1,"incorporated":1,"incorporation":1,"industry":1,"influence":1,"information":5,"infrastructure":3,"insert":2,"insider":1,"instance":1,"integrator":1,"internal":2,"internet":2,"into":1,"involved":1,"involves":1,"involving":1,"io":1,"irap":2,"is":7,"iso":1,"isolates":1,"issues":1,"it":1,"its":1,"judicial":1,"june":1,"jurisdiction":1,"keep":1,"keys":1,"kind":1,"kms":1,"knowledge":1,"l2":2,"l3":2,"laboratory":1,"latencies":1,"law":1,"least":1,"legal":2,"level":2,"library":2,"lifecycle":1,"list":1,"listed":1,"lock":1,"lodgement":8,"logged":1,"logs":2,"lv":2,"majority":2,"managed":4,"management":1,"manager":1,"mathew":1,"member":7,"members":1,"membership":2,"metadata":3,"metrics":2,"military":1,"minimal":1,"mirror":1,"monitoring":2,"more":1,"mtls":1,"my":2,"myid":1,"mytka":1,"name":4,"named":2,"network":1,"networks":2,"never":3,"no":25,"non":1,"none":1,"not":3,"nv1":1,"o":4,"object":1,"of":17,"off":2,"on":5,"one":4,"only":11,"op":3,"open":4,"operating":1,"operational":6,"operations":1,"optional":1,"optionally":1,"or":22,"organisation":4,"outside":1,"owner":1,"ownership":5,"pad":1,"page":2,"pagerduty":2,"paging":1,"parent":1,"part":1,"partner":4,"past":1,"pattern":1,"peps":2,"per":2,"personal":1,"personnel":3,"persons":2,"phone"
:1,"pi":4,"place":1,"plane":1,"political":1,"politically":2,"portal":1,"position":1,"positions":2,"practitioner":1,"practitioners":2,"preferential":1,"primary":1,"private":2,"privatelink":3,"privilege":1,"procurement":7,"production":4,"program":1,"progresses":2,"proof":1,"proofs":1,"proposed":2,"provided":2,"provider":6,"providers":1,"providing":1,"public":3,"purposes":1,"questions":1,"rates":1,"reach":1,"read":2,"receives":1,"regardless":1,"region":3,"registered":2,"relationship":1,"replacement":1,"replicated":1,"repository":2,"representative":1,"request":2,"requests":1,"required":1,"requirements":1,"requires":1,"requiring":2,"research":17,"response":1,"rest":1,"restriction":1,"restrictive":1,"revenue":1,"review":1,"rfi":2,"rights":1,"risk":2,"role":2,"roles":1,"s":8,"saas":3,"sable":7,"safeguards":1,"sc":2,"scale":2,"scope":1,"scoped":2,"security":2,"segregation":1,"selected":1,"sends":1,"senior":3,"sense":1,"sensitive":1,"service":3,"services":2,"signed":1,"single":1,"soc":1,"solution":1,"source":6,"sources":1,"sovereign":1,"special":1,"specific":1,"specifically":1,"sso":1,"staff":1,"stage":6,"standard":2,"state":6,"status":3,"stored":3,"strategic":2,"structure":6,"structured":1,"subcontractor":1,"subcontractors":3,"subsidiaries":2,"supplier":1,"supply":1,"support":3,"sydney":2,"systems":8,"telemetry":2,"template":1,"term":1,"testing":2,"that":1,"the":34,"this":2,"through":2,"ticket":1,"tickets":1,"tier":1,"time":1,"tls":1,"to":14,"touching":1,"tracking":1,"transcribe":1,"transformative":1,"transformed":1,"transit":3,"transmitted":1,"troubleshooting":1,"true":1,"trust":4,"ubos":3,"ultimate":3,"uncomplicated":1,"under":4,"underlying":2,"us":2,"user":2,"ux":1,"verification":7,"vetting":1,"via":4,"viveka":1,"vote":1,"voting":1,"vpc":1,"warrants":2,"web":1,"weiley":1,"where":1,"will":4,"with":5,"work":1,"would":1,"yes":1,"you":1,"your":4,"zk":2}},{"dl":769,"n":"compliance-summary","s":"draft/compliance-summary","secs":[{"h":"Compliance Summary — 
RFI-15434","l":1,"t":"One-page executive view of how SABLE meets the ATO's Statement of Requirements. Reflects Addendum 1 clarifications."},{"h":"Headline","l":5,"t":"- **42 / 55** requirements: **Compliant** today - **13 / 55** requirements: **Partially Compliant** — all have explicit remediation paths with timelines - **0 / 55** requirements: **Non-Compliant**"},{"h":"By category","l":11,"t":"| Category | Compliant | Partially | Total | |---|---:|---:|---:| | LV (Biometric Capture & Liveness Detection) | 4 | 2 | 6 | | TV (Technical Verification & Biometric Binding) | 1 | 2 | 3 | | S / P / A (Scalability / Performance / Availability) | 5 | 0 | 5 | | H / IN (Hosting / Integration) | 5 | 2 | 7 | | SC (Security & Confidentiality) | 5 | 3 | 8 | | OP / VISM / M (Operations / Vendor Implementation / Maintainability) | 15 | 3 | 18 | | RM (Reporting & Monitoring) | 4 | 0 | 4 | | UX (User Experience & Accessibility) | 3 | 1 | 4 | | **Total** | **42** | **13** | **55** |"},{"h":"Where SABLE wins decisively","l":25,"t":"- **SC-2 (APPs), SC-5 (no PI offshore)** — biometric data never leaves the device. Privacy is structural, not procedural. *No other respondent of statistical-match architecture can match this guarantee.* - **LV-3 / LV-4 (PAD + single-pipeline)** — Halo2 composite proof binds capture, PAD, and proof generation cryptographically. Cannot be decoupled or replayed. - **TV-2 (online biometric binding)** — single continuous on-device workflow binds biometric, PAD, and credential. - **P-1 (10 k verifications/hr @ p95 ≤ 1000 ms)** — three orders of magnitude headroom at ~1.8 ms verification. - **S-1 / S-2 / H-1 / H-2 / IN-3 / IN-4** — clean stateless SaaS on AWS Sydney with PrivateLink + IaC deployment. - **SC-7 (Australian data residency)** — AWS `ap-southeast-2` only, enforced by SCPs. 
- **UX-1 / UX-2 / UX-4** — mobile-first, customisable, Figma library."},{"h":"Where SABLE has known gaps (with timelines)","l":35,"t":"| Gap | Effort | Spend (indicative AUD) | |---|---|---| | ISO/IEC 30107-3 EAL-2 (L) PAD test (LV-5/6) | 3-4 months | 60-100 k | | FMR/FNMR benchmark (TV-3) | 4-6 weeks | self-funded | | ICAO 9303 ePassport NFC (TV-1) | 8-12 weeks | self-funded | | MAUI bindings (IN-1) | 4-6 weeks | self-funded | | WCAG 2.1 AA audit (UX-3) | 4-6 weeks | self-funded + audit fee | | HACE alternative crypto path (SC-3) | 4-8 weeks | self-funded | | IRAP PROTECTED certification (SC-1/6) | 6-8 months | 150-250 k | | NV1-cleared Australian support (OP-9) | 12+ months for direct / immediate via partner | partner cost | | Insider-risk monitoring (OP-6) | partner integration | partner cost | | Government track record (IN-5 / VISM-6 / OP-10) | Paid PoC against ATO myID cohort | TBD | **Total remediation programme:** ~12 months elapsed across the longest dependencies, ~AUD 250-500 k in pass-through certification spend, plus internal engineering."},{"h":"The four distinctive pillars","l":52,"t":"1. **Privacy by construction** — biometric data never leaves the user's device; cryptographic guarantee, not policy promise. Structurally fits Digital ID Act 2024 data-minimisation. 2. **Selective disclosure via BBS+** — predicates provable without exposing underlying credential fields. 3. **Offline P2P operation** — capture / liveness / proof runs entirely on-device with no internet dependency; addresses inclusivity for low-connectivity / offshore users. 4. **Open-source public good** — Apache 2.0 library; investment in maturing SABLE becomes freely available to any other government adopter at zero marginal cost. 
Candidate future deployment contexts: Anuna's existing BARMM (Philippines) eGov engagement (natural extension; SABLE not yet deployed there), European public-sector identity (early dialogue with Germany's BSI), other Pacific / SEA governments, and adjacent use cases (age verification, healthcare, building access). Aligns with Pacific Step-Up, Indo-Pacific Endeavour, ASEAN digital cooperation, and the Quad's cyber resilience agenda — additional public value the ATO can claim from the procurement spend. To our knowledge SABLE is the **first open-source library to combine all four** alongside transparent ZK setup (no trusted ceremony) and no special hardware requirement."},{"h":"Other strategic value beyond the requirements","l":61,"t":"- **Post-quantum roadmap** — CRYSTALS-Dilithium / hash-based commitment migration path published - **Open-source auditability** — full source review available; no vendor lock-in; source-escrow obviated"},{"h":"Recommended next step (suggested to the ATO)","l":66,"t":"A **paid 8-week Proof-of-Concept** against the ATO's existing myID IP3 test cohort, evaluating: 1. PAD performance against a curated attack corpus (printed photos, phone screen replays, video replays, 3D masks) 2. FMR/FNMR against a representative Australian population sample 3. End-to-end UX of the spatial-flash liveness flow (capture time, completion rate, accessibility) 4. Integration latency to ATO's existing FVS / DVS infrastructure via PrivateLink 5. Operational soak test at 10× the current peak-hour verification load This is the most decisive evidence either party can generate inside the RFI's question of \"what new capabilities exist in the market that could enhance the security, scalability, and inclusivity of myID\". 
--- *See [[sable-fit]] for the per-requirement detail, [[gaps-and-risks]] for the consolidated remediation plan, [[ato-myid-context]] for the strategic framing.*"}],"tf":{"0":4,"1":14,"10":3,"100":1,"1000":1,"12":3,"13":2,"15":1,"150":1,"15434":1,"18":1,"2":13,"2024":1,"250":2,"3":13,"30107":1,"3d":1,"4":14,"42":2,"5":8,"500":1,"55":4,"6":9,"60":1,"7":2,"8":6,"9":1,"9303":1,"a":4,"aa":1,"access":1,"accessibility":2,"across":1,"act":1,"addendum":1,"additional":1,"addresses":1,"adjacent":1,"adopter":1,"against":4,"age":1,"agenda":1,"aligns":1,"all":2,"alongside":1,"alternative":1,"and":7,"anuna":1,"any":1,"apache":1,"apps":1,"architecture":1,"asean":1,"at":3,"ato":7,"attack":1,"aud":2,"audit":2,"auditability":1,"australian":3,"availability":1,"available":2,"aws":2,"barmm":1,"based":1,"bbs":1,"be":1,"becomes":1,"benchmark":1,"beyond":1,"binding":2,"bindings":1,"binds":2,"biometric":6,"bsi":1,"building":1,"by":3,"can":3,"candidate":1,"cannot":1,"capabilities":1,"capture":4,"cases":1,"category":2,"ceremony":1,"certification":2,"claim":1,"clarifications":1,"clean":1,"cleared":1,"cohort":2,"combine":1,"commitment":1,"completion":1,"compliance":1,"compliant":4,"composite":1,"concept":1,"confidentiality":1,"connectivity":1,"consolidated":1,"construction":1,"context":1,"contexts":1,"continuous":1,"cooperation":1,"corpus":1,"cost":3,"could":1,"credential":2,"crypto":1,"cryptographic":1,"cryptographically":1,"crystals":1,"curated":1,"current":1,"customisable":1,"cyber":1,"data":4,"decisive":1,"decisively":1,"decoupled":1,"dependencies":1,"dependency":1,"deployed":1,"deployment":2,"detail":1,"detection":1,"device":4,"dialogue":1,"digital":2,"dilithium":1,"direct":1,"disclosure":1,"distinctive":1,"dvs":1,"eal":1,"early":1,"effort":1,"egov":1,"either":1,"elapsed":1,"end":2,"endeavour":1,"enforced":1,"engagement":1,"engineering":1,"enhance":1,"entirely":1,"epassport":1,"escrow":1,"european":1,"evaluating":1,"evidence":1,"executive":1,"exist":1,"existing":3,"experience":1,"explicit"
:1,"exposing":1,"extension":1,"fee":1,"fields":1,"figma":1,"first":2,"fit":1,"fits":1,"flash":1,"flow":1,"fmr":2,"fnmr":2,"for":5,"four":2,"framing":1,"freely":1,"from":1,"full":1,"funded":5,"future":1,"fvs":1,"gap":1,"gaps":2,"generate":1,"generation":1,"germany":1,"good":1,"government":2,"governments":1,"guarantee":2,"h":3,"hace":1,"halo2":1,"hardware":1,"has":1,"hash":1,"have":1,"headline":1,"headroom":1,"healthcare":1,"hosting":1,"hour":1,"how":1,"hr":1,"iac":1,"icao":1,"id":1,"identity":1,"iec":1,"immediate":1,"implementation":1,"in":9,"inclusivity":2,"indicative":1,"indo":1,"infrastructure":1,"inside":1,"insider":1,"integration":3,"internal":1,"internet":1,"investment":1,"ip3":1,"irap":1,"is":3,"iso":1,"k":4,"knowledge":1,"known":1,"l":1,"latency":1,"leaves":2,"library":3,"liveness":3,"load":1,"lock":1,"longest":1,"low":1,"lv":4,"m":1,"magnitude":1,"maintainability":1,"marginal":1,"market":1,"masks":1,"match":2,"maturing":1,"maui":1,"meets":1,"migration":1,"minimisation":1,"mobile":1,"monitoring":2,"months":4,"most":1,"ms":2,"myid":4,"natural":1,"never":2,"new":1,"next":1,"nfc":1,"no":6,"non":1,"not":3,"nv1":1,"obviated":1,"of":8,"offline":1,"offshore":2,"on":3,"one":1,"online":1,"only":1,"op":4,"open":3,"operation":1,"operational":1,"operations":1,"or":1,"orders":1,"other":4,"our":1,"p":2,"p2p":1,"p95":1,"pacific":3,"pad":5,"page":1,"paid":2,"partially":2,"partner":4,"party":1,"pass":1,"path":2,"paths":1,"peak":1,"per":1,"performance":2,"philippines":1,"phone":1,"photos":1,"pi":1,"pillars":1,"pipeline":1,"plan":1,"plus":1,"poc":1,"policy":1,"population":1,"post":1,"predicates":1,"printed":1,"privacy":2,"privatelink":2,"procedural":1,"procurement":1,"programme":1,"promise":1,"proof":4,"protected":1,"provable":1,"public":3,"published":1,"quad":1,"quantum":1,"question":1,"rate":1,"recommended":1,"record":1,"reflects":1,"remediation":3,"replayed":1,"replays":2,"reporting":1,"representative":1,"requirement":2,"requirements":5,"residency":1,"resilience":1,"responde
nt":1,"review":1,"rfi":2,"risk":1,"risks":1,"rm":1,"roadmap":1,"runs":1,"s":11,"saas":1,"sable":7,"sample":1,"sc":6,"scalability":2,"scps":1,"screen":1,"sea":1,"sector":1,"security":2,"see":1,"selective":1,"self":5,"setup":1,"single":2,"soak":1,"source":5,"spatial":1,"special":1,"spend":3,"stateless":1,"statement":1,"statistical":1,"step":2,"strategic":2,"structural":1,"structurally":1,"suggested":1,"summary":1,"support":1,"sydney":1,"tbd":1,"technical":1,"test":3,"that":1,"the":21,"there":1,"this":2,"three":1,"through":1,"time":1,"timelines":2,"to":6,"today":1,"total":3,"track":1,"transparent":1,"trusted":1,"tv":4,"underlying":1,"up":1,"use":1,"user":2,"users":1,"ux":6,"value":2,"vendor":2,"verification":4,"verifications":1,"via":3,"video":1,"view":1,"vism":2,"wcag":1,"week":1,"weeks":5,"what":1,"where":2,"wins":1,"with":6,"without":1,"workflow":1,"yet":1,"zero":1,"zk":1}},{"dl":787,"n":"cover-letter","s":"draft/cover-letter","secs":[{"h":"Cover Letter — RFI-15434","l":1,"t":"> *On Anuna Research Cooperative letterhead. ~1 page; signposts the five forms; commits to a concrete next step.* --- **To:** Alison Buchanan, Procurement Officer **Email:** RFI15434@ato.gov.au **Re:** Anuna Research Cooperative response to RFI-15434 — *Biometric Verification Capability* **Date:** 4 June 2026 Dear Alison, **Anuna Research Cooperative** is pleased to respond to **RFI-15434** for a Biometric Liveness Detection Solution to support the strategic objectives of the myID app. Our response covers all five required forms (Parts 3, 3a, 4, 4a, and Attachment A) submitted via the AusTender Lodgement Page. Anuna is an Australian cooperative working on **trustworthy AI systems**. Prior and current engagements include Microsoft, Autodesk, CSIRO Data61, Telus, Suncorp, IAG, the UK Government Digital Service (GovUK), Kellogg, and Telefónica. 
The most directly relevant *delivery-capability* reference is Anuna's current eGov programme for the **Bangsamoro Autonomous Region in Muslim Mindanao (BARMM)**, Philippines — digital identity, citizen-facing services, and transformation advisory; production go-live July 2026. BARMM does not currently deploy SABLE; SABLE deployment there is a candidate natural extension. We respond with **SABLE — Secure Attested Biometric Library for Edge**, our open-source (Apache 2.0) library for privacy-preserving biometric verification. SABLE captures, performs presentation-attack detection, and proves a match entirely on the user's device. The zero-knowledge proof — not the biometric — traverses the network. (See Part 3 §3 for the concrete walkthrough.) Four properties make SABLE distinctive for the ATO's stated needs: 1. **Privacy by construction** — biometric data never leaves the user's device. This is a cryptographic guarantee, not a policy promise; structurally fits the Digital ID Act 2024's data-minimisation provisions. Any system that aggregates biometric or identity-document data into a central store creates a structural risk class — Suprema BioStar 2, US OPM, 23andMe internationally; Optus, Medibank, Latitude domestically. **SABLE retires the target class by design.** 2. **Selective disclosure via BBS+** — users prove credential predicates (\"over 18\", \"Australian citizen\") without exposing underlying fields. 3. **Offline P2P operation** — capture / liveness / proof runs entirely on-device with no internet dependency; addresses inclusivity for low-connectivity users and the offshore-verification gap. 4. **Open-source public good** — Apache 2.0; investment in maturing SABLE for myID becomes freely available to any other government adopter at zero marginal cost. 
Candidate future deployment contexts include the BARMM engagement (natural extension), Pacific / SEA governments, and European public-sector identity — Anuna is in early dialogue with **Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI)** about the SABLE approach. To our knowledge, SABLE is the first open-source library to combine all of these properties alongside transparent ZK setup (no trusted-ceremony risk) and no special hardware requirement. We respond with full honesty about where SABLE is today: a pre-production library with 519 tests passing and a public demo, with no live government deployment yet — an ATO engagement would be SABLE's first. The certification gaps SABLE acknowledges (ISO/IEC 30107-3 EAL-2 PAD testing, IRAP PROTECTED, MAUI bindings, WCAG 2.1 AA audit, NV1-cleared Australian support) are **time-bounded remediation work**, sized in Part 3a. The architectural advantages SABLE offers are **not retrievable by alternative architectures inside any procurement timeline**. We invite the ATO to weigh these properties on a strategic horizon, not only on a present-state readiness checklist. **Proof-of-Concept.** We propose a **paid 8-week Proof-of-Concept** against the ATO's existing myID IP3 test cohort, evaluating: (i) PAD performance against a curated attack corpus; (ii) FMR / FNMR against a representative diverse Australian sample per the Digital ID Accreditation Data Standards; (iii) end-to-end UX of the spatial-flash liveness flow; (iv) PrivateLink integration latency to the existing FVS / DVS infrastructure; (v) operational soak at 10× current peak load. This is the most decisive evidence either party can generate inside this RFI's stated question. **Sovereignty.** SABLE is Australian-developed Apache 2.0 IP; cryptographic primitives are open standards; cloud hosting is AWS Sydney with SCP-enforced no-replication-out; IP control sits with Anuna and the open-source community, not any foreign commercial entity. 
For a national identity capability of myID's scale, this matters. We would welcome the opportunity to discuss the proposed PoC and to demonstrate SABLE to the ATO's identity team. Yours sincerely, **Hugo O'Connor** Trust Engineering — Anuna Research Cooperative hugo@anuna.io · hello@anuna.io +61 [TBC] ABN: [TBC — confirm before lodgement] [address TBC — confirm before lodgement] --- *Anuna Research Cooperative (\"Anuna\") is an Australian cooperative working on trustworthy AI systems, transformation advisory for AI adoption, and practitioner-team assembly for client engagements. SABLE is one of Anuna's open-source projects, publicly available at [codeberg.org/anuna/sable](https://codeberg.org/anuna/sable).*"}],"tf":{"0":3,"1":3,"10":1,"15434":3,"18":1,"2":7,"2024":1,"2026":2,"23andme":1,"3":5,"30107":1,"3a":2,"4":3,"4a":1,"519":1,"61":1,"8":1,"a":17,"aa":1,"abn":1,"about":2,"accreditation":1,"acknowledges":1,"act":1,"address":1,"addresses":1,"adopter":1,"adoption":1,"advantages":1,"advisory":2,"against":3,"aggregates":1,"ai":3,"alison":2,"all":2,"alongside":1,"alternative":1,"an":3,"and":12,"anuna":15,"any":4,"apache":3,"app":1,"approach":1,"architectural":1,"architectures":1,"are":3,"assembly":1,"at":3,"ato":6,"attachment":1,"attack":2,"attested":1,"au":1,"audit":1,"austender":1,"australian":6,"autodesk":1,"autonomous":1,"available":2,"aws":1,"bangsamoro":1,"barmm":3,"bbs":1,"be":1,"becomes":1,"before":2,"bindings":1,"biometric":7,"biostar":1,"bounded":1,"bsi":1,"buchanan":1,"bundesamt":1,"by":3,"can":1,"candidate":2,"capability":3,"capture":1,"captures":1,"central":1,"ceremony":1,"certification":1,"checklist":1,"citizen":2,"class":2,"cleared":1,"client":1,"cloud":1,"codeberg":2,"cohort":1,"combine":1,"commercial":1,"commits":1,"community":1,"concept":2,"concrete":2,"confirm":2,"connectivity":1,"connor":1,"construction":1,"contexts":1,"control":1,"cooperative":7,"corpus":1,"cost":1,"cover":1,"covers":1,"creates":1,"credential":1,"cryptographic":2,"csiro":1,"curated
":1,"current":3,"currently":1,"data":4,"data61":1,"date":1,"dear":1,"decisive":1,"delivery":1,"demo":1,"demonstrate":1,"dependency":1,"deploy":1,"deployment":3,"der":1,"design":1,"detection":2,"developed":1,"device":3,"dialogue":1,"digital":4,"directly":1,"disclosure":1,"discuss":1,"distinctive":1,"diverse":1,"document":1,"does":1,"domestically":1,"dvs":1,"eal":1,"early":1,"edge":1,"egov":1,"either":1,"email":1,"end":2,"enforced":1,"engagement":2,"engagements":2,"engineering":1,"entirely":2,"entity":1,"european":1,"evaluating":1,"evidence":1,"existing":2,"exposing":1,"extension":2,"facing":1,"fields":1,"first":2,"fits":1,"five":2,"flash":1,"flow":1,"fmr":1,"fnmr":1,"for":11,"foreign":1,"forms":2,"four":1,"freely":1,"full":1,"future":1,"fvs":1,"für":1,"gap":1,"gaps":1,"generate":1,"germany":1,"go":1,"good":1,"gov":1,"government":3,"governments":1,"govuk":1,"guarantee":1,"hardware":1,"hello":1,"honesty":1,"horizon":1,"hosting":1,"https":1,"hugo":2,"i":1,"iag":1,"id":2,"identity":5,"iec":1,"ii":1,"iii":1,"in":5,"include":2,"inclusivity":1,"informationstechnik":1,"infrastructure":1,"inside":2,"integration":1,"internationally":1,"internet":1,"into":1,"investment":1,"invite":1,"io":2,"ip":2,"ip3":1,"irap":1,"is":13,"iso":1,"iv":1,"july":1,"june":1,"kellogg":1,"knowledge":2,"latency":1,"latitude":1,"leaves":1,"letter":1,"letterhead":1,"library":4,"live":2,"liveness":3,"load":1,"lodgement":3,"low":1,"make":1,"marginal":1,"match":1,"matters":1,"maturing":1,"maui":1,"medibank":1,"microsoft":1,"mindanao":1,"minimisation":1,"most":2,"muslim":1,"myid":4,"national":1,"natural":2,"needs":1,"network":1,"never":1,"next":1,"no":5,"not":6,"nv1":1,"o":1,"objectives":1,"of":7,"offers":1,"officer":1,"offline":1,"offshore":1,"on":7,"one":1,"only":1,"open":6,"operation":1,"operational":1,"opm":1,"opportunity":1,"optus":1,"or":1,"org":2,"other":1,"our":3,"out":1,"over":1,"p2p":1,"pacific":1,"pad":2,"page":2,"paid":1,"part":2,"parts":1,"party":1,"passing":1,"peak":1,"per":1,"performance":1,"
performs":1,"philippines":1,"pleased":1,"poc":1,"policy":1,"practitioner":1,"pre":1,"predicates":1,"present":1,"presentation":1,"preserving":1,"primitives":1,"prior":1,"privacy":2,"privatelink":1,"procurement":2,"production":2,"programme":1,"projects":1,"promise":1,"proof":4,"properties":3,"propose":1,"proposed":1,"protected":1,"prove":1,"proves":1,"provisions":1,"public":3,"publicly":1,"question":1,"re":1,"readiness":1,"reference":1,"region":1,"relevant":1,"remediation":1,"replication":1,"representative":1,"required":1,"requirement":1,"research":5,"respond":3,"response":2,"retires":1,"retrievable":1,"rfi":4,"rfi15434":1,"risk":2,"runs":1,"s":12,"sable":18,"sample":1,"scale":1,"scp":1,"sea":1,"sector":1,"secure":1,"see":1,"selective":1,"service":1,"services":1,"setup":1,"sicherheit":1,"signposts":1,"sincerely":1,"sits":1,"sized":1,"soak":1,"solution":1,"source":5,"sovereignty":1,"spatial":1,"special":1,"standards":2,"state":1,"stated":2,"step":1,"store":1,"strategic":2,"structural":1,"structurally":1,"submitted":1,"suncorp":1,"support":2,"suprema":1,"sydney":1,"system":1,"systems":2,"target":1,"tbc":3,"team":2,"telefónica":1,"telus":1,"test":1,"testing":1,"tests":1,"that":1,"the":32,"there":1,"these":2,"this":4,"time":1,"timeline":1,"to":15,"today":1,"transformation":2,"transparent":1,"traverses":1,"trust":1,"trusted":1,"trustworthy":2,"uk":1,"underlying":1,"us":1,"user":2,"users":2,"ux":1,"v":1,"verification":3,"via":2,"walkthrough":1,"wcag":1,"we":5,"week":1,"weigh":1,"welcome":1,"where":1,"with":8,"without":1,"work":1,"working":2,"would":2,"yet":1,"yours":1,"zero":2,"zk":1}},{"dl":3722,"n":"part3-general","s":"draft/part3-general","secs":[{"h":"Part 3 — RFI Response Form — General — DRAFT","l":1,"t":"> Transcribe into the DOCX template in `../attachments/03-part3-response-general.docx`. Section structure and headings preserved exactly. 
---"},{"h":"Section 1 — The Conditions for Participation","l":7,"t":""},{"h":"Judicial decisions relating to employee entitlements","l":9,"t":"Anuna Research Cooperative confirms that **neither it nor any subcontractor identified in this Response has any unpaid claims** in respect of judicial decisions (other than decisions subject to appeal) made against it relating to employee entitlements. > *In the event of a future procurement stage, evidence will be provided on request.*"},{"h":"Workplace Gender Equality","l":15,"t":"Anuna Research Cooperative is **not a \"relevant employer\"** for the purposes of the *Workplace Gender Equality Act 2012* (Cth) — its employee headcount is below the 100-employee threshold that triggers WGEA reporting. We confirm we comply with all applicable workplace gender equality obligations."},{"h":"Satisfactory Statement of Tax Record","l":19,"t":"Anuna Research Cooperative confirms that it will hold a valid and satisfactory **Statement of Tax Record (STR)** by the Closing Time of any future procurement process (or receipt of an STR request from the ATO, with a valid STR within 4 business days). Where any subcontractor proposed for a future stage delivers Required Supplies valued over $4 million GST-inclusive, an STR for that subcontractor will be provided at that time."},{"h":"Indigenous Procurement Policy","l":23,"t":"Anuna Research Cooperative acknowledges the **Indigenous Procurement Policy** (IPP) and Commonwealth commitment to Indigenous entrepreneurship. 
In the event of a future procurement stage: - **Current Indigenous employment rate:** to be reported accurately at that time (Anuna Research Cooperative is a small company; the figure will be reported precisely) - **Current Indigenous supplier use:** as above - **Proposed Indigenous Participation Plan:** Anuna Research Cooperative will commit to an Indigenous Participation Plan addressing the IPP's minimum mandatory requirements (MMR) appropriate to the scale of the engagement, including subcontracting to Indigenous-owned firms (e.g. via Supply Nation) for delivery components where capability exists - **Prior MMR exposure:** Anuna Research Cooperative has not previously been subject to MMR targets"},{"h":"Commonwealth Supplier Code of Conduct","l":32,"t":"Anuna Research Cooperative acknowledges the **Commonwealth Supplier Code of Conduct** and confirms it has — and will maintain — policies, frameworks and governance practices appropriate to its size that comply with the Code's expectations on ethics, corporate governance, business practices, and health, safety and employee welfare. We undertake to extend these expectations to all subcontractors."},{"h":"ISO 14001 Environmental Management System","l":36,"t":"(Addendum 1 Q15.) Anuna Research Cooperative **does not currently hold ISO 14001 certification** and does not currently operate a formally aligned Environmental Management System. Anuna Research Cooperative is **able to align business processes to ISO 14001 within six months of contract signing** and to maintain that alignment for the term of any contract. 
**Planned uplift activities:** engage an Australian ISO 14001 consultant for gap assessment + EMS framework development; document environmental aspects (energy use of cloud infrastructure, business travel, hardware lifecycle); set environmental objectives (carbon-aware cloud deployments via AWS Customer Carbon Footprint Tool; reduction of physical travel via remote-first operations); implement monitoring + measurement (annual carbon assessment); internal audit + management review cycle. **Responsible owner:** Founder. **Expected timeframe:** alignment within 6 months of contract signing; certification within 12-18 months if required by procurement scope. Anuna Research Cooperative will be a **signatory to the Australian Packaging Covenant** or will comply with the National Environment Protection (Used Packaging Materials) Measure if a procurement progresses to a contract — noting that SABLE is software, with negligible physical packaging exposure."},{"h":"Outcome of this RFI Process","l":42,"t":"Anuna Research Cooperative acknowledges that the ATO may proceed with a second stage including Shortlist / RFT / RFQ / Limited Tender / Proof of Concept / Product Demonstration / RFI closure, and confirms our interest in participating in any such second stage. ---"},{"h":"Section 2 — Respondent's Details","l":48,"t":""},{"h":"Information about the Respondent","l":50,"t":"| Field | Value | |---|---| | Full legal name | Anuna Research Cooperative *[confirm exact registered entity name before lodgement — e.g.
\"Anuna Co-operative Ltd\" if separately registered under Australian co-operatives legislation]* | | Trading name | Anuna / Anuna Research / Anuna Research Cooperative | | Entity structure | Australian cooperative | | Entity identifier (ABN) | *[insert ABN — confirm before lodgement]* | | Country of incorporation | Australia | | Principal place of business | *[insert — Australia]* | | Postal address | *[insert before lodgement]* | | Phone | *[insert before lodgement]* | | Email | hello@anuna.io | | Website | https://anuna.io | | Code repositories | https://codeberg.org/anuna | | Primary contact for this Response | Hugo O'Connor — Trust Engineering |"},{"h":"Respondents' compliance with conditions","l":67,"t":"| Condition | Status | |---|---| | Judicial decisions / employee entitlements | Compliant (see §1) | | Workplace Gender Equality | Not a relevant employer (see §1) | | Statement of Tax Record | Will hold valid STR at any future procurement closing time (see §1) | | Indigenous Procurement Policy | Acknowledged (see §1) | | Commonwealth Supplier Code of Conduct | Acknowledged and compliant (see §1) |"},{"h":"General information about the Response","l":77,"t":"| Field | Value | |---|---| | Is this Response submitted by a Responding Group? | No — single respondent (Anuna Research Cooperative) | | Are there any subcontractors to be named at this stage? | No subcontractors named at the RFI stage. In a future procurement stage we anticipate engaging: (a) an Australian Security Vetting Agency–cleared partner for NV1-cleared L2/L3 support; (b) an Australian SOC partner for managed insider-risk monitoring; (c) an Australian systems-integrator partner for delivery scale (TBD by procurement context) | | Are there material confidentiality claims over this Response? | Yes — see \"Confidential Information\" disclosure in our covering material | | Are there any conflicts of interest? 
| None disclosed | ---"},{"h":"Section 3 — Respondent Information","l":88,"t":""},{"h":"Details of Response","l":90,"t":""},{"h":"About Anuna","l":92,"t":"**Anuna Research Cooperative** (*\"Anuna\"*) is an Australian cooperative working on **trustworthy AI systems**. Anuna positions itself as *\"applied AI research, done through the work itself\"* — integrating AI engineering, organisational design and governance as one unified practice, and conducting research through live client engagements so that each piece of work improves our tools and methods. Anuna's practitioner team holds a small set of complementary disciplines: | Practitioner | Discipline | |---|---| | **Hugo O'Connor** *(primary contact for this Response)* | Trust engineering — cryptographic systems, identity, zero-knowledge proofs, privacy architecture | | **Mathew Mytka** | Transformative adaptation — organisational change, AI governance | | **Claire Barnes** | Systems engineering — distributed-systems and platform design | | **Dave Factor** | Automation engineering — pipelines, deployment, observability | | **Viveka Weiley** | Strategic design — user experience, service design, accessibility | Anuna's prior client engagements (representative, in addition to others not listed): **Microsoft, Autodesk, CSIRO Data61, Telus, Kellogg School of Management, Suncorp, IAG, the UK Government Digital Service (GovUK), Telefónica, University of Wollongong**. **Directly-relevant current engagement (delivery-capability reference): Bangsamoro Autonomous Region in Muslim Mindanao (BARMM), Philippines** — Anuna is the delivery partner building eGov services for the BARMM regional government, with scope spanning digital identity, citizen-facing eGov service delivery (forms, portals), and transformation advisory.
**Production go-live: July 2026.** This is the most directly relevant reference for RFI-15434 *as a delivery-capability proof*: a government-of-government digital identity and eGov programme delivered end-to-end by Anuna with the same cooperative practitioner team that would deliver any ATO SABLE engagement. By the time any post-RFI ATO procurement stage commences, BARMM will be in production with months of operational track record available as direct evidence of delivery capability. **Note: BARMM does not currently deploy SABLE**; future SABLE deployment at BARMM is a candidate natural extension of the existing engagement. The GovUK and CSIRO Data61 engagements provide complementary OECD-grade public-sector context — UK government digital service work shares the standards bar, public-sector data sovereignty constraints, and accessibility requirements that the ATO operates under. **International interest in SABLE and adjacent use cases.** The SABLE open-source library has attracted interest from public-sector stakeholders beyond the Pacific / Southeast Asian context. Anuna is in **early dialogue with Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI)** — the German federal cyber-security authority and natural OECD counterpart to ASD / ACSC — about the SABLE approach for European public-sector identity. Other plausible deployment contexts include other Pacific island nations, ASEAN member states, and OECD-allied digital-sovereignty initiatives. Beyond national digital identity, the underlying privacy-by-construction architecture extends to **adjacent use cases**: age verification for online services, healthcare patient verification (telehealth, prescription authorisation), building / facility access control, employer / contractor on-site identity, and peer-to-peer credential verification — wherever holding biometric or identity-document data centrally is a liability that an architectural alternative could retire. 
Anuna's open-source projects (publicly available at [codeberg.org/anuna](https://codeberg.org/anuna)) include: - **SABLE** — zero-knowledge biometric proofs *(the subject of this Response)* - **hence** — defeasible logic for agent planning *(used internally to coordinate this Response)* - **spindle** — non-monotonic logic engine in Rust - **sense** — ambient retrieval across portfolios - **vibe harness** — AI pacing to humans - **ebs** — HRV research instrument - **cbcl** — agent communication language - **cbcl-runtime** — process-to-agent router - **zetl** — sourced wiki for agents - **ar-crawl** — agent-focused web crawler *(used to retrieve the RFI documents in preparing this Response)* The breadth across cryptography, agent systems, knowledge representation, organisational design and adaptation reflects the cooperative's practice of working across the full stack of trustworthy-AI delivery rather than operating as a point-solution vendor."},{"h":"About SABLE","l":129,"t":"**SABLE — Secure Attested Biometric Library for Edge** is Anuna's open-source (Apache 2.0) library for privacy-preserving biometric verification using Halo2 zero-knowledge proofs and active spatial-flash liveness detection. **Headline numbers for SABLE:** - **519 tests passing** in the core library (89 % code coverage); 77 Halo2-specific tests - **~250 ms** proof generation on a modern smartphone; **~1.8 ms** verification; **2 KB** proof size - **Apache 2.0** licensed; full source publicly available at [codeberg.org/anuna/sable](https://codeberg.org/anuna/sable) - Built on **transparent-setup Halo2** (no trusted setup ceremony — eliminating a major class of cryptographic risk associated with older ZK systems), BLS12-381 / BN254, Poseidon hash, Pedersen commitments - Active spatial-flash liveness detection adapted from the published Tang et al. 
NDSS 2018 methodology To our knowledge, SABLE is the first open-source library to combine all of: true zero-knowledge proofs over biometric data, fully offline capable operation, no special hardware required, selective credential disclosure via BBS+ Verifiable Credentials, transparent ZK setup, and an Apache 2.0 licence."},{"h":"How SABLE works — concrete walkthrough","l":143,"t":"This section gives a plain-language model of what SABLE is and how it works end-to-end. It is intended to be readable by an evaluator who is not a cryptographer; the underlying cryptographic primitives are summarised in the *Technical building blocks* table below, and documented in detail in the public SABLE codebase at [codeberg.org/anuna/sable](https://codeberg.org/anuna/sable)."},{"h":"Components and where they run","l":147,"t":""},{"h":"What is actually proven (plain language)","l":194,"t":"When a user authenticates, SABLE generates a single proof asserting **all of the following at once**: 1. The person in front of the camera right now has the same face as the person originally enrolled 2. The person is a real living human present at the point of capture — not a printed photo, a video replay, or a screen replay of a previously-captured face 3. The proof is cryptographically bound to this specific verification session and cannot be replayed against another session 4. (Optionally, if a Verifiable Credential is presented) the selectively-disclosed credential attributes are validly issued and correspond to the same person who enrolled the biometric The verifier learns the outcome (pass / fail) plus any attributes the user explicitly chose to disclose. The verifier does *not* learn the face image, the face embedding, the enrolled template, or any credential attribute the user chose to hide."},{"h":"The user journey — enrolment","l":205,"t":"The user enrols once. From the user's perspective: 1. Open the myID app (SABLE embedded), select \"Enrol biometric\" 2. 
Frame face within the on-screen oval; the app guides re-capture if image quality is below threshold (ISO/IEC 29794-5 profile) 3. App captures the face image, extracts a 1024-dimension feature embedding on-device, hashes it with a ZK-friendly hash function (Poseidon), and generates a Pedersen commitment to the hash 4. App stores the cryptographic blinding factor (the \"private side\" of the commitment) in the device secure enclave / Android Keystore 5. App publishes the public Pedersen commitment as the user's \"biometric public key\" 6. Original image and embedding are discarded; only the secure-enclave blinding factor and the public commitment remain Total time: ~30 seconds. Nothing leaves the device except the public commitment."},{"h":"The user journey — authentication","l":218,"t":"When the user later authenticates to a service: 1. Open the myID app, select \"Verify identity for [service]\" 2. App receives a verification challenge from the verifier (random session nonce) 3. App generates its own random nonce, commits to it (commit-reveal protocol), sends commitment to verifier 4. Verifier reveals its session nonce; combined HKDF derives a deterministic but unpredictable spatial-flash pattern 5. App displays 3 rounds of split-screen colour flashes (top vs bottom colour, ~2.5 s each); camera captures the user's face under each flash 6. App detects 3D geometry by comparing how upper vs lower face regions reflect each flash colour; a real 3D face responds differently to the split pattern, a flat photo or screen replay responds uniformly 7. App recaptures a fresh face embedding, generates a Halo2 zero-knowledge proof in ~250 ms that simultaneously asserts all four claims above 8. App sends the ~2 KB proof + nonce + (optional) selectively-disclosed credential predicates to the verifier 9. 
Verifier checks the proof in ~1.8 ms, validates the nonce binding, learns only the pass/fail outcome + disclosed attributes Total user-perceived time: ~10 seconds (3 spatial-flash rounds + proof generation + network round-trip). The full flow runs on-device; the only network traffic is the challenge / response and the final proof."},{"h":"Selective disclosure example","l":234,"t":"If the user holds a Verifiable Credential (BBS+) issued by, say, the Australian Passport Office, the user controls exactly what the verifier learns: | Credential field | Verifier sees | |---|---| | Full name | (hidden) | | Date of birth | (hidden) | | Age ≥ 18 | ✓ (proven by predicate, no DOB revealed) | | Nationality | Valid Australian (proven, document number hidden) | | ID number | (hidden) | | Biometric match | ✓ (zero-knowledge proof against enrolment) | The same Halo2 proof binds the biometric match *and* the credential predicate, so the verifier knows the predicates relate to the *same person* who is currently authenticating, not somebody else's credential."},{"h":"What is in scope of SABLE / what is in scope of integration","l":249,"t":"**In scope of the SABLE library (Anuna's open-source offering, what the ATO would consume):** - Capture pipeline (camera access, image-quality control, frame validation) - Spatial-flash liveness protocol (challenge generation, flash display, reflectance analysis) - Cryptographic primitives (Halo2 proving system, Pedersen commitments, Poseidon hash, BLS12-381 curve operations, BBS+ selective-disclosure layer) - ZK proof generation (on-device) - ZK proof verification (server-side) - Cross-platform bindings (Android JNI, iOS Swift; MAUI bindings to be delivered per IN-1) - Web build via WASM for browser-based verification **In scope of the proposed SABLE Verification SaaS (Anuna's commercial wrapper):** - Hosted verification endpoint on AWS Sydney (`ap-southeast-2`) - AWS PrivateLink endpoint for ATO connectivity - Operational telemetry, audit 
logging, metrics dashboards (Amazon CloudWatch + Grafana) - IRAP / PROTECTED-level certification (to be undertaken per SC-1 / SC-6) - 24×7 monitoring, tiered support, SLA management - Release management, dependency patching, CVE response **In scope of integration work (joint Anuna + ATO during procurement):** - Embedding SABLE in the myID app build (engineering integration) - Wiring the SaaS endpoint to ATO's existing FVS / DVS infrastructure - Joint UAT, runbook handover, operational onboarding - ATO branding of capture UI, copy localisation, accessibility-mode customisation **Out of scope (ATO retains):** - The myID app itself and the broader IP3 identity-proofing flow - The Document Verification Service (DVS) and Face Verification Service (FVS) integrations to source agencies - User account management, session handling, downstream service authentication - Helpdesk for end-user identity queries unrelated to biometric verification"},{"h":"The trust model","l":280,"t":"| Party | What they trust | |---|---| | **User** | Their own device's secure enclave / Android Keystore; the SABLE open-source code (auditable); the spatial-flash protocol (commit-reveal nonces prevent the verifier predicting the flash pattern) | | **Verifier (ATO)** | The cryptographic primitives (BLS12-381, Halo2, Poseidon — all peer-reviewed, transparent setup); AWS Sydney as a Certified Strategic Hosting Provider; the ZK proof system's soundness | | **Structurally not trusted** | The SaaS verification endpoint with the biometric data (it doesn't have it); any party in the delivery chain with PI (no party in the chain has PI); the network channel with the biometric data (only the proof transits) | This is the structural inversion of conventional biometric verification: in the standard model, the user trusts the verifier with their biometric data and trusts the verifier's data-handling practices; in SABLE, the verifier trusts the cryptographic system and *cannot* be entrusted with biometric data 
because there is none to entrust."},{"h":"Technical building blocks","l":290,"t":"| Primitive | Role in SABLE | What it gives | |---|---|---| | **Halo2** | Zero-knowledge proof system | Transparent setup (no trusted ceremony); ~250 ms proof generation, ~1.8 ms verification, ~2 KB proof size; composite proof binds biometric match + PAD + nonce + (optional) BBS+ credential predicates atomically | | **BLS12-381** (pairing-friendly curve) | Elliptic-curve operations underlying Halo2 and BBS+ | 128-bit security level; widely deployed (Zcash, Ethereum BLS signatures); aligned with NIST and IETF CFRG positions | | **Pedersen commitments** | Hiding commitment to the biometric hash | Acts as the user's \"biometric public key\": the verifier can check membership proofs without learning the underlying biometric | | **Poseidon** | ZK-friendly hash function | Hashes the 1024-dim biometric feature embedding inside the ZK circuit ~10× faster than SHA-256 in circuit-arithmetic terms | | **BBS+ signatures** | Selective-disclosure layer for Verifiable Credentials | Holder can prove possession of a credential and disclose only chosen attributes / predicates (\"≥ 18\") without revealing hidden fields | | **Spatial-flash liveness** | Active PAD via split-screen colour challenge | Detects 3D face geometry via differential reflectance across upper / lower face regions; adapted from Tang et al., NDSS 2018 | | **Face embedding** | 1024-dim biometric feature vector | Stable representation of facial features suitable for hashing and matching inside the ZK circuit | | **X25519 ECDH** | Key exchange for P2P verification | NIST / ISM-listed *[confirm against the current NIST and ISM approved-algorithm lists before lodgement]*; underpins peer-to-peer session keys for NFC / BLE / WiFi Direct verification | | **ChaCha20-Poly1305** | Authenticated encryption for P2P traffic | NIST / ISM-listed AEAD *[confirm against the current NIST and ISM approved-algorithm lists before lodgement]*; protects session payloads on peer-to-peer channels | All primitives are peer-reviewed, transparent (no trusted setup), and either NIST/IETF-standardised or aligned with NIST PQC and IETF 
CFRG positions. Implementations are pure-Rust (no FFI dependencies on untrusted third-party crypto libraries) and tested via the public test suite (519 tests, 89 % coverage). **What SABLE proposes for myID:** A **two-component deployment**: 1. **On-device** — SABLE library embedded in the myID app handles biometric capture, image-quality control (ISO/IEC 29794-5), presentation-attack detection (single-continuous-pipeline spatial flash liveness), and Halo2 ZK proof generation. Biometric data **never leaves the device.** 2. **SaaS** — A hosted verification endpoint on AWS Sydney (`ap-southeast-2`) verifies the ZK proof in ~1.8 ms; integrates via AWS PrivateLink to the ATO's existing infrastructure; provides metrics, logging, alerting, and ongoing platform maintenance. The technical compliance matrix for every requirement (LV-1..6, TV-1..3, S-1..2, P-1..2, A-1, H-1..2, IN-1..5, SC-1..8, OP-1..10, VISM-1..7, M-1, RM-1..4, UX-1..4) is set out in **Part 3a — Response Form (Technical)** and accompanies this submission."},{"h":"Respondent's responses in relation to Part 2 — Statement of Requirements","l":315,"t":"**(See Part 3a — Response Form (Technical) — the technical-compliance matrix is provided in the requested XLSX form, with one row per requirement.)** For the cross-cutting business requirements: - **Secure** — Halo2 ZK proofs provide cryptographic guarantees stronger than statistical match-rate thresholds. Spatial-flash PAD defeats common photo / video / screen-replay attacks; FMR/FNMR benchmarking against ISO/IEC TS 19795-9 committed. - **User-friendly** — ~10-second capture flow; no special device; no internet dependency for capture; biometric data never leaves device. - **Device-compatible** — iOS 14+, Android 9+; Chrome, Safari, Edge, Firefox on desktop and mobile via the WASM build. - **Accessible** — WCAG 2.1 AA commitment (audit + remediation in 4-6 weeks); accessibility-mode liveness alternative on roadmap. 
- **Scalable** — stateless verification at ~1.8 ms; capacity scales linearly with EKS pods. - **Cost-effective** — open-source library means no per-seat ZK-proof licence; commercial scope is SaaS shell, integration, and ongoing operations. - **Compliant** — privacy by construction directly aligns with Digital ID Act 2024 data-minimisation; ISM / Essential 8 / Australian Privacy Principles roadmap mapped requirement-by-requirement in Part 3a. - **Integratable and maintainable** — MAUI bindings sized at 4-6 weeks; IaC deployment; public SBOM; documented patching SLA. - **Value for money** — privacy-by-construction architecture removes the ongoing cost of breach mitigation, data-sovereignty auditing, and consent management that statistical-match biometric stacks accrue. **Additional public value:** SABLE is Apache 2.0 open-source — any work the ATO funds to mature it (third-party PAD certification, FMR/FNMR benchmarking, MAUI bindings, IRAP/PROTECTED assessment, ASD-HACE-compliant crypto pathway, WCAG 2.1 AA audit) becomes immediately freely available to any other government adopter. Candidate future deployment contexts include Anuna's existing BARMM (Philippines) engagement as a natural extension, early-dialogue with Germany's BSI for European public-sector identity, other Pacific / Southeast Asian governments, and adjacent use cases beyond national digital identity (age verification, healthcare patient verification, building access). ATO investment compounds across this surface at zero marginal cost — aligned with the Commonwealth's Pacific Step-Up, Indo-Pacific Endeavour, ASEAN digital cooperation, and the Quad's cyber resilience agenda. 
---"},{"h":"Section 4 — Respondent's Declaration","l":333,"t":"> *On Anuna Research Cooperative letterhead, signed by Hugo O'Connor as authorised representative.* **I, Hugo O'Connor**, in my capacity as authorised representative of Anuna Research Cooperative (Trust Engineering), declare on behalf of Anuna Research Cooperative that: 1. The information contained in this Response is, to the best of our knowledge and belief, **true, accurate, and complete**. 2. We have read, understand, and accept the **Conditions for Participation** set out in Part 1 of RFI-15434. 3. We acknowledge that this Response is **not a binding offer** and that no contract is formed by submission or evaluation of this Response. 4. We have **no actual or perceived conflict of interest** in relation to this RFI. 5. We will **comply with the Commonwealth Supplier Code of Conduct** in any future contractual relationship with the ATO. 6. We **consent to the ATO's use** of the information in this Response for the purposes stated in Part 1, including disclosure to ATO staff, advisers, and other Commonwealth agencies where required. 7. We **acknowledge the confidentiality regime** described in Part 1 and have separately identified any Confidential Information. 
Signed: ____________________________ **Hugo O'Connor** — Trust Engineering, Anuna Research Cooperative Date: 4 June 2026 --- > *End of Part 3 draft.*"}],"tf":{"0":4,"1":37,"10":4,"100":1,"1024":3,"12":1,"128":1,"14":1,"14001":4,"15434":2,"18":3,"19795":1,"2":20,"2012":1,"2018":2,"2024":1,"2026":2,"24":1,"250":3,"256":1,"29794":2,"3":10,"30":1,"381":4,"3a":3,"3d":3,"4":12,"5":7,"519":2,"6":8,"7":4,"77":1,"8":8,"89":2,"9":3,"a":52,"aa":2,"able":1,"abn":2,"about":5,"above":2,"accept":1,"access":3,"accessibility":4,"accessible":1,"accompanies":1,"account":1,"accrue":1,"accurate":1,"accurately":1,"acknowledge":2,"acknowledged":2,"acknowledges":3,"across":5,"acsc":1,"act":2,"active":3,"activities":1,"acts":1,"actual":1,"actually":1,"adaptation":2,"adapted":2,"addendum":1,"addition":1,"additional":1,"address":1,"addressing":1,"adjacent":3,"adopter":1,"advisers":1,"advisory":1,"aead":1,"against":4,"age":3,"agencies":2,"agency":1,"agenda":1,"agent":5,"agents":1,"ai":6,"al":2,"alerting":1,"align":1,"aligned":4,"alignment":2,"aligns":1,"all":7,"allied":1,"alternative":2,"amazon":1,"ambient":1,"an":11,"analysis":1,"and":63,"android":4,"annual":1,"another":1,"anticipate":1,"anuna":46,"any":18,"apache":4,"app":15,"appeal":1,"applicable":1,"applied":1,"approach":1,"appropriate":2,"ar":1,"architectural":1,"architecture":3,"are":8,"arithmetic":1,"as":13,"asd":2,"asean":2,"asian":2,"aspects":1,"asserting":1,"asserts":1,"assessment":3,"associated":1,"at":14,"ato":18,"atomically":1,"attack":1,"attacks":1,"attested":1,"attracted":1,"attribute":1,"attributes":4,"audit":4,"auditable":1,"audited":1,"auditing":1,"australia":2,"australian":11,"authenticated":1,"authenticates":2,"authenticating":1,"authentication":2,"authorisation":1,"authorised":2,"authority":1,"autodesk":1,"automation":1,"autonomous":1,"available":4,"aware":1,"aws":6,"b":1,"bangsamoro":1,"bar":1,"barmm":6,"barnes":1,"based":1,"bbs":6,"be":12,"because":1,"becomes":1,"been":1,"before":4,"behalf":1,"belief":1,"below":3,"benchm
arking":2,"best":1,"beyond":3,"binding":2,"bindings":4,"binds":2,"biometric":26,"birth":1,"bit":1,"ble":1,"blinding":2,"blocks":2,"bls":1,"bls12":4,"bn254":1,"bottom":1,"bound":1,"branding":1,"breach":1,"breadth":1,"broader":1,"browser":1,"bsi":2,"build":3,"building":5,"built":1,"bundesamt":1,"business":6,"but":1,"by":16,"c":1,"camera":3,"can":2,"candidate":2,"cannot":2,"capability":4,"capable":1,"capacity":2,"capture":7,"captured":1,"captures":2,"carbon":3,"cases":3,"cbcl":2,"centrally":1,"ceremony":2,"certification":4,"certified":1,"cfrg":2,"chacha20":1,"chain":2,"challenge":4,"change":1,"channel":1,"channels":1,"check":1,"checks":1,"chose":2,"chosen":1,"chrome":1,"circuit":3,"citizen":1,"claims":3,"claire":1,"class":1,"cleared":2,"client":2,"closing":2,"closure":1,"cloud":2,"cloudwatch":1,"co":2,"code":8,"codebase":1,"codeberg":7,"colour":4,"combine":1,"combined":1,"commences":1,"commercial":2,"commit":3,"commitment":9,"commitments":3,"commits":1,"committed":1,"common":1,"commonwealth":7,"communication":1,"company":1,"comparing":1,"compatible":1,"complementary":2,"complete":1,"compliance":3,"compliant":4,"comply":4,"component":1,"components":2,"composite":1,"compounds":1,"concept":1,"concrete":1,"condition":1,"conditions":3,"conduct":4,"conducting":1,"confidential":2,"confidentiality":2,"confirm":3,"confirms":4,"conflict":1,"conflicts":1,"connectivity":1,"connor":5,"consent":2,"constraints":1,"construction":3,"consultant":1,"consume":1,"contact":2,"contained":1,"context":3,"contexts":2,"continuous":1,"contract":5,"contractor":1,"contractual":1,"control":3,"controls":1,"conventional":1,"cooperation":1,"cooperative":24,"coordinate":1,"copy":1,"core":1,"corporate":1,"correspond":1,"cost":3,"could":1,"counterpart":1,"country":1,"covenant":1,"coverage":2,"covering":1,"crawl":1,"crawler":1,"credential":12,"credentials":2,"cross":2,"crypto":2,"cryptographer":1,"cryptographic":8,"cryptographically":1,"cryptography":1,"csiro":2,"cth":1,"current":3,"currently":4,"curve":3,
"customer":1,"customisation":1,"cutting":1,"cve":1,"cyber":2,"cycle":1,"dashboards":1,"data":12,"data61":2,"date":2,"dave":1,"days":1,"decisions":4,"declaration":1,"declare":1,"defeasible":1,"defeats":1,"deliver":1,"delivered":2,"delivers":1,"delivery":9,"demonstration":1,"dependencies":1,"dependency":2,"deploy":1,"deployed":1,"deployment":6,"deployments":1,"der":1,"derives":1,"described":1,"design":5,"desktop":1,"detail":1,"details":2,"detection":3,"detects":2,"deterministic":1,"development":1,"device":11,"dialogue":2,"differential":1,"differently":1,"digital":9,"dim":2,"dimension":1,"direct":2,"directly":3,"discarded":1,"discipline":1,"disciplines":1,"disclose":2,"disclosed":4,"disclosure":6,"display":1,"displays":1,"distributed":1,"dob":1,"document":4,"documented":2,"documents":1,"docx":1,"does":4,"doesn":1,"done":1,"downstream":1,"draft":2,"during":1,"dvs":2,"e":2,"each":4,"early":2,"ebs":1,"ecdh":1,"edge":2,"effective":1,"egov":3,"either":1,"eks":1,"eliminating":1,"elliptic":1,"else":1,"email":1,"embedded":2,"embedding":7,"employee":6,"employer":3,"employment":1,"ems":1,"enclave":3,"encryption":1,"end":6,"endeavour":1,"endpoint":5,"energy":1,"engage":1,"engagement":5,"engagements":3,"engaging":1,"engine":1,"engineering":8,"enrol":1,"enrolled":3,"enrolment":2,"enrols":1,"entitlements":3,"entity":3,"entrepreneurship":1,"entrust":1,"entrusted":1,"environment":1,"environmental":4,"equality":4,"essential":1,"et":2,"ethereum":1,"ethics":1,"european":2,"evaluation":1,"evaluator":1,"event":2,"every":1,"evidence":2,"exact":1,"exactly":2,"example":1,"except":1,"exchange":1,"existing":4,"exists":1,"expectations":2,"expected":1,"experience":1,"explicitly":1,"exposure":2,"extend":1,"extends":1,"extension":2,"extracts":1,"face":14,"facial":1,"facility":1,"facing":1,"factor":3,"fail":2,"faster":1,"feature":3,"features":1,"federal":1,"ffi":1,"field":3,"fields":1,"figure":1,"final":1,"firefox":1,"firms":1,"first":2,"flash":13,"flashes":1,"flat":1,"flow":3,"fmr":2,"fnmr":2,"focu
sed":1,"following":1,"footprint":1,"for":38,"form":4,"formally":1,"formed":1,"forms":1,"founder":1,"four":1,"frame":2,"framework":1,"frameworks":1,"freely":1,"fresh":1,"friendly":4,"from":6,"front":1,"full":5,"fully":1,"function":2,"funds":1,"future":9,"fvs":2,"für":1,"g":2,"gap":1,"gender":4,"general":2,"generates":4,"generation":6,"geometry":2,"german":1,"germany":2,"gives":2,"go":1,"governance":4,"government":6,"governments":1,"govuk":2,"grade":1,"grafana":1,"group":1,"gst":1,"guarantees":1,"guides":1,"h":1,"hace":1,"halo2":11,"handles":1,"handling":2,"handover":1,"hardware":2,"harness":1,"has":6,"hash":6,"hashes":2,"hashing":1,"have":4,"headcount":1,"headings":1,"headline":1,"health":1,"healthcare":2,"hello":1,"helpdesk":1,"hence":1,"hidden":5,"hide":1,"hiding":1,"hkdf":1,"hold":3,"holder":1,"holding":1,"holds":2,"hosted":2,"hosting":1,"how":3,"hrv":1,"https":5,"hugo":5,"human":1,"humans":1,"i":1,"iac":1,"iag":1,"id":2,"identified":2,"identifier":1,"identity":12,"iec":3,"ietf":3,"if":6,"image":6,"immediately":1,"implement":1,"implementations":1,"improves":1,"in":54,"include":3,"including":3,"inclusive":1,"incorporation":1,"indigenous":9,"indo":1,"information":7,"informationstechnik":1,"infrastructure":3,"initiatives":1,"insert":4,"inside":2,"insider":1,"instrument":1,"integratable":1,"integrates":1,"integrating":1,"integration":4,"integrations":1,"integrator":1,"intended":1,"interest":5,"internal":1,"internally":1,"international":1,"internet":1,"into":1,"inversion":1,"investment":1,"io":2,"ios":2,"ip3":1,"ipp":2,"irap":2,"is":35,"island":1,"ism":3,"iso":7,"issued":2,"it":12,"its":4,"itself":2,"jni":1,"joint":2,"journey":2,"judicial":3,"july":1,"june":1,"kb":3,"kellogg":1,"key":3,"keys":1,"keystore":2,"knowledge":10,"knows":1,"l2":1,"l3":1,"language":3,"later":1,"layer":2,"learn":1,"learning":1,"learns":3,"leaves":3,"legal":1,"legislation":1,"letterhead":1,"level":2,"liability":1,"libraries":1,"library":8,"licence":2,"licensed":1,"lifecycle":1,"limited":1,"linear
ly":1,"listed":3,"live":2,"liveness":6,"living":1,"localisation":1,"lodgement":4,"logging":2,"logic":2,"lower":2,"ltd":1,"lv":1,"m":1,"made":1,"maintain":2,"maintainable":1,"maintenance":1,"major":1,"managed":1,"management":8,"mandatory":1,"mapped":1,"marginal":1,"match":5,"matching":1,"material":2,"materials":1,"mathew":1,"matrix":2,"mature":1,"maui":3,"may":1,"means":1,"measure":1,"measurement":1,"member":1,"membership":1,"methodology":1,"methods":1,"metrics":2,"microsoft":1,"million":1,"mindanao":1,"minimisation":1,"minimum":1,"mitigation":1,"mmr":3,"mobile":1,"mode":2,"model":3,"modern":1,"money":1,"monitoring":3,"monotonic":1,"months":4,"most":1,"ms":8,"muslim":1,"my":1,"myid":6,"mytka":1,"name":4,"named":2,"nation":1,"national":3,"nationality":1,"nations":1,"natural":3,"ndss":2,"negligible":1,"neither":1,"network":3,"never":2,"nfc":1,"nist":5,"no":14,"non":1,"nonce":6,"nonces":1,"none":2,"nor":1,"not":13,"note":1,"nothing":1,"noting":1,"now":1,"number":2,"numbers":1,"nv1":1,"o":5,"objectives":1,"obligations":1,"observability":1,"oecd":3,"of":66,"offer":1,"offering":1,"office":1,"offline":1,"older":1,"on":19,"onboarding":1,"once":2,"one":2,"ongoing":3,"online":1,"only":5,"op":1,"open":10,"operate":1,"operates":1,"operating":1,"operation":1,"operational":3,"operations":4,"operative":1,"operatives":1,"optional":2,"optionally":1,"or":9,"org":7,"organisational":3,"original":1,"originally":1,"other":6,"others":1,"our":5,"out":3,"outcome":3,"oval":1,"over":3,"own":2,"owned":1,"owner":1,"p":1,"p2p":2,"pacific":5,"pacing":1,"packaging":3,"pad":4,"pairing":1,"part":9,"participating":1,"participation":4,"partner":4,"party":5,"pass":2,"passing":1,"passport":1,"patching":2,"pathway":1,"patient":2,"pattern":3,"payloads":1,"pedersen":5,"peer":8,"per":4,"perceived":2,"person":5,"perspective":1,"philippines":2,"phone":1,"photo":3,"physical":2,"pi":2,"piece":1,"pipeline":2,"pipelines":1,"place":1,"plain":2,"plan":2,"planned":1,"planning":1,"platform":3,"plausible":1,"plus":1,"p
ods":1,"point":2,"policies":1,"policy":3,"poly1305":1,"portals":1,"portfolios":1,"poseidon":5,"positions":3,"possession":1,"post":1,"postal":1,"pqc":1,"practice":2,"practices":3,"practitioner":3,"precisely":1,"predicate":2,"predicates":4,"predicting":1,"preparing":1,"prescription":1,"present":1,"presentation":1,"presented":1,"preserved":1,"preserving":1,"prevent":1,"previously":2,"primary":2,"primitive":1,"primitives":4,"principal":1,"principles":1,"printed":1,"prior":2,"privacy":6,"private":1,"privatelink":2,"proceed":1,"process":3,"processes":1,"procurement":13,"product":1,"production":2,"profile":1,"programme":1,"progresses":1,"projects":1,"proof":24,"proofing":1,"proofs":6,"proposed":3,"proposes":1,"protected":2,"protection":1,"protects":1,"protocol":3,"prove":1,"proven":3,"provide":2,"provided":3,"provider":1,"provides":1,"proving":1,"public":14,"publicly":2,"published":1,"publishes":1,"pure":1,"purposes":2,"q15":1,"quad":1,"quality":3,"queries":1,"random":2,"rate":2,"rather":1,"re":1,"read":1,"readable":1,"real":2,"recaptures":1,"receipt":1,"receives":1,"record":4,"reduction":1,"reference":2,"reflect":1,"reflectance":2,"reflects":1,"regime":1,"region":1,"regional":1,"regions":2,"registered":2,"relate":1,"relating":2,"relation":2,"relationship":1,"release":1,"relevant":4,"remain":1,"remediation":1,"remote":1,"removes":1,"replay":4,"replayed":1,"reported":2,"reporting":1,"repositories":1,"representation":2,"representative":3,"request":2,"requested":1,"required":4,"requirement":4,"requirements":4,"research":24,"resilience":1,"respect":1,"respondent":6,"respondents":1,"responding":1,"responds":2,"response":19,"responses":1,"responsible":1,"retains":1,"retire":1,"retrieval":1,"retrieve":1,"reveal":2,"revealed":1,"revealing":1,"reveals":1,"review":1,"reviewed":2,"rfi":9,"rfq":1,"rft":1,"right":1,"risk":2,"rm":1,"roadmap":2,"role":1,"round":1,"rounds":2,"router":1,"row":1,"run":1,"runbook":1,"runs":1,"runtime":1,"rust":2,"s":30,"saas":5,"sable":31,"safari":1,"safety"
:1,"same":5,"satisfactory":2,"say":1,"sbom":1,"sc":3,"scalable":1,"scale":2,"scales":1,"school":1,"scope":9,"screen":6,"seat":1,"second":3,"seconds":2,"section":6,"sector":5,"secure":5,"security":3,"see":7,"sees":1,"select":2,"selective":4,"selectively":2,"sends":2,"sense":1,"separately":2,"server":1,"service":9,"services":2,"session":7,"set":4,"setup":6,"sha":1,"shares":1,"shell":1,"shortlist":1,"sicherheit":1,"side":2,"signatory":1,"signatures":2,"signed":2,"signing":2,"simultaneously":1,"single":3,"site":1,"six":1,"size":3,"sized":1,"sla":2,"small":2,"smartphone":1,"so":2,"soc":1,"software":1,"solution":1,"somebody":1,"soundness":1,"source":10,"sourced":1,"southeast":2,"sovereignty":3,"spanning":1,"spatial":9,"special":2,"specific":2,"spindle":1,"split":3,"stable":1,"stack":1,"stacks":1,"staff":1,"stage":9,"stakeholders":1,"standard":1,"standardised":1,"standards":1,"stated":1,"stateless":1,"statement":4,"states":1,"statistical":2,"status":1,"step":1,"stores":1,"str":5,"strategic":2,"stronger":1,"structural":1,"structurally":1,"structure":2,"subcontracting":1,"subcontractor":3,"subcontractors":3,"subject":3,"submission":2,"submitted":1,"such":1,"suitable":1,"suite":1,"summarised":1,"suncorp":1,"supplier":5,"supplies":1,"supply":1,"support":2,"surface":1,"swift":1,"sydney":3,"system":6,"systems":7,"t":1,"table":1,"tang":2,"targets":1,"tax":3,"tbd":1,"team":2,"technical":6,"telefónica":1,"telehealth":1,"telemetry":1,"telus":1,"template":2,"tender":1,"term":1,"terms":1,"test":1,"tests":3,"than":4,"that":19,"the":171,"their":2,"there":4,"these":1,"they":2,"third":2,"this":21,"threshold":2,"thresholds":1,"through":2,"tiered":1,"time":7,"timeframe":1,"to":59,"tool":1,"tools":1,"top":1,"total":2,"track":1,"trading":1,"traffic":2,"transcribe":1,"transformation":1,"transformative":1,"transits":1,"transparent":5,"travel":2,"triggers":1,"trip":1,"true":2,"trust":6,"trusted":4,"trusts":3,"trustworthy":2,"ts":1,"tv":1,"two":1,"uat":1,"ui":1,"uk":2,"under":3,"underlying":4,"un
derpins":1,"understand":1,"undertake":1,"undertaken":1,"unified":1,"uniformly":1,"university":1,"unpaid":1,"unpredictable":1,"unrelated":1,"untrusted":1,"up":1,"uplift":1,"upper":2,"use":6,"used":3,"user":20,"using":1,"ux":1,"valid":4,"validates":1,"validation":1,"validly":1,"value":4,"valued":1,"vector":1,"vendor":1,"verifiable":4,"verification":23,"verifier":16,"verifies":1,"verify":1,"vetting":1,"via":10,"vibe":1,"video":2,"vism":1,"viveka":1,"vs":2,"walkthrough":1,"wasm":2,"wcag":2,"we":10,"web":2,"website":1,"weeks":2,"weiley":1,"welfare":1,"wgea":1,"what":9,"when":2,"where":4,"wherever":1,"who":3,"widely":1,"wifi":1,"wiki":1,"will":11,"wiring":1,"with":27,"within":5,"without":2,"wollongong":1,"work":5,"working":2,"workplace":4,"works":2,"would":2,"wrapper":1,"x25519":1,"xlsx":1,"yes":1,"zcash":1,"zero":8,"zetl":1,"zk":13}},{"dl":4651,"n":"part3a-technical-compliance-matrix","s":"draft/part3a-technical-compliance-matrix","secs":[{"h":"Part 3a — Response Form (Technical) — Compliance Matrix — DRAFT","l":1,"t":"> Transcribe each row into the XLSX template `../attachments/04-part3a-response-technical.xlsx` — Column D = Response Compliance (drop-down: Compliant / Partially Compliant / Non-Compliant); Column E = Vendor Comments. ---"},{"h":"Biometric Capture and Liveness Detection","l":7,"t":"| # | Compliance | Vendor Comment | |---|---|---| | **LV-1** | **Compliant** | SABLE captures face embeddings via standard smartphone camera through the `sable-core/biometric` module. Image-quality scoring operates at capture time against the ISO/IEC 29794-5 image quality profile (sharpness, illumination uniformity, pose, occlusion). The quality profile output is exposed via the FFI for downstream verification. | | **LV-2** | **Compliant** | The capture SDK rejects out-of-spec frames in real time and returns user-facing guidance codes (face-too-close, face-too-far, low-light, off-axis, motion-blur, occlusion-detected). UI strings are configurable per ATO branding and language. 
Reference integrations exist today for native Swift (iOS) and Kotlin (Android); a reference MAUI implementation will be delivered alongside the MAUI bindings (see IN-1). | | **LV-3** | **Compliant** | SABLE employs an **active spatial-flash presentation-attack detection** technique adapted from Tang et al., NDSS 2018, *\"Face Flashing: a Secure Liveness Detection Protocol based on Light Reflections\"*. The device screen flashes a split-screen pattern of computer-derived colours over 3 rounds; the camera captures how the flash reflects off the user's face. A real 3D face reflects the split-pattern differently in upper vs lower regions (forehead vs chin); a flat photo or screen replay reflects identically. Cosine-similarity between regional delta vectors discriminates 3D from 2D presentation. | | **LV-4** | **Compliant** | Capture, PAD, and Halo2 proof generation execute in a **single continuous on-device pipeline** that takes approximately 10 seconds end-to-end (3 spatial-flash rounds at ~2.5 s each + ~250 ms proof generation). The proof cryptographically binds the captured biometric features, the per-region PAD reflectance fingerprints, and the session-binding nonce — they cannot be decoupled or replayed independently. | | **LV-5** | **Partially Compliant** | The spatial-flash technique is a published, peer-reviewed PAD methodology with demonstrated effectiveness against photo, video, and screen-replay attacks. **Formal ISO/IEC 30107-3:2023 EAL-2 (Level B) testing by a qualified third-party laboratory has not yet been undertaken;** Anuna Research Cooperative commits to engaging an **ILAC-accredited testing laboratory with the required ISO/IEC 30107 scope** for formal certification within 3-4 months and budgets ~AUD 60-100 k for this activity. No lab arrangement is in place at the RFI stage; specific lab selection would be a procurement-stage activity. 
Per Addendum 1 Q1, the test report will document: accreditation scope, test methodology, ISO/IEC 30107 version used, PAD assurance level assessed, and any limitations or exclusions. Internal red-team test results against printed photos, phone-screen replays, video replays, and 3D-printed masks available on request. | | **LV-6** | **Partially Compliant** | As LV-5. Anuna Research Cooperative will provide an ILAC-accredited third-party PAD test report inside a procurement evaluation phase, evidencing the body's qualifications, accreditation scope, test methodology, ISO/IEC 30107 version, PAD assurance level, and any limitations per Addendum 1 Q1. Vendor self-assessment evidence is available immediately. |"},{"h":"Technical Verification and Biometric Binding","l":18,"t":"| # | Compliance | Vendor Comment | |---|---|---| | **TV-1** | **Partially Compliant** | ICAO Doc 9303 NFC ePassport verification (BAC / PACE, Active Authentication, Document Signer Certificate validation, Master List handling, CRL checking) is **not yet shipped in SABLE core**. The `sable-core/attestation` module is architected to support X.509-style chain validation; ICAO 9303 PKI verification adds approximately 8-12 weeks of development effort. Implementation will leverage proven open-source libraries (jMRTD on Android, libICAOCertificate on iOS) wrapped through our FFI. Commitment to deliver inside a procurement evaluation phase. | | **TV-2** | **Compliant** | The **single continuous on-device pipeline** binds biometric capture, presentation-attack detection, and credential binding into one atomic Halo2 proof. PAD operates at point of capture; the entire pipeline runs to completion before any proof is submitted for verification. Data from both the data-capture subsystem (camera EXIF metadata, frame timing, sensor confidence scores) and system-level monitoring (challenge nonce binding, device attestation key signatures) feed the Halo2 circuit per ISO/IEC 30107-1. 
| | **TV-3** | **Partially Compliant** | Formal FMR / FNMR benchmarking against ISO/IEC TS 19795-9:2019 protocol with 90 % confidence interval is **not yet completed**. SABLE's matching uses Pedersen-committed Poseidon-hashed 1024-dimension face embeddings with a configurable Hamming-distance threshold inside the Halo2 circuit. Matching accuracy depends primarily on the embedding extractor model; we propose using a state-of-the-art extractor (e.g. ArcFace / MagFace) tuned to the operational target. Anuna Research Cooperative commits to running a formal ISO/IEC TS 19795-9 evaluation **against a representative diverse cohort per the Digital ID Accreditation Data Standards** — including individuals with disability, individuals with diverse abilities (including ability to use technology), and individuals across a diverse range of age, gender, and ethnicity (Addendum 1 Q2) — using a combination of IJB-C / MS-Celeb-1M demographic-balanced subsets and an Australian-cohort sample. FMR/FNMR reported at 90 % CI within the procurement evaluation window (4-6 weeks). The benchmark applies to **the SABLE matching algorithm** (not to the FVS algorithm). |"},{"h":"Scalability, Performance, Availability","l":26,"t":"| # | Compliance | Vendor Comment | |---|---|---| | **S-1** | **Compliant** | Halo2 verification is **stateless** (no session affinity, no shared memory, no in-flight state). The proposed SaaS verification endpoint runs as a horizontally-scaled EKS deployment behind an Application Load Balancer in AWS `ap-southeast-2`. Capacity scales linearly with pod count; autoscaling responds to request-per-second and p95-latency metrics. | | **S-2** | **Compliant** | The proposed deployment **wraps the open-source SABLE library as a hosted SaaS verification service** on AWS Sydney. The library remains client-side (embedded in the myID app); only the ZK proof and metadata reach the SaaS. 
| | **P-1** | **Compliant** | 10 000 verifications/hour = ~2.8 verifications/second average peak; Halo2 verification on a single AWS Graviton3 `m7g.medium` instance benchmarks at ~1.8 ms per proof (single-threaded), enabling > 500 verifications/second per instance — three orders of magnitude headroom against the stated peak load. P95 latency budget of ≤ 1000 ms is comfortable: ~1.8 ms verification + ~10-15 ms network round-trip from ATO infrastructure inside `ap-southeast-2` + ~5 ms application overhead = ~30 ms total p95. | | **P-2** | **Compliant** | We provide as part of this response: (i) **measured verification latency distributions** on Apple Silicon, AWS Graviton3, and Intel Xeon reference platforms with histogram + tail-latency analysis; (ii) **AWS infrastructure design** — VPC with three-AZ EKS cluster, ALB with health-checked targets, CloudFront for static assets, RDS for audit only (no PII), KMS for envelope encryption, AWS PrivateLink endpoint to ATO VPC; (iii) **Software Capacity Plan** projecting capacity at 1×, 10×, 100×, 1000× the stated peak load (50 000 verifications/hour, 500 000/hour, 5 M/hour, 50 M/hour) with associated EKS node sizing, RDS storage, and estimated monthly AWS spend at each tier. | | **A-1** | **Compliant** | The proposed deployment is a Multi-AZ EKS in `ap-southeast-2` (Sydney) across three Availability Zones; ALB health checks every 5 seconds with 2-failure deregistration; RDS Multi-AZ with synchronous standby; RTO < 5 minutes; RPO = 0 for the audit log. Committed SLA: **99.95 % monthly uptime**. As a bonus, SABLE's on-device capture / PAD / proof-generation pipeline is **100 % available offline** — only final verification touches the SaaS, so user-facing failures are limited to the few seconds of network call. 
|"},{"h":"Hosting and Integration","l":36,"t":"| # | Compliance | Vendor Comment | |---|---|---| | **H-1** | **Compliant** | The proposed deployment is a cloud-hosted SaaS on **AWS Sydney** (`ap-southeast-2`), vendor-managed by Anuna Research Cooperative. Three environments (Production, Staging, Development) in separate AWS accounts; AWS Organizations SCPs prevent replication outside `ap-southeast-2`. | | **H-2** | **Compliant** | Per Addendum 1 Q3, we describe **two supported deployment models** and let the ATO select the preferred path during a procurement-stage design activity. **Model 1 — Vendor-managed SaaS (default proposal):** Anuna Research Cooperative operates the Verification Service in `ap-southeast-2`; ATO connects via a **VPC Endpoint Service / AWS PrivateLink** to the SABLE Verification API — no internet egress, no public endpoint, no Transit Gateway. ATO-side dependencies: VPC Endpoint creation, IAM cross-account role for telemetry export, DNS resolver entry (~1-day ATO ops effort). Security controls: TLS 1.3 + mTLS + IAM least-privilege + WAF + GuardDuty. **Model 2 — ATO-managed in ATO AWS environment:** SABLE Verification Service deployed as a Helm chart on the ATO's EKS cluster via Anuna-supplied Terraform; ATO owns infrastructure, security baseline, and patching cadence; Anuna provides licensed software, container images, support, release management, and operational runbooks. ATO-side dependencies: EKS cluster, ALB, IAM provisioning, container registry, monitoring stack. Operational implications (Model 2): ATO assumes infrastructure / IRAP boundary; Anuna's IRAP cert is for the software component; combined IRAP scope must be negotiated; commercial impact: lower SaaS subscription, higher implementation + support fee. | | **IN-1** | **Partially Compliant** | SABLE has FFI for Android (JNI) and iOS (Swift). 
**Microsoft MAUI bindings have not yet been published** but are mechanical to generate: SABLE core exposes a C ABI via `cbindgen`, on top of which a .NET P/Invoke layer + MAUI NuGet package can be built. Effort estimate: **4-6 weeks** including a sample MAUI integration project and unit-test coverage. Anuna Research Cooperative commits to delivering MAUI bindings inside a procurement evaluation phase. | | **IN-2** | **Compliant** | The SABLE web frontend (`demo/web/`) runs **Halo2 proof generation in-browser via WASM**, with camera capture via `getUserMedia` and spatial-flash liveness via the browser canvas. Verified working in **Chrome, Safari, Edge, Firefox** on desktop and mobile. Browser-based path is fully feature-equivalent to the native iOS / Android implementation. | | **IN-3** | **Compliant** | The verification endpoint is **stateless** — no server affinity, no sticky sessions, no in-memory request state. Any request can hit any pod. Session-binding nonces are validated cryptographically inside the proof, not against server-side state. | | **IN-4** | **Compliant** | Deployment is **fully Infrastructure-as-Code** (Terraform modules provided as part of the delivered software package); the ATO can run `terraform apply` against its AWS account for a silent automated deployment. CI pipelines (GitHub Actions templates) provided. Per-environment configuration via SSM Parameter Store + sealed-secrets pattern. | | **IN-5** | **Partially Compliant — Desirable** | **Most directly relevant delivery-capability reference:** **Bangsamoro Autonomous Region in Muslim Mindanao (BARMM), Philippines** — Anuna Research Cooperative is the delivery partner building eGov services for the BARMM regional government, with scope spanning digital identity, citizen-facing eGov service delivery, and transformation advisory. 
**Production go-live: July 2026.** This is a government-of-government digital identity and eGov programme delivered end-to-end by Anuna with the same cooperative practitioner team that would deliver any ATO SABLE engagement. BARMM does not currently deploy SABLE; future SABLE deployment at BARMM is a candidate natural extension. By the time any post-RFI ATO procurement stage commences, BARMM will be in production with months of operational track record as evidence of delivery capability. **International interest in SABLE specifically:** Anuna is in early dialogue with **Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI)** about the SABLE approach. **Adjacent enterprise / public-sector references:** UK Government Digital Service (GovUK), CSIRO Data61, Microsoft, Autodesk, Suncorp, IAG, Telus, Telefónica. References available on request. We also offer a **paid Proof-of-Concept against ATO's existing myID test cohort** as the most decisive direct evidence for SABLE specifically in the ATO context. |"},{"h":"Security and Confidentiality","l":48,"t":"| # | Compliance | Vendor Comment | |---|---|---| | **SC-1** | **Partially Compliant** | The SaaS shell will be designed against the **PSPF, ISM, and Essential 8** from day one: multi-factor admin authentication, application allow-listing on production hosts, daily backups, ~daily patching cadence with 4-hour-Critical SLA, OS hardening per ASD STIG profiles, etc. **Full IRAP assessment** evidencing compliance is a procurement-stage activity; commitment to engage an IRAP assessor inside the procurement evaluation phase. | | **SC-2** | **Compliant** | SABLE's defining property is that **biometric data never leaves the user's device**. APP 1 (open and transparent management of personal information): SABLE is open-source and fully auditable. APP 3 (collection of solicited PI): we collect only the ZK proof + minimal metadata, never the biometric. 
APP 5 (notification of collection): the on-device capture flow surfaces a clear privacy notice. APP 6 (use and disclosure): the ZK proof reveals only the verification outcome plus selectively-disclosed predicates. APP 11 (security of PI): biometric data is committed-and-hidden in Pedersen commitments — even a total SaaS compromise exposes no biometric data. APP 12-13 (access and correction): users hold their own biometric template; ATO never has it to access or correct. | | **SC-3** | **Partially Compliant — Desirable** | SABLE uses **BLS12-381** (128-bit security level, widely deployed, foundational to Zcash and Ethereum BLS signatures), **Poseidon** (peer-reviewed ZK-friendly hash), **ChaCha20-Poly1305** (NIST / ISM-listed AEAD), and **X25519** (NIST / ISM-listed ECDH). BLS12-381 is **not yet on the ASD HACE catalogue** but is aligned with NIST PQC and IETF CFRG positions. Where strict HACE compliance is required, Anuna Research Cooperative will provide a **parallel cryptographic path** using ASD-approved primitives (P-256 with SHA-256 in classical-only mode) for environments that require it. | | **SC-4** | **Compliant — Desirable** | The Halo2 ZK proof IS the integrity control. The proof cryptographically binds (a) the captured biometric features, (b) the PAD liveness fingerprints, (c) the session-binding nonce, and (d) any selectively-disclosed credential attributes — a single ~2 KB proof. Tampering with any component invalidates the proof; the verifier cannot be deceived by altered client-side data. | | **SC-5** | **Compliant** | **Personal Information never crosses the boundary at all.** Per Addendum 1 Q11, SC-5 applies to the **full delivery chain** — subcontractors, sub-processors, PAD providers, hosting providers, support providers, telemetry, logging. 
SABLE's architecture means **no party in our delivery chain ever processes Personal Information**: biometric data never leaves the user's device; the ZK proof carries no PI; the SaaS endpoint receives no PI; subcontractors (NV1 support, managed SOC) operate on non-PI operational telemetry only; AWS Sydney is the sole infrastructure provider and `ap-southeast-2` is the sole region with SCP-enforced no-replication-out. Only the ZK proof, the session-binding nonce, and (optionally) selectively-disclosed predicates traverse the network. The SaaS verification endpoint cannot reconstruct biometric data even with full database access. Operational telemetry (request counts, latency histograms) contains no PI. This is a structurally stronger position than the \"PAD vendor on Australian infrastructure\" scenario clarified in Addendum 1 Q11 — we have no PI-touching PAD vendor in our chain because PAD runs on the user's device. | | **SC-6** | **Partially Compliant** | **PROTECTED-level ISM certification not yet held.** Per Addendum 1 Q10, the proposed **IRAP assessment scope** includes: (a) production platform — SABLE Verification Service in `ap-southeast-2`; (b) management plane — admin console, deployment pipelines; (c) support portal — ServiceNow-based ticket / incident portal; (d) administrative tooling — IAM, KMS, CI/CD, observability stack; (e) integrations — PrivateLink endpoint, log-shipping pipeline to ATO SIEM; (f) logging / monitoring — CloudWatch, GuardDuty, audit S3 buckets; (g) connected environments — Anuna corporate Atlassian / GitHub Enterprise where source-of-truth lives. **Current assessment status:** no IRAP assessment commenced; commitment to engage an IRAP assessor inside the procurement evaluation phase. **Residual gaps:** all ISM controls untested by IRAP; mitigated by ISM-first design from day one of the SaaS build. 
**Timeline:** IRAP assessment + PROTECTED certification estimated at 6-8 months elapsed, aligned with production-readiness milestones; spend ~AUD 150-250 k. The architecturally-minimised attack surface (no PI server-side; stateless verification; open-source codebase) materially simplifies the IRAP path. | | **SC-7** | **Compliant** | All Personal data and ATO operational data hosted in **`ap-southeast-2`** (AWS Sydney). AWS Organizations SCPs enforce data sovereignty: no replication, no snapshot copy, no S3 cross-region transfer outside `ap-southeast-2`. AWS Sydney holds **Certified Strategic Hosting Provider** classification under the Data Hosting Certification Framework. | | **SC-8** | **Compliant — Desirable** | Full **Software Bill of Materials (SBOM)** produced via `cargo cyclonedx` and `npm sbom` for each release, listing every dependency, version, licence, and access scope. Third-party components in SABLE: Halo2 (PSE / Zcash), Poseidon (academic reference), ChaCha20-Poly1305 (RustCrypto), X25519 (RustCrypto), JNI bindings (open-source). No third-party components have access to user biometric data. SBOM published with every release artefact. |"},{"h":"Operations, Vendor Implementation Support & Maintenance, Maintainability","l":61,"t":"> *Implementation note for the proposed SaaS Verification Service: SABLE (the library) is a pre-production open-source project today; the SaaS Verification Service is the proposed commercial wrapper that would be built to deliver SABLE for ATO myID. The operational descriptions below describe the **proposed production architecture and operating model**; specific commitments (SLAs, support staffing, named on-call) will be operationalised during the procurement evaluation phase and in proportion to the ATO scope. 
Anuna Research Cooperative's existing operational practices for its software portfolio inform the design.* | # | Compliance | Vendor Comment | |---|---|---| | **OP-1** | **Compliant** | The proposed production architecture is a standard three-environment design (Production, Staging, Development) with isolation enforced at the AWS account level. 24×7 monitoring via Amazon CloudWatch + an Australian on-call paging provider; a named L2 / L3 on-call rota will be in place at production go-live, scaled in proportion to the ATO contract scope (founder + cleared-subcontractor team per OP-9). | | **OP-2** | **Compliant — Desirable** | The SABLE library already uses GitHub Actions CI/CD; the proposed SaaS deployment pattern uses GitHub Actions to spin up **ephemeral per-PR test environments** via Terraform, with integration tests on PR open and on merge to `main`, and per-environment teardown after PR close. | | **OP-3** | **Compliant** | Data sovereignty will be enforced via AWS Organizations Service Control Policies preventing replication outside `ap-southeast-2`. Real-time service status will be exposed via internal Amazon CloudWatch dashboards and a public status page for the ATO operations team. | | **OP-4** | **Compliant** | The proposed architecture uses Amazon CloudTrail to record every API call and every privileged administrative operation; Amazon GuardDuty for anomaly detection; AWS Config for configuration drift; and logs shipped to a dedicated audit S3 bucket with Object Lock for immutability. | | **OP-5** | **Compliant** | Access will be enforced at **two layers**: (a) the VPC PrivateLink endpoint (restricted to the ATO VPC by Endpoint Policy); (b) the application authentication layer (mTLS client-certificate authentication, with ATO IP ranges as an additional allow-list). All IP ranges regionally localised to Australia. 
| | **OP-6** | **Compliant — Desirable** | Per Addendum 1 Q14, this requirement is for **organisational and operational controls**, not clinical assessment. Anuna Research Cooperative's practice (proportionate to its current scale, with documented uplift planned in parallel with any ATO engagement) covers: (a) **security awareness training** for all personnel including ACSC Essential 8 awareness, social-engineering and coercion-resistance content; (b) **escalation pathways** documented in the security policy; (c) **welfare / supervision processes** — regular 1:1s, peer support, referral pathways; (d) **privileged access monitoring** via AWS CloudTrail + GuardDuty; (e) **separation of duties** for sensitive operations (release approval requires two signatories; key-management operations require dual control); (f) **peer review** for sensitive actions (all production-affecting changes require code review + change-management approval); (g) **incident reporting** via documented runbook with mandatory disclosure to the ATO Security Officer; (h) **unusual access / behaviour detection** via GuardDuty + CloudWatch Insights anomaly alerts. For ATO scenarios requiring greater scale, Anuna will partner with an Australian managed-SOC provider for managed insider-risk monitoring (no such arrangement is in place at the RFI stage; partner identification a procurement-stage activity). | | **OP-7** | **Compliant** | The proposed architecture wires Amazon EventBridge → Amazon SNS → on-call paging for high-risk patterns: PAD failure clusters (potential ongoing attack), brute-force enrolment attempts, geographic anomalies, request-rate anomalies, anomalous proof-verification failure rates. Target detection latency: < 1 minute. 
| | **OP-8** | **Compliant — Desirable** | Tiered alerting (Critical / High / Medium / Low) with per-tier response SLAs; anomalous access patterns (unexpected geographic origin, unusual time-of-day patterns, sudden burst of failed authentications) trigger automatic risk-tier escalation. Data-loss-prevention is structurally addressed: there is no PI server-side to lose. | | **OP-9** | **Partially Compliant** | Per Addendum 1 Q9, NV1-cleared support is required **before personnel access PROTECTED / production systems, no later than production go-live**. **Current clearance status:** Anuna Research Cooperative personnel hold no current NV1 clearance; no subcontractor arrangement is in place at the RFI stage. **Sponsorship plan:** Anuna Research Cooperative will (a) sponsor founder Hugo O'Connor for NV1 directly via AGSVA (~12 months elapsed); and (b) in parallel, engage an **Australian Security Vetting Agency–cleared support subcontractor** for immediate L2 / L3 access from a cleared pool, ensuring no gap between contract signing and production go-live. Partner identification, due diligence, and contracting would be a procurement-stage activity. **Interim arrangements** (per Addendum 1 Q9 mitigation menu): restricted-access role design (cleared subcontractor handles any access to PROTECTED data; uncleared Anuna engineers limited to non-PROTECTED development); supervised access (any uncleared Anuna access happens with cleared subcontractor supervision); role separation (no Anuna engineer holds keys to ATO production systems until cleared); deferral of access until clearance is granted. ISM-compliant incident management via an IRAP-assessed Australian incident portal. 
| | **OP-10** | **Partially Compliant** | Anuna Research Cooperative will provide: (a) a **dedicated helpdesk** with named L2 / L3 engineers, P1-to-P4 tiered SLAs, response-time commitments; (b) a **public fraud-prevention roadmap** covering deepfake detection improvements, post-quantum migration, multi-spectral liveness; (c) **knowledge-transfer commitment** via documentation, on-site workshops, pair-programming during transition. **Government identity systems experience:** Anuna is currently delivering eGov services (digital identity, citizen services, advisory) for the **Bangsamoro Autonomous Region in Muslim Mindanao (BARMM)** — production go-live July 2026; this is direct end-to-end government identity / eGov delivery with the same practitioner team. BARMM does not currently deploy SABLE; future SABLE deployment at BARMM is a candidate natural extension. Adjacent context: UK Government Digital Service (GovUK), CSIRO Data61; early dialogue with Germany's BSI on the SABLE approach. This RFI represents our first direct **Australian federal** government identity engagement; paid PoC against the myID test cohort offered as the most decisive evidence for SABLE in the ATO-specific context. **Security certifications experience:** held within the team across prior commercial engagements. **SLA management and governance:** documented runbooks, monthly governance reviews, quarterly executive reviews for Mission-Critical tier. | | **VISM-1** | **Compliant** | Helpdesk via a dedicated support email and Australian-hosted status page; **proposed tiered SLAs** with per-tier response-time commitments (indicative: P1 1-hour acknowledge / 4-hour update; P2 4-hour / 24-hour; P3 24-hour; P4 best-effort). Specific SLA levels confirmed in any procurement stage. | | **VISM-2** | **Compliant** | The SABLE library has a full public `docs/` tree (technical specifications, API references, deployment guides) at [codeberg.org/anuna/sable](https://codeberg.org/anuna/sable). 
Ops runbooks for the SaaS Verification Service will be ATO-private and version-controlled in a dedicated GitOps repository. | | **VISM-3** | **Compliant** | Anuna Research Cooperative's commitment for the production deployment: monthly minor-version cadence; weekly dependency patching via Dependabot + Renovate; CVE response SLA of 4-hour triage / 24-hour patch for Critical, 7 days for High, 30 days for Medium. Published patching schedule. | | **VISM-4** | **Compliant** | Ongoing platform maintenance is in commercial scope: dependency patching, ZK circuit revisions as cryptographic best practice evolves, ASD HACE catalogue updates, ISM control delta tracking, AWS service deprecation migration. | | **VISM-5** | **Compliant — Desirable** | Public roadmap maintained alongside the SABLE library on Codeberg. Already on the roadmap: **BBS+ Verifiable Credentials** with selective disclosure; **post-quantum migration** (CRYSTALS-Dilithium signature path; hash-based commitment alternatives for cryptography); **multi-spectral liveness** (IR camera path for higher-assurance PAD); **continuous authentication** (behavioural-biometric layer). | | **VISM-6** | **Partially Compliant — Desirable** | Anuna Research Cooperative's **current BARMM (Philippines) eGov programme** — production go-live July 2026 — is direct implementation of a government-of-government digital identity / eGov system (digital identity, citizen services, advisory; BARMM does not currently deploy SABLE). Adjacent government-context experience includes UK Government Digital Service (GovUK) and CSIRO Data61. Early international dialogue on the SABLE approach with Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI). **No prior implementation of biometric identity systems in Australian federal government specifically**; the closest direct evidence available to either party in this RFI window is a **paid Proof-of-Concept against ATO's myID test cohort** — we offer this. 
| | **VISM-7** | **Compliant — Desirable** | Active research programme at Anuna Research Cooperative. Emerging-technology recommendations: (a) **post-quantum identity** via NIST PQC integration (CRYSTALS-Dilithium, CRYSTALS-Kyber, SPHINCS+); (b) **zero-knowledge KYC** (proving identity properties without revealing identity itself); (c) **offline-first identity proofs** for low-connectivity / disaster-recovery scenarios; (d) **homomorphic-encrypted biometric matching** as a complementary capability where on-device proof generation is not feasible; (e) **international interoperability of open-source identity primitives** — SABLE being Apache 2.0 enables interoperability with any other government adopting the same primitives; candidate future adopters include Anuna's existing BARMM (Philippines) eGov engagement as a natural extension, European public-sector identity stakeholders (early dialogue with Germany's BSI), Pacific / SEA governments, and adjacent use cases (age verification, healthcare, building access) where the privacy-by-construction property is valuable. | | **M-1** | **Compliant** | See VISM-3. `cargo audit` runs in CI on every PR; out-of-date dependencies block merges to `main`. Third-party JavaScript dependencies (web frontend) tracked via `npm audit` with similar gating. |"},{"h":"Reporting and Monitoring","l":86,"t":"| # | Compliance | Vendor Comment | |---|---|---| | **RM-1** | **Compliant** | All API activity, configuration changes, and security-relevant events logged via **Amazon CloudWatch Logs**. Optional log-shipping to ATO's SIEM via Amazon Kinesis Firehose → ATO endpoint (Splunk HEC, Azure Sentinel HTTPS, custom). | | **RM-2** | **Compliant** | **Amazon CloudWatch** + **Grafana** dashboards out-of-the-box: capture-time distribution, PAD pass/fail rates by region and device type, FMR/FNMR over time, regional latency percentiles, error rates, throughput. ATO can customise via Grafana with read access to underlying CloudWatch metrics. 
| | **RM-3** | **Compliant** | ATO read-access via **IAM cross-account roles**: read access to CloudWatch Logs Insights, read access to S3 audit-log bucket. Sample CloudWatch Logs Insights queries provided in the runbook for: \"all verification failures in last 24h\", \"PAD failure clusters by device model\", \"p99 latency by region\", etc. | | **RM-4** | **Compliant** | Native integration with: **Amazon CloudWatch** (default), **Datadog** (via AWS Lambda forwarder), **Splunk** (via HTTP Event Collector), **ATO existing SIEM** (via Kinesis Firehose log-shipping). Custom integrations supported via standard CloudWatch metric streams and OpenTelemetry. |"},{"h":"User Experience and Accessibility","l":95,"t":"| # | Compliance | Vendor Comment | |---|---|---| | **UX-1** | **Compliant** | **Mobile-first** capture flow + responsive web fallback. Native iOS / Android implementations are first-class; the WASM web build is verified on phones, tablets, desktops with viewport-aware layout, touch-first controls, and progressive enhancement. | | **UX-2** | **Compliant** | The SABLE demo (`demo/web/`) and reference iOS / Android integrations carry **UI standards** for the capture flow (typography, colour palette, iconography, error-state design) and **user-flow documentation** for Enrolment, Authentication, Account Recovery, and Error States. ATO-branded Figma library + Accessibility Mode flow maps will be produced as part of the WCAG 2.1 AA delivery package (see UX-3). | | **UX-3** | **Partially Compliant** | Capture flow uses standard form patterns + ARIA labels + sufficient contrast ratios. **Formal WCAG 2.1 AA audit** by an accredited Australian accessibility audit firm is **not yet completed** (no audit firm arrangement in place at the RFI stage; firm selection a procurement-stage activity). Commitment to complete audit + remediation within 4-6 weeks. 
Accessibility-mode liveness alternative (audio prompts, larger UI elements, single-flash colour challenge, screen-reader-friendly flow) on the roadmap for users with visual / motor / cognitive needs. | | **UX-4** | **Compliant** | Branding (colours, fonts, logos), copy (multi-language), capture-flow step sequencing, challenge parameters (flash duration, number of rounds, threshold tightness) are all **configuration-driven, not code changes**. ATO branding can be applied without engaging Anuna Research Cooperative engineering. | ---"},{"h":"Compliance Summary","l":106,"t":"(Reflects Addendum 1 clarifications — see [[addenda-clarifications]].) | Category | Compliant | Partially Compliant | Non-Compliant | |---|---:|---:|---:| | LV (Liveness) | 4 | 2 | 0 | | TV (Technical Verification) | 1 | 2 | 0 | | S / P / A | 5 | 0 | 0 | | H / IN | 5 | 2 | 0 | | SC (Security) | 5 | 3 | 0 | | OP / VISM / M | 15 | 3 | 0 | | RM | 4 | 0 | 0 | | UX | 3 | 1 | 0 | | **Total** | **42** | **13** | **0** | (OP-6 was Partially Compliant in the initial draft; Addendum 1 Q14 clarifies the requirement is for organisational controls — Anuna Research Cooperative is Compliant on the reframed requirement.) **Zero Non-Compliant** requirements. **13 Partially Compliant** requirements all have explicit remediation paths and timelines — see [[gaps-and-risks]] for the consolidated remediation programme. 
--- > *End of Part 3a draft.*"}],"tf":{"0":13,"000":3,"1":41,"10":5,"100":3,"1000":2,"1024":1,"11":1,"12":3,"128":1,"13":3,"15":2,"150":1,"19795":2,"1m":1,"1s":1,"2":24,"2018":1,"2019":1,"2023":1,"2026":3,"24":4,"24h":1,"250":2,"256":2,"29794":1,"2d":1,"3":19,"30":2,"30107":5,"381":2,"3a":2,"3d":3,"4":17,"42":1,"5":17,"50":2,"500":2,"509":1,"6":10,"60":1,"7":5,"8":9,"9":4,"90":2,"9303":2,"95":1,"99":1,"a":68,"aa":2,"abi":1,"abilities":1,"ability":1,"about":1,"academic":1,"access":21,"accessibility":4,"account":5,"accounts":1,"accreditation":3,"accredited":3,"accuracy":1,"acknowledge":1,"across":3,"acsc":1,"actions":4,"active":3,"activity":8,"adapted":1,"addenda":1,"addendum":12,"additional":1,"addressed":1,"adds":1,"adjacent":4,"admin":2,"administrative":2,"adopters":1,"adopting":1,"advisory":3,"aead":1,"affecting":1,"affinity":2,"after":1,"against":12,"age":2,"agency":1,"agsva":1,"al":1,"alb":3,"alerting":1,"alerts":1,"algorithm":2,"aligned":2,"all":10,"allow":2,"alongside":2,"already":2,"also":1,"altered":1,"alternative":1,"alternatives":1,"amazon":10,"an":13,"analysis":1,"and":75,"android":6,"anomalies":2,"anomalous":2,"anomaly":2,"anuna":32,"any":14,"apache":1,"api":4,"app":7,"apple":1,"application":4,"applied":1,"applies":2,"approach":3,"approval":2,"approved":1,"approximately":2,"arcface":1,"architected":1,"architecturally":1,"architecture":5,"are":6,"aria":1,"arrangement":4,"arrangements":1,"art":1,"artefact":1,"as":16,"asd":4,"assessed":2,"assessment":7,"assessor":2,"assets":1,"associated":1,"assumes":1,"assurance":3,"at":20,"atlassian":1,"ato":41,"atomic":1,"attack":4,"attacks":1,"attempts":1,"attestation":1,"attributes":1,"aud":2,"audio":1,"audit":9,"auditable":1,"australia":1,"australian":10,"authentication":6,"authentications":1,"autodesk":1,"automated":1,"automatic":1,"autonomous":2,"autoscaling":1,"availability":2,"available":5,"average":1,"aware":1,"awareness":2,"aws":23,"axis":1,"az":3,"azure":1,"b":8,"bac":1,"backups":1,"balanced":1,"balancer":1,"ba
ngsamoro":2,"barmm":11,"based":4,"baseline":1,"bbs":1,"be":18,"because":1,"been":2,"before":2,"behaviour":1,"behavioural":1,"behind":1,"being":1,"below":1,"benchmark":1,"benchmarking":1,"benchmarks":1,"best":2,"between":2,"bill":1,"binding":7,"bindings":4,"binds":3,"biometric":16,"bit":1,"block":1,"bls":1,"bls12":2,"blur":1,"body":1,"bonus":1,"both":1,"boundary":2,"box":1,"branded":1,"branding":3,"browser":3,"brute":1,"bsi":4,"bucket":2,"buckets":1,"budget":1,"budgets":1,"build":2,"building":2,"built":2,"bundesamt":2,"burst":1,"but":2,"by":13,"c":7,"cadence":3,"call":6,"camera":5,"can":5,"candidate":3,"cannot":3,"canvas":1,"capability":3,"capacity":3,"capture":15,"captured":2,"captures":2,"carries":1,"carry":1,"cases":1,"catalogue":2,"category":1,"cd":2,"celeb":1,"cert":1,"certificate":2,"certification":4,"certifications":1,"certified":1,"cfrg":1,"chacha20":2,"chain":4,"challenge":3,"change":1,"changes":3,"chart":1,"checked":1,"checking":1,"checks":1,"chin":1,"chrome":1,"ci":5,"circuit":3,"citizen":3,"clarifications":2,"clarified":1,"clarifies":1,"class":1,"classical":1,"classification":1,"clear":1,"clearance":3,"cleared":7,"client":3,"clinical":1,"close":2,"closest":1,"cloud":1,"cloudfront":1,"cloudtrail":2,"cloudwatch":11,"cluster":3,"clusters":2,"code":3,"codebase":1,"codeberg":3,"codes":1,"coercion":1,"cognitive":1,"cohort":5,"collect":1,"collection":2,"collector":1,"colour":2,"colours":2,"column":2,"combination":1,"combined":1,"comfortable":1,"commenced":1,"commences":1,"comment":8,"comments":1,"commercial":4,"commitment":7,"commitments":4,"commits":3,"committed":3,"complementary":1,"complete":1,"completed":2,"completion":1,"compliance":13,"compliant":66,"component":2,"components":2,"compromise":1,"computer":1,"concept":2,"confidence":2,"confidentiality":1,"config":1,"configurable":2,"configuration":4,"confirmed":1,"connected":1,"connectivity":1,"connects":1,"connor":1,"console":1,"consolidated":1,"construction":1,"container":2,"contains":1,"content":1,"context
":4,"continuous":3,"contract":2,"contracting":1,"contrast":1,"control":4,"controlled":1,"controls":5,"cooperative":19,"copy":2,"core":2,"corporate":1,"correct":1,"correction":1,"cosine":1,"count":1,"counts":1,"coverage":1,"covering":1,"covers":1,"creation":1,"credential":2,"credentials":1,"critical":4,"crl":1,"cross":3,"crosses":1,"cryptographic":2,"cryptographically":3,"cryptography":1,"crystals":3,"csiro":3,"current":5,"currently":4,"custom":2,"customise":1,"cve":1,"d":5,"daily":2,"dashboards":2,"data":17,"data61":3,"database":1,"datadog":1,"date":1,"day":4,"days":2,"deceived":1,"decisive":2,"decoupled":1,"dedicated":4,"deepfake":1,"default":2,"deferral":1,"defining":1,"deliver":3,"delivered":3,"delivering":2,"delivery":8,"delta":2,"demo":1,"demographic":1,"demonstrated":1,"dependabot":1,"dependencies":4,"dependency":3,"depends":1,"deploy":3,"deployed":2,"deployment":13,"deprecation":1,"der":2,"deregistration":1,"derived":1,"describe":2,"descriptions":1,"design":7,"designed":1,"desirable":10,"desktop":1,"desktops":1,"detected":1,"detection":8,"development":4,"device":12,"dialogue":4,"differently":1,"digital":9,"diligence":1,"dilithium":2,"dimension":1,"direct":5,"directly":2,"disability":1,"disaster":1,"disclosed":3,"disclosure":3,"discriminates":1,"distance":1,"distribution":1,"distributions":1,"diverse":3,"dns":1,"doc":1,"document":2,"documentation":2,"documented":4,"does":3,"down":1,"downstream":1,"draft":3,"drift":1,"driven":1,"drop":1,"dual":1,"due":1,"duration":1,"during":3,"duties":1,"e":5,"each":4,"eal":1,"early":4,"ecdh":1,"edge":1,"effectiveness":1,"effort":4,"egov":8,"egress":1,"either":1,"eks":6,"elapsed":2,"elements":1,"email":1,"embedded":1,"embedding":1,"embeddings":2,"emerging":1,"employs":1,"enables":1,"enabling":1,"encrypted":1,"encryption":1,"end":7,"endpoint":12,"enforce":1,"enforced":4,"engage":3,"engagement":4,"engagements":1,"engaging":2,"engineer":1,"engineering":2,"engineers":2,"enhancement":1,"enrolment":2,"ensuring":1,"enterprise":2,"ent
ire":1,"entry":1,"envelope":1,"environment":4,"environments":4,"epassport":1,"ephemeral":1,"equivalent":1,"error":3,"escalation":2,"essential":2,"estimate":1,"estimated":2,"et":1,"etc":2,"ethereum":1,"ethnicity":1,"european":1,"evaluation":8,"even":2,"event":1,"eventbridge":1,"events":1,"ever":1,"every":6,"evidence":5,"evidencing":2,"evolves":1,"exclusions":1,"execute":1,"executive":1,"exif":1,"exist":1,"existing":4,"experience":4,"explicit":1,"export":1,"exposed":2,"exposes":2,"extension":3,"extractor":2,"f":2,"face":7,"facing":3,"factor":1,"fail":1,"failed":1,"failure":4,"failures":2,"fallback":1,"far":1,"feasible":1,"feature":1,"features":2,"federal":2,"fee":1,"feed":1,"few":1,"ffi":3,"figma":1,"final":1,"fingerprints":2,"firefox":1,"firehose":2,"firm":3,"first":6,"flash":7,"flashes":1,"flashing":1,"flat":1,"flight":1,"flow":8,"fmr":3,"fnmr":3,"fonts":1,"for":50,"force":1,"forehead":1,"form":2,"formal":5,"forwarder":1,"foundational":1,"founder":2,"frame":1,"frames":1,"framework":1,"fraud":1,"friendly":2,"from":7,"frontend":2,"full":5,"fully":3,"future":3,"fvs":1,"für":2,"g":3,"gap":1,"gaps":2,"gateway":1,"gating":1,"gender":1,"generate":1,"generation":5,"geographic":2,"germany":4,"github":4,"gitops":1,"go":6,"governance":2,"government":14,"governments":1,"govuk":3,"grafana":2,"granted":1,"graviton3":2,"greater":1,"guardduty":5,"guidance":1,"guides":1,"h":4,"hace":3,"halo2":9,"hamming":1,"handles":1,"handling":1,"happens":1,"hardening":1,"has":4,"hash":2,"hashed":1,"have":4,"headroom":1,"health":2,"healthcare":1,"hec":1,"held":2,"helm":1,"helpdesk":2,"hidden":1,"high":3,"higher":2,"histogram":1,"histograms":1,"hit":1,"hold":2,"holds":2,"homomorphic":1,"horizontally":1,"hosted":4,"hosting":4,"hosts":1,"hour":13,"how":1,"http":1,"https":2,"hugo":1,"i":1,"iag":1,"iam":5,"icao":2,"iconography":1,"id":1,"identically":1,"identification":2,"identity":15,"iec":8,"ietf":1,"ii":1,"iii":1,"ijb":1,"ilac":2,"illumination":1,"image":2,"images":1,"immediate":1,"immediately":1,"i
mmutability":1,"impact":1,"implementation":8,"implementations":1,"implications":1,"improvements":1,"in":57,"incident":4,"include":1,"includes":2,"including":4,"independently":1,"indicative":1,"individuals":3,"inform":1,"information":3,"informationstechnik":2,"infrastructure":7,"initial":1,"inside":8,"insider":1,"insights":3,"instance":2,"integration":5,"integrations":4,"integrity":1,"intel":1,"interest":1,"interim":1,"internal":2,"international":3,"internet":1,"interoperability":2,"interval":1,"into":2,"invalidates":1,"invoke":1,"ios":6,"ip":2,"ir":1,"irap":12,"is":54,"ism":8,"iso":8,"isolation":1,"it":2,"its":3,"itself":1,"javascript":1,"jmrtd":1,"jni":2,"july":3,"k":2,"kb":1,"key":2,"keys":1,"kinesis":2,"kms":2,"knowledge":2,"kotlin":1,"kyber":1,"kyc":1,"l2":3,"l3":3,"lab":2,"labels":1,"laboratory":2,"lambda":1,"language":2,"larger":1,"last":1,"latency":8,"later":1,"layer":3,"layers":1,"layout":1,"least":1,"leaves":2,"let":1,"level":7,"levels":1,"leverage":1,"libicaocertificate":1,"libraries":1,"library":7,"licence":1,"licensed":1,"light":2,"limitations":2,"limited":2,"linearly":1,"list":2,"listed":2,"listing":2,"live":6,"liveness":8,"lives":1,"load":3,"localised":1,"lock":1,"log":5,"logged":1,"logging":2,"logos":1,"logs":4,"lose":1,"loss":1,"low":3,"lower":2,"lv":8,"m":4,"magface":1,"magnitude":1,"maintainability":1,"maintained":1,"maintenance":2,"managed":6,"management":7,"mandatory":1,"maps":1,"masks":1,"master":1,"matching":4,"materially":1,"materials":1,"matrix":1,"maui":6,"means":1,"measured":1,"mechanical":1,"medium":2,"memory":2,"menu":1,"merge":1,"merges":1,"metadata":3,"methodology":3,"metric":1,"metrics":2,"microsoft":2,"migration":3,"milestones":1,"mindanao":2,"minimal":1,"minimised":1,"minor":1,"minute":1,"minutes":1,"mission":1,"mitigated":1,"mitigation":1,"mobile":2,"mode":3,"model":6,"models":1,"module":2,"modules":1,"monitoring":7,"monthly":4,"months":4,"most":3,"motion":1,"motor":1,"ms":8,"mtls":2,"multi":6,"muslim":2,"must":1,"myid":5,"named":3,
"native":4,"natural":3,"ndss":1,"needs":1,"negotiated":1,"net":1,"network":3,"never":5,"nfc":1,"nist":4,"no":33,"node":1,"non":5,"nonce":4,"nonces":1,"not":15,"note":1,"notice":1,"notification":1,"nuget":1,"number":1,"nv1":4,"o":1,"object":1,"observability":1,"occlusion":2,"of":39,"off":2,"offer":2,"offered":1,"officer":1,"offline":2,"on":38,"one":3,"ongoing":2,"only":8,"op":13,"open":9,"opentelemetry":1,"operate":1,"operates":3,"operating":1,"operation":1,"operational":10,"operationalised":1,"operations":4,"ops":2,"optional":1,"optionally":1,"or":4,"orders":1,"org":2,"organisational":2,"organizations":3,"origin":1,"os":1,"other":1,"our":4,"out":4,"outcome":1,"output":1,"outside":3,"over":2,"overhead":1,"own":1,"owns":1,"p":5,"p1":2,"p2":1,"p3":1,"p4":2,"p95":3,"p99":1,"pace":1,"pacific":1,"package":3,"pad":17,"page":2,"paging":2,"paid":3,"pair":1,"palette":1,"parallel":3,"parameter":1,"parameters":1,"part":5,"partially":17,"partner":4,"party":7,"pass":1,"patch":1,"patching":5,"path":6,"paths":1,"pathways":2,"pattern":4,"patterns":4,"peak":3,"pedersen":2,"peer":4,"per":22,"percentiles":1,"performance":1,"personal":4,"personnel":3,"phase":6,"philippines":3,"phone":1,"phones":1,"photo":2,"photos":1,"pi":9,"pii":1,"pipeline":5,"pipelines":2,"pki":1,"place":5,"plan":2,"plane":1,"planned":1,"platform":2,"platforms":1,"plus":1,"poc":1,"pod":2,"point":1,"policies":1,"policy":2,"poly1305":2,"pool":1,"portal":3,"portfolio":1,"pose":1,"poseidon":3,"position":1,"positions":1,"post":4,"potential":1,"pqc":2,"pr":4,"practice":2,"practices":1,"practitioner":2,"pre":1,"predicates":2,"preferred":1,"presentation":3,"prevent":1,"preventing":1,"prevention":2,"primarily":1,"primitives":3,"printed":2,"prior":2,"privacy":2,"private":1,"privatelink":4,"privilege":1,"privileged":2,"processes":2,"processors":1,"procurement":15,"produced":2,"production":19,"profile":2,"profiles":1,"programme":4,"programming":1,"progressive":1,"project":2,"projecting":1,"prompts":1,"proof":22,"proofs":1,"prope
rties":1,"property":2,"proportion":2,"proportionate":1,"proposal":1,"propose":1,"proposed":13,"protected":5,"protocol":2,"proven":1,"provide":4,"provided":3,"provider":4,"providers":3,"provides":1,"proving":1,"provisioning":1,"pse":1,"pspf":1,"public":7,"published":4,"q1":2,"q10":1,"q11":2,"q14":2,"q2":1,"q3":1,"q9":2,"qualifications":1,"qualified":1,"quality":3,"quantum":3,"quarterly":1,"queries":1,"range":1,"ranges":2,"rate":1,"rates":3,"ratios":1,"rds":3,"reach":1,"read":4,"reader":1,"readiness":1,"real":3,"receives":1,"recommendations":1,"reconstruct":1,"record":2,"recovery":2,"red":1,"reference":6,"references":3,"referral":1,"reflectance":1,"reflections":1,"reflects":4,"reframed":1,"region":7,"regional":3,"regionally":1,"regions":1,"registry":1,"regular":1,"rejects":1,"release":4,"relevant":2,"remains":1,"remediation":3,"renovate":1,"replay":2,"replayed":1,"replays":2,"replication":4,"report":2,"reported":1,"reporting":2,"repository":1,"representative":1,"represents":1,"request":7,"require":3,"required":3,"requirement":3,"requirements":2,"requires":1,"requiring":1,"research":19,"residual":1,"resistance":1,"resolver":1,"responds":1,"response":7,"responsive":1,"restricted":2,"results":1,"returns":1,"revealing":1,"reveals":1,"review":2,"reviewed":2,"reviews":2,"revisions":1,"rfi":7,"risk":3,"risks":1,"rm":5,"roadmap":4,"role":3,"roles":1,"rota":1,"round":1,"rounds":3,"row":1,"rpo":1,"rto":1,"run":1,"runbook":2,"runbooks":3,"running":1,"runs":5,"rustcrypto":2,"s":27,"s3":4,"saas":16,"sable":39,"safari":1,"same":3,"sample":3,"sbom":2,"sc":10,"scalability":1,"scale":2,"scaled":2,"scales":1,"scenario":1,"scenarios":2,"schedule":1,"scope":10,"scores":1,"scoring":1,"scp":1,"scps":2,"screen":6,"sdk":1,"sea":1,"sealed":1,"second":3,"seconds":3,"secrets":1,"sector":2,"secure":1,"security":12,"see":5,"select":1,"selection":2,"selective":1,"selectively":3,"self":1,"sensitive":2,"sensor":1,"sentinel":1,"separate":1,"separation":2,"sequencing":1,"server":4,"service":15,"servic
enow":1,"services":4,"session":5,"sessions":1,"sha":1,"shared":1,"sharpness":1,"shell":1,"shipped":2,"shipping":3,"sicherheit":2,"side":7,"siem":3,"signatories":1,"signature":1,"signatures":2,"signer":1,"signing":1,"silent":1,"silicon":1,"similar":1,"similarity":1,"simplifies":1,"single":6,"site":1,"sizing":1,"sla":5,"slas":4,"smartphone":1,"snapshot":1,"sns":1,"so":1,"soc":2,"social":1,"software":6,"sole":2,"solicited":1,"source":8,"sovereignty":2,"spanning":1,"spatial":4,"spec":1,"specific":4,"specifically":3,"specifications":1,"spectral":2,"spend":2,"sphincs":1,"spin":1,"split":2,"splunk":2,"sponsor":1,"sponsorship":1,"ssm":1,"stack":2,"staffing":1,"stage":12,"staging":2,"stakeholders":1,"standard":4,"standards":2,"standby":1,"state":5,"stated":2,"stateless":3,"states":1,"static":1,"status":5,"step":1,"sticky":1,"stig":1,"storage":1,"store":1,"strategic":1,"streams":1,"strict":1,"strings":1,"stronger":1,"structurally":2,"style":1,"sub":1,"subcontractor":5,"subcontractors":2,"submitted":1,"subscription":1,"subsets":1,"subsystem":1,"such":1,"sudden":1,"sufficient":1,"summary":1,"suncorp":1,"supervised":1,"supervision":2,"supplied":1,"support":12,"supported":2,"surface":1,"surfaces":1,"swift":2,"sydney":6,"synchronous":1,"system":2,"systems":4,"tablets":1,"tail":1,"takes":1,"tampering":1,"tang":1,"target":2,"targets":1,"team":6,"teardown":1,"technical":4,"technique":2,"technology":2,"telefónica":1,"telemetry":4,"telus":1,"template":2,"templates":1,"terraform":3,"test":10,"testing":2,"tests":1,"than":2,"that":5,"the":158,"their":1,"there":1,"they":1,"third":5,"this":9,"threaded":1,"three":5,"threshold":2,"through":2,"throughput":1,"ticket":1,"tier":5,"tiered":3,"tightness":1,"time":9,"timeline":1,"timelines":1,"timing":1,"tls":1,"to":49,"today":2,"too":2,"tooling":1,"top":1,"total":3,"touch":1,"touches":1,"touching":1,"track":1,"tracked":1,"tracking":1,"training":1,"transcribe":1,"transfer":2,"transformation":1,"transit":1,"transition":1,"transparent":1,"traverse":1,
"tree":1,"triage":1,"trigger":1,"trip":1,"truth":1,"ts":2,"tuned":1,"tv":4,"two":3,"type":1,"typography":1,"ui":3,"uk":3,"uncleared":2,"under":1,"underlying":1,"undertaken":1,"unexpected":1,"uniformity":1,"unit":1,"untested":1,"until":2,"unusual":2,"up":1,"update":1,"updates":1,"uplift":1,"upper":1,"uptime":1,"use":3,"used":1,"user":9,"users":2,"uses":6,"using":3,"ux":6,"validated":1,"validation":2,"valuable":1,"vectors":1,"vendor":15,"verifiable":1,"verification":27,"verifications":4,"verified":2,"verifier":1,"version":5,"vetting":1,"via":32,"video":2,"viewport":1,"vism":9,"visual":1,"vpc":6,"vs":2,"waf":1,"was":1,"wasm":2,"wcag":2,"we":7,"web":4,"weekly":1,"weeks":4,"welfare":1,"where":4,"which":1,"widely":1,"will":17,"window":2,"wires":1,"with":49,"within":4,"without":2,"working":1,"workshops":1,"would":4,"wrapped":1,"wrapper":1,"wraps":1,"x":1,"x25519":2,"xeon":1,"xlsx":1,"yet":7,"zcash":2,"zero":2,"zk":8,"zones":1}},{"dl":706,"n":"part4-financial","s":"draft/part4-financial","secs":[{"h":"Part 4 — RFI Response Form — Financial — DRAFT","l":1,"t":"> Transcribe into the DOCX template in `../attachments/05-part4-response-financial.docx`. Pricing detail is in Part 4a. ---"},{"h":"Section 1 — The Respondent","l":7,"t":"| Respondent's details | | |---|---| | Full legal name | Anuna Research Cooperative *[confirm exact registered entity name before lodgement]* | | Trading name | Anuna / Anuna Research Cooperative | | Entity structure | Australian cooperative | | Entity identifier (☒ ABN) | *[insert ABN — confirm before lodgement]* | | Country of incorporation | Australia | | Principal place of business | *[insert before lodgement]* | ---"},{"h":"Section 2 — Financial Capacity","l":20,"t":"> *RFI stage — high-level summary only. 
The ATO has indicated that full financial-capacity evidence will only be requested in any procurement stage that follows the RFI.* Anuna Research Cooperative is an **Australian cooperative** working on trustworthy AI systems, transformation advisory, and practitioner-team assembly for client engagements. Revenue is from client engagements (Microsoft, Autodesk, CSIRO Data61, Telus, Suncorp, IAG, GovUK, Kellogg, Telefónica, and others) and from open-source project work funded internally. | Item | FY2024-25 | FY2025-26 | |---|---|---| | Annual revenue (audited) | *[insert — confirm before lodgement]* | *[insert]* | | Annual operating expenses | *[insert]* | *[insert]* | | Cash on hand at year end | *[insert]* | *[insert]* | | Notes | Early-stage; revenue from research grants and commercial pilots | Forecast | Anuna Research Cooperative: - has **no material loan or finance-lease commitments**; - has **no contingent liabilities** at the date of this Response; - has **no current or threatened litigation**; - holds **business and professional indemnity insurance** appropriate to its size (to be evidenced in a procurement stage); - is a **going concern** with no indication of material uncertainty in its financial position. In a procurement stage involving a contract of material value, Anuna Research Cooperative is open to providing: - audited financial statements for the trailing two financial years; - references from prior commercial customers / research partners; - a financial-capacity declaration from a registered auditor; - if requested, a **performance bond or bank guarantee** scaled to the contract value; - if requested, a **partnership / prime-subcontractor arrangement** with a larger Australian systems integrator (no such arrangement is in place at the RFI stage; partner identification and contracting would be a procurement-stage activity if the contract scope warrants it). 
---"},{"h":"Section 3 — Pricing and Payment Basis","l":51,"t":"All pricing in Part 4a is provided on the following basis: - **Currency:** **Australian Dollars (AUD)**, GST-exclusive - **Term:** Pricing presented for an initial **12-month** subscription and for a **36-month** term option - **Indexation:** Annual indexation by lesser of CPI (Sydney All Groups) or 4 % per annum, applied at each contract anniversary - **Payment terms:** Net 30 days from valid tax invoice - **Foreign-currency exposure:** None at this time. If post-RFI scope requires foreign third-party services (e.g. an offshore third-party PAD testing laboratory) the foreign-currency component will be separately nominated per Table T1 - **Volume tiering:** Per Table T2 — pricing decreases with volume tier - **One-off costs:** Integration, training, environment setup per Table T3 - **Ongoing support:** Per Table T4 - **Labour rates:** Per Table T5 — for any incremental work outside the subscription scope ---"},{"h":"Section 4 — Response Price","l":67,"t":"**See Part 4a — Response Form — Pricing Table (XLSX) for the full pricing tables.** Summary of the pricing offer: | Component | Pricing approach | |---|---| | **SABLE library licence** | Apache 2.0 open-source — **AUD 0** per-seat / per-verification licence (the library itself remains free and open) | | **SaaS Verification Service — Production** | Subscription pricing, per-verification with tiered volume discount; see T1.2 | | **SaaS Verification Service — Non-Production** | Fixed annual fee for dev / staging environments; see T1.2 | | **One-off implementation** | Fixed-price for AWS PrivateLink wiring, MAUI bindings delivery, FMR/FNMR benchmark report, WCAG 2.1 AA audit, IRAP / PROTECTED-level certification programme; see T3 | | **Ongoing support & maintenance** | Tiered subscription (Standard / Enhanced / Mission-Critical) with SLA, on-call, and named L2/L3 engineers; see T4 | | **Labour rates** | Daily rates for: Engineer L2/L3/L4, Senior Engineer, 
Cryptography Specialist, Security Architect — for incremental scope; see T5 | Total cost of ownership for an ATO myID deployment serving 14 M-plus users will be sized in a procurement stage against the actual usage profile (peak-hour verifications, environment counts, support-tier selection, certification scope, MAUI delivery scope) and the contract vehicle terms. Anuna Research Cooperative is happy to engage in pricing conversations as part of any procurement stage; indicative line items per Part 4a (Tables T1 to T5) inform that conversation without committing to absolute totals at the RFI stage. --- > *End of Part 4 draft.*"}],"tf":{"0":2,"1":2,"12":1,"14":1,"2":5,"25":1,"26":1,"3":1,"30":1,"36":1,"4":4,"4a":4,"a":12,"aa":1,"abn":2,"absolute":1,"activity":1,"actual":1,"advisory":1,"against":1,"ai":1,"all":2,"an":4,"and":11,"anniversary":1,"annual":4,"annum":1,"anuna":7,"any":3,"apache":1,"applied":1,"approach":1,"appropriate":1,"architect":1,"arrangement":2,"as":1,"assembly":1,"at":6,"ato":2,"aud":2,"audit":1,"audited":2,"auditor":1,"australia":1,"australian":4,"autodesk":1,"aws":1,"bank":1,"basis":2,"be":5,"before":4,"benchmark":1,"bindings":1,"bond":1,"business":2,"by":1,"call":1,"capacity":3,"cash":1,"certification":2,"client":2,"commercial":2,"commitments":1,"committing":1,"component":2,"concern":1,"confirm":3,"contingent":1,"contract":5,"contracting":1,"conversation":1,"conversations":1,"cooperative":8,"cost":1,"costs":1,"country":1,"counts":1,"cpi":1,"critical":1,"cryptography":1,"csiro":1,"currency":3,"current":1,"customers":1,"daily":1,"data61":1,"date":1,"days":1,"declaration":1,"decreases":1,"delivery":2,"deployment":1,"detail":1,"details":1,"dev":1,"discount":1,"docx":1,"dollars":1,"draft":2,"e":1,"each":1,"early":1,"end":2,"engage":1,"engagements":2,"engineer":2,"engineers":1,"enhanced":1,"entity":3,"environment":2,"environments":1,"evidence":1,"evidenced":1,"exact":1,"exclusive":1,"expenses":1,"exposure":1,"fee":1,"finance":1,"financial":7,"fixed":2,"
fmr":1,"fnmr":1,"following":1,"follows":1,"for":11,"forecast":1,"foreign":3,"form":2,"free":1,"from":6,"full":3,"funded":1,"fy2024":1,"fy2025":1,"g":1,"going":1,"govuk":1,"grants":1,"groups":1,"gst":1,"guarantee":1,"hand":1,"happy":1,"has":4,"high":1,"holds":1,"hour":1,"iag":1,"identification":1,"identifier":1,"if":4,"implementation":1,"in":10,"incorporation":1,"incremental":2,"indemnity":1,"indexation":2,"indicated":1,"indication":1,"indicative":1,"inform":1,"initial":1,"insert":8,"insurance":1,"integration":1,"integrator":1,"internally":1,"into":1,"invoice":1,"involving":1,"irap":1,"is":8,"it":1,"item":1,"items":1,"its":2,"itself":1,"kellogg":1,"l2":2,"l3":2,"l4":1,"laboratory":1,"labour":2,"larger":1,"lease":1,"legal":1,"lesser":1,"level":2,"liabilities":1,"library":2,"licence":2,"line":1,"litigation":1,"loan":1,"lodgement":4,"m":1,"maintenance":1,"material":3,"maui":2,"microsoft":1,"mission":1,"month":2,"myid":1,"name":3,"named":1,"net":1,"no":5,"nominated":1,"non":1,"none":1,"notes":1,"of":10,"off":2,"offer":1,"offshore":1,"on":4,"one":2,"ongoing":2,"only":2,"open":4,"operating":1,"option":1,"or":4,"others":1,"outside":1,"ownership":1,"pad":1,"part":7,"partner":1,"partners":1,"partnership":1,"party":2,"payment":2,"peak":1,"per":10,"performance":1,"pilots":1,"place":2,"plus":1,"position":1,"post":1,"practitioner":1,"presented":1,"price":2,"pricing":11,"prime":1,"principal":1,"prior":1,"privatelink":1,"procurement":6,"production":2,"professional":1,"profile":1,"programme":1,"project":1,"protected":1,"provided":1,"providing":1,"rates":3,"references":1,"registered":2,"remains":1,"report":1,"requested":3,"requires":1,"research":8,"respondent":2,"response":4,"revenue":3,"rfi":6,"s":1,"saas":2,"sable":1,"scaled":1,"scope":6,"seat":1,"section":4,"security":1,"see":6,"selection":1,"senior":1,"separately":1,"service":2,"services":1,"serving":1,"setup":1,"size":1,"sized":1,"sla":1,"source":2,"specialist":1,"stage":10,"staging":1,"standard":1,"statements":1,"structure":1,"
subcontractor":1,"subscription":4,"such":1,"summary":2,"suncorp":1,"support":3,"sydney":1,"systems":2,"t1":4,"t2":1,"t3":2,"t4":2,"t5":3,"table":6,"tables":2,"tax":1,"team":1,"telefónica":1,"telus":1,"template":1,"term":2,"terms":2,"testing":1,"that":3,"the":18,"third":2,"this":2,"threatened":1,"tier":2,"tiered":2,"tiering":1,"time":1,"to":7,"total":1,"totals":1,"trading":1,"trailing":1,"training":1,"transcribe":1,"transformation":1,"trustworthy":1,"two":1,"uncertainty":1,"usage":1,"users":1,"valid":1,"value":2,"vehicle":1,"verification":4,"verifications":1,"volume":3,"warrants":1,"wcag":1,"will":3,"wiring":1,"with":5,"without":1,"work":2,"working":1,"would":1,"xlsx":1,"year":1,"years":1}},{"dl":893,"n":"part4a-pricing","s":"draft/part4a-pricing","secs":[{"h":"Part 4a — Pricing Tables — DRAFT","l":1,"t":"> Transcribe into the XLSX template `../attachments/06-part4a-response-pricing.xlsx`. All amounts AUD GST-exclusive unless otherwise noted. ---"},{"h":"Pricing philosophy","l":7,"t":"SABLE itself (the cryptographic library) is **Apache 2.0 open-source** — no per-seat or per-verification licence fee for the library. The commercial pricing covers: 1. The **hosted SaaS Verification Service** in AWS Sydney (`ap-southeast-2`) — verification of ZK proofs, metrics dashboards, audit logging, PrivateLink endpoint 2. **One-off implementation** — integration with ATO infrastructure, MAUI bindings, FMR/FNMR benchmark, WCAG 2.1 AA audit, IRAP / PROTECTED certification programme 3. **Ongoing support and maintenance** — tiered SLAs, dependency patching, ZK circuit revisions, AWS service migration 4. **Labour rates** — for incremental scope outside the subscription > All numbers below are **indicative for RFI purposes**; final pricing depends on procurement-stage scope, volume forecast, and contract-vehicle terms. 
---"},{"h":"T1 — Software Licensing","l":20,"t":""},{"h":"T1.1 — Perpetual licence model","l":22,"t":"| Item | Quantity | Rate (AUD) | Total (AUD) | Pricing Assumptions | |---|---:|---:|---:|---| | SABLE core library — Apache 2.0 (no licence cost) | unlimited | 0 | 0 | Library is open-source; no per-seat charge | | SABLE SaaS Verification Service — perpetual licence | N/A | N/A | N/A | SaaS is sold as subscription only — no perpetual model | | **Total perpetual licence cost** | | | **0** | | > Subscription model (T1.2) is the only commercially-available delivery model for the SaaS. The library itself remains free under Apache 2.0 indefinitely."},{"h":"T1.2 — Subscription licence model","l":32,"t":""},{"h":"SP1.2.1 — Production SaaS Verification Service (per-verification, tiered)","l":34,"t":"| Tier | Annual verification volume | Year 1 (AUD) | Year 2 (AUD) | Year 3 (AUD) | 3-year total (AUD) | |---|---|---:|---:|---:|---:| | Tier A | up to 10 M / year | *[$ TBD — to refine with co-signatory]* | *[TBD]* | *[TBD]* | *[TBD]* | | Tier B | 10 M – 50 M / year | *[TBD]* | *[TBD]* | *[TBD]* | *[TBD]* | | Tier C | 50 M – 250 M / year | *[TBD]* | *[TBD]* | *[TBD]* | *[TBD]* | | Tier D | 250 M – 1 B / year | *[TBD]* | *[TBD]* | *[TBD]* | *[TBD]* | | Tier E (myID scale) | > 1 B / year | *[TBD]* | *[TBD]* | *[TBD]* | *[TBD]* | | **Unlimited subscription** | unlimited | *[TBD]* | *[TBD]* | *[TBD]* | *[TBD]* | *Pricing assumptions:* fixed AUD; CPI/4 % indexation at anniversary; tiers based on aggregate annual verifications across all environments; tier breakpoints negotiable in a procurement stage."},{"h":"SP1.2.2 — Non-Production Environments (fixed annual fee)","l":47,"t":"| Environment | Year 1 (AUD) | Year 2 (AUD) | Year 3 (AUD) | |---|---:|---:|---:| | Development (1 instance, no SLA) | *[TBD]* | *[TBD]* | *[TBD]* | | Staging (1 instance, business-hours SLA) | *[TBD]* | *[TBD]* | *[TBD]* | | **Total** | *[TBD]* | *[TBD]* | *[TBD]* | ---"},{"h":"T2 — Tiered 
Discounts","l":57,"t":"| Volume tier | Discount on per-verification rate | |---|---:| | Tier A (≤ 10 M / yr) | List price (0 %) | | Tier B (10 M – 50 M / yr) | 15 % | | Tier C (50 M – 250 M / yr) | 30 % | | Tier D (250 M – 1 B / yr) | 45 % | | Tier E (> 1 B / yr) | 55 % | | Unlimited subscription | Capped — see SP1.2.1 | Additional discounts: - **Multi-year commitment discount** — 5 % off list for 3-year term; 8 % for 5-year - **Prepay discount** — 3 % off for annual prepay - **Government volume discount** — additional 5 % off for any Commonwealth agency engagement (excluding stacking with tier discount; whichever is greater) ---"},{"h":"T3 — One-Off Costs","l":76,"t":"| Component | Description | Indicative AUD | |---|---|---:| | **AWS PrivateLink wiring** | VPC Endpoint Service setup, IAM cross-account role configuration, DNS, validation | *[TBD]* | | **Microsoft MAUI bindings delivery** | C ABI → .NET P/Invoke → MAUI NuGet package + sample MAUI integration project + unit tests | *[TBD — 4-6 weeks]* | | **FMR/FNMR benchmark report** | ISO/IEC TS 19795-9:2019 evaluation against representative corpus, 90 % CI report | *[TBD — 4-6 weeks]* | | **WCAG 2.1 AA audit + remediation** | Audit by an accredited Australian accessibility audit firm; remediation; conformance statement | *[TBD — 4-6 weeks]* | | **ISO/IEC 30107-3 EAL-2 (Level B) PAD testing** | Engagement of an ILAC-accredited testing laboratory with the required ISO/IEC 30107 scope; formal test report | *[TBD — 3-4 months — ~AUD 60-100 k pass-through]* | | **IRAP / PROTECTED-level certification programme** | IRAP assessor engagement; ISM control evidence; remediation; certification | *[TBD — 6-8 months — ~AUD 150-250 k pass-through]* | | **ICAO Doc 9303 ePassport verification capability** | NFC ePassport reading, PKI verification, CRL checking module + integration | *[TBD — 8-12 weeks]* | | **myID app integration & onboarding** | Engineering integration with ATO infrastructure, joint dev / test cycles, joint UAT, 
runbook handover | *[TBD — sized by ATO scope]* | | **Training** | Onboarding training for ATO ops team; quarterly refresher sessions for Year 1 | *[TBD]* | | **Total one-off costs** | | *[TBD]* | ---"},{"h":"T4 — Ongoing Support and Maintenance","l":93,"t":"| Tier | Description | Annual (AUD) | |---|---|---:| | **Standard** | Business-hours email/ticket support; P1: 4-hour ack, 24-hour update; CVE patches per published SLA; quarterly platform updates | *[TBD]* | | **Enhanced** | 24×7 P1 on-call; P1: 1-hour ack, 4-hour update; monthly platform updates; named L2/L3 engineer; quarterly architecture review | *[TBD]* | | **Mission-Critical** | 24×7 named-engineer on-call across L2/L3/L4; P1: 30-minute ack, 2-hour update; weekly platform updates; dedicated engineering hours for ATO-specific work; quarterly executive review | *[TBD — recommended tier for myID scale]* | ---"},{"h":"T5 — Labour Rates","l":103,"t":"For any incremental work outside the subscription scope (custom features, ATO-specific engineering, training engagements). | Role | Day rate (AUD, GST-exclusive) | |---|---:| | Software Engineer (L2) | *[TBD]* | | Senior Software Engineer (L3) | *[TBD]* | | Principal Engineer (L4) | *[TBD]* | | Cryptography Specialist | *[TBD]* | | Security Architect | *[TBD]* | | Project Manager | *[TBD]* | | UX / Accessibility Specialist | *[TBD]* | | Documentation / Tech Writer | *[TBD]* | Travel and incidentals charged at cost with prior approval; standard 8-hour day; rates indexed annually. --- > *End of Part 4a draft. Indicative pricing numbers above are placeholders to be refined with co-signatory before lodgement and properly defined in a procurement stage. 
The RFI does not require firm pricing — the ATO has indicated this is for market-intelligence purposes.*"}],"tf":{"0":7,"1":16,"10":4,"100":1,"12":1,"15":1,"150":1,"19795":1,"2":16,"2019":1,"24":3,"250":5,"3":8,"30":2,"30107":2,"4":8,"45":1,"4a":2,"5":3,"50":4,"55":1,"6":4,"60":1,"7":2,"8":4,"9":1,"90":1,"9303":1,"a":7,"aa":2,"abi":1,"above":1,"accessibility":2,"account":1,"accredited":2,"ack":3,"across":2,"additional":2,"against":1,"agency":1,"aggregate":1,"all":3,"amounts":1,"an":2,"and":5,"anniversary":1,"annual":5,"annually":1,"any":2,"apache":3,"app":1,"approval":1,"architect":1,"architecture":1,"are":2,"as":1,"assessor":1,"assumptions":2,"at":2,"ato":7,"aud":16,"audit":5,"australian":1,"available":1,"aws":3,"b":7,"based":1,"be":1,"before":1,"below":1,"benchmark":2,"bindings":2,"breakpoints":1,"business":2,"by":2,"c":3,"call":2,"capability":1,"capped":1,"certification":3,"charge":1,"charged":1,"checking":1,"ci":1,"circuit":1,"co":2,"commercial":1,"commercially":1,"commitment":1,"commonwealth":1,"component":1,"configuration":1,"conformance":1,"contract":1,"control":1,"core":1,"corpus":1,"cost":3,"costs":2,"covers":1,"cpi":1,"critical":1,"crl":1,"cross":1,"cryptographic":1,"cryptography":1,"custom":1,"cve":1,"cycles":1,"d":2,"dashboards":1,"day":2,"dedicated":1,"defined":1,"delivery":2,"dependency":1,"depends":1,"description":2,"dev":1,"development":1,"discount":5,"discounts":2,"dns":1,"doc":1,"documentation":1,"does":1,"draft":2,"e":2,"eal":1,"email":1,"end":1,"endpoint":2,"engagement":3,"engagements":1,"engineer":5,"engineering":3,"enhanced":1,"environment":1,"environments":2,"epassport":2,"evaluation":1,"evidence":1,"excluding":1,"exclusive":2,"executive":1,"features":1,"fee":2,"final":1,"firm":2,"fixed":2,"fmr":2,"fnmr":2,"for":14,"forecast":1,"formal":1,"free":1,"government":1,"greater":1,"gst":2,"handover":1,"has":1,"hosted":1,"hour":6,"hours":3,"iam":1,"icao":1,"iec":3,"ilac":1,"implementation":1,"in":3,"incidentals":1,"incremental":2,"indefinitely":1,"ind
exation":1,"indexed":1,"indicated":1,"indicative":3,"infrastructure":2,"instance":2,"integration":5,"intelligence":1,"into":1,"invoke":1,"irap":3,"is":6,"ism":1,"iso":3,"item":1,"itself":2,"joint":2,"k":2,"l2":3,"l3":3,"l4":2,"laboratory":1,"labour":2,"level":2,"library":5,"licence":6,"licensing":1,"list":2,"lodgement":1,"logging":1,"m":12,"maintenance":2,"manager":1,"market":1,"maui":4,"metrics":1,"microsoft":1,"migration":1,"minute":1,"mission":1,"model":5,"module":1,"monthly":1,"months":2,"multi":1,"myid":3,"n":3,"named":2,"negotiable":1,"net":1,"nfc":1,"no":5,"non":1,"not":1,"noted":1,"nuget":1,"numbers":2,"of":3,"off":6,"on":5,"onboarding":2,"one":3,"ongoing":2,"only":2,"open":2,"ops":1,"or":1,"otherwise":1,"outside":2,"p":1,"p1":4,"package":1,"pad":1,"part":2,"pass":2,"patches":1,"patching":1,"per":6,"perpetual":4,"philosophy":1,"pki":1,"placeholders":1,"platform":3,"prepay":2,"price":1,"pricing":8,"principal":1,"prior":1,"privatelink":2,"procurement":3,"production":2,"programme":2,"project":2,"proofs":1,"properly":1,"protected":2,"published":1,"purposes":2,"quantity":1,"quarterly":4,"rate":3,"rates":3,"reading":1,"recommended":1,"refine":1,"refined":1,"refresher":1,"remains":1,"remediation":3,"report":3,"representative":1,"require":1,"required":1,"review":2,"revisions":1,"rfi":2,"role":2,"runbook":1,"saas":5,"sable":3,"sample":1,"scale":2,"scope":5,"seat":2,"security":1,"see":1,"senior":1,"service":5,"sessions":1,"setup":1,"signatory":2,"sized":1,"sla":3,"slas":1,"software":3,"sold":1,"source":2,"sp1":3,"specialist":2,"specific":2,"stacking":1,"stage":3,"staging":1,"standard":2,"statement":1,"subscription":7,"support":3,"sydney":1,"t1":4,"t2":1,"t3":1,"t4":1,"t5":1,"tables":1,"tbd":54,"team":1,"tech":1,"template":1,"term":1,"terms":1,"test":2,"testing":2,"tests":1,"the":13,"this":1,"through":2,"ticket":1,"tier":16,"tiered":3,"tiers":1,"to":3,"total":5,"training":3,"transcribe":1,"travel":1,"ts":1,"uat":1,"under":1,"unit":1,"unless":1,"unlimited":4,"up":1,"upd
ate":3,"updates":3,"ux":1,"validation":1,"vehicle":1,"verification":10,"verifications":1,"volume":4,"vpc":1,"wcag":2,"weekly":1,"weeks":4,"whichever":1,"wiring":1,"with":7,"work":2,"writer":1,"xlsx":1,"year":16,"yr":5,"zk":2}},{"dl":445,"n":"index","s":"index","secs":[{"h":"AusTender ATM cea1b989 — SABLE Response Draft","l":1,"t":"Working brief for **[Anuna Research Cooperative](https://anuna.io)**'s response to AusTender ATM `cea1b989-ceb0-4b36-8b48-ac1330062362`, positioning **[[sable]]** (Secure Attested Biometric Library for Edge — Halo2 zero-knowledge proofs over biometrics, fully offline, no special hardware) as the proposed solution. Anuna positions as *\"applied AI research, done through the work itself\"* — integrating AI engineering, organisational design and governance as one unified practice. Anuna is currently delivering eGov services (digital identity + citizen services + advisory) for the **Bangsamoro Autonomous Region in Muslim Mindanao (BARMM)**, Philippines — production go-live July 2026 — the most directly relevant delivery-capability reference for this RFI (BARMM does not currently deploy SABLE; future SABLE deployment at BARMM is a candidate natural extension). Early international dialogue on the SABLE approach is under way with **Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI)**. Adjacent prior clients include Microsoft, Autodesk, CSIRO Data61, Telus, Kellogg, Suncorp, IAG, GovUK and Telefónica. 
**ATM URL:** https://www.tenders.gov.au/Atm/Show/cea1b989-ceb0-4b36-8b48-ac1330062362"},{"h":"Status","l":7,"t":"- [ ] [[task-login]] — authenticated session against tenders.gov.au - [ ] [[task-meta-extract]] — title, agency, close date, eligibility, attachments - [ ] [[task-download-attachments]] — RFP, response templates, attachments - [ ] [[task-extract-text]] — every attachment to markdown in /sources - [ ] [[task-review-requirements]] — curated /pages synthesis - [ ] [[task-draft-application]] — response narrative + compliance matrix in /draft - [ ] [[task-validate]] — every mandatory requirement answered"},{"h":"Layout","l":17,"t":"- `index.md` — this file - `plan.spl` — hence-driven coordination plan - `.crawl/` — raw crawl artefacts (gitignored, includes session/cookies) - `attachments/` — downloaded files from the ATM page (PDFs, response templates, etc.) - `sources/` — text/markdown extractions of attachments + ATM landing page - `pages/` — curated synthesis (opportunity overview, evaluation criteria, etc.) - `draft/` — the response document itself (narrative, pricing, compliance matrix)"},{"h":"Coordination","l":27,"t":""},{"h":"Our solution: SABLE","l":35,"t":"`../sable` — Apache-2.0 ZK biometrics library by Anuna Research Cooperative: - **True zero-knowledge proofs over biometric data** — Halo2 transparent setup, ~250 ms proof gen, ~2 ms verification, 2 KB proofs - **Fully offline** — peer-to-peer verification via NFC/BLE/WiFi Direct, no cloud, no blockchain - **No special hardware** — works with any smartphone camera; spatial-flash liveness detection (Tang et al., NDSS 2018) without depth sensors - **Selective disclosure** — BBS+-signed Verifiable Credentials let users prove predicates (e.g. \"≥ 18\") without revealing underlying data - **519 tests passing** across the core library, 77 Halo2-specific See [[sable-fit]] for the technical mapping from SABLE capabilities to the ATM's stated requirements."},{"h":"Reading order","l":47,"t":"1. 
[[opportunity-overview]] — context and why SABLE fits 2. [[evaluation-criteria]] — every requirement verbatim 3. [[sable-fit]] — per-requirement compliance position 4. [[gaps-and-risks]] — honest gap analysis 5. [[ato-myid-context]] — strategic framing 6. [[response-structure]] — what we have to submit 7. [[key-dates]] — close 4-Jun-2026 14:00 ACT Source extracts: [[source-index]]. Raw downloads: `attachments/INDEX.md`. All curated pages: [[page-index]]."}],"tf":{"0":1,"00":1,"1":1,"14":1,"18":1,"2":4,"2018":1,"2026":2,"250":1,"3":1,"4":2,"4b36":1,"5":1,"519":1,"6":1,"7":1,"77":1,"8b48":1,"a":1,"ac1330062362":1,"across":1,"act":1,"adjacent":1,"advisory":1,"against":1,"agency":1,"ai":2,"al":1,"all":1,"analysis":1,"and":4,"answered":1,"anuna":5,"any":1,"apache":1,"application":1,"applied":1,"approach":1,"artefacts":1,"as":3,"at":1,"atm":7,"ato":1,"attachment":1,"attachments":4,"attested":1,"au":2,"austender":2,"authenticated":1,"autodesk":1,"autonomous":1,"bangsamoro":1,"barmm":3,"bbs":1,"biometric":2,"biometrics":2,"ble":1,"blockchain":1,"brief":1,"bsi":1,"bundesamt":1,"by":1,"camera":1,"candidate":1,"capabilities":1,"capability":1,"cea1b989":2,"ceb0":1,"citizen":1,"clients":1,"close":2,"cloud":1,"compliance":3,"context":2,"cookies":1,"cooperative":2,"coordination":2,"core":1,"crawl":1,"credentials":1,"criteria":2,"csiro":1,"curated":3,"currently":2,"data":2,"data61":1,"date":1,"dates":1,"delivering":1,"delivery":1,"deploy":1,"deployment":1,"depth":1,"der":1,"design":1,"detection":1,"dialogue":1,"digital":1,"direct":1,"directly":1,"disclosure":1,"document":1,"does":1,"done":1,"download":1,"downloaded":1,"downloads":1,"draft":3,"driven":1,"e":1,"early":1,"edge":1,"egov":1,"eligibility":1,"engineering":1,"et":1,"etc":2,"evaluation":2,"every":3,"extension":1,"extract":2,"extractions":1,"extracts":1,"file":1,"files":1,"fit":2,"fits":1,"flash":1,"for":5,"framing":1,"from":2,"fully":2,"future":1,"für":1,"g":1,"gap":1,"gaps":1,"gen":1,"germany":1,"gitignored":1,"go":1,"gov"
:2,"governance":1,"govuk":1,"halo2":3,"hardware":2,"have":1,"hence":1,"honest":1,"https":2,"iag":1,"identity":1,"in":4,"include":1,"includes":1,"index":2,"informationstechnik":1,"integrating":1,"international":1,"io":1,"is":3,"itself":2,"july":1,"jun":1,"kb":1,"kellogg":1,"key":1,"knowledge":2,"landing":1,"layout":1,"let":1,"library":3,"live":1,"liveness":1,"login":1,"mandatory":1,"mapping":1,"markdown":2,"matrix":2,"meta":1,"microsoft":1,"mindanao":1,"most":1,"ms":2,"muslim":1,"myid":1,"narrative":2,"natural":1,"ndss":1,"nfc":1,"no":4,"not":1,"of":1,"offline":2,"on":1,"one":1,"opportunity":2,"order":1,"organisational":1,"our":1,"over":2,"overview":2,"page":3,"pages":2,"passing":1,"pdfs":1,"peer":2,"per":1,"philippines":1,"plan":1,"position":1,"positioning":1,"positions":1,"practice":1,"predicates":1,"pricing":1,"prior":1,"production":1,"proof":1,"proofs":3,"proposed":1,"prove":1,"raw":2,"reading":1,"reference":1,"region":1,"relevant":1,"requirement":3,"requirements":2,"research":3,"response":7,"revealing":1,"review":1,"rfi":1,"rfp":1,"risks":1,"s":3,"sable":10,"secure":1,"see":1,"selective":1,"sensors":1,"services":2,"session":2,"setup":1,"show":1,"sicherheit":1,"signed":1,"smartphone":1,"solution":2,"source":2,"sources":1,"spatial":1,"special":2,"specific":1,"stated":1,"status":1,"strategic":1,"structure":1,"submit":1,"suncorp":1,"synthesis":2,"tang":1,"task":7,"technical":1,"telefónica":1,"telus":1,"templates":2,"tenders":2,"tests":1,"text":2,"the":10,"this":2,"through":1,"title":1,"to":5,"transparent":1,"true":1,"under":1,"underlying":1,"unified":1,"url":1,"users":1,"validate":1,"verbatim":1,"verifiable":1,"verification":2,"via":1,"way":1,"we":1,"what":1,"why":1,"wifi":1,"with":2,"without":2,"work":1,"working":1,"works":1,"www":1,"zero":2,"zk":1}},{"dl":727,"n":"addenda-clarifications","s":"pages/addenda-clarifications","secs":[{"h":"Addenda — Clarifications Applied","l":1,"t":"Two addenda issued by the ATO during the RFI period materially shape the 
response:"},{"h":"Addendum 2 — Closing date extension","l":5,"t":"Closing time **2:00 pm 28-May-2026 → 2:00 pm 4-Jun-2026 ACT**. Applied throughout [[key-dates]]."},{"h":"Addendum 1 — Q&A clarifications (15 items)","l":9,"t":""},{"h":"Items that change our position","l":11,"t":"| # | Clarification | Impact on draft | |---|---|---| | Q1 (LV-6) | Any **ILAC-accredited** testing lab is acceptable — not specifically iBeta. Must evidence accreditation scope, methodology, version, PAD assurance level, limitations. | [[sable-fit]] / Part 3a — broaden lab options | | Q2 (TV-3) | Algorithm must be tested using **diverse cohort** per Digital ID Accreditation Data Standards: disability; diverse abilities including technology ability; diverse age, gender, ethnicity. Applies to vendor's own algorithm, not FVS. | Part 3a TV-3 — add explicit diversity commitment | | Q3 (H-2) | ATO is open to **multiple deployment models** — vendor-managed SaaS *or* ATO-managed within ATO AWS environment. Both should be described with infrastructure, ops, security, support, licensing implications. | Part 3a H-2 — add a second deployment-model description | | Q4 (IN-4) | IaC required for the **deployment model proposed**, plus document responsibility split (vendor vs ATO). | Part 3a IN-4 — clarify responsibility matrix | | Q5 (IN-1) | If MAUI not available at RFI response time, **provide committed delivery approach, timeline, risks, dependencies**. Phased delivery acceptable subject to ATO assessment. | Part 3a IN-1 — already a 4-6 week commitment; refine risk/dependency narrative | | Q6 | Liveness only required at **enrolment + reverification + recovery**, NOT every login. 95M login figure is total activity, not liveness volume. | Part 3a P-1 / Pricing — clarifies sizing | | Q7 (P-1) | 10 000/hr is combined projected + observed; applies to enrolments, reverifications, account recovery events. 
| Part 3a P-1 — explicit | | Q8 (P-2) | No growth forecast available — respondents to provide their own Software Capacity Plan with assumptions, scalable architecture, headroom, constraints, scaling triggers, monitoring, commercial implications across contract term. | Part 3a P-2 — strengthen Capacity Plan narrative | | Q9 (OP-9) | NV1 clearance needed **before personnel access PROTECTED/production systems**, no later than production go-live. **Interim arrangements** possible (restricted access, supervised access, role separation, use of already-cleared personnel, deferral) subject to ATO Security approval. Respondents must provide current clearance status, sponsorship assumptions, lead times, mitigation. | Part 3a OP-9 — add interim arrangement plan | | Q10 (SC-6) | IRAP scope includes **all components processing/storing/transmitting/administering/monitoring/supporting ATO data**: production platform, management plane, support portal, admin tooling, integrations, logging/monitoring, connected environments. Respondents to define proposed scope, current status, residual gaps, timeline; IRAP readiness must align with security assurance + production-readiness milestones. | Part 3a SC-6 — broaden scope statement | | Q11 (SC-5) | SC-5 applies across **full delivery chain**: subcontractors, sub-processors, PAD providers, hosting providers, support providers, telemetry, logging. **Foreign-incorporated PAD vendor OK if all PI stays in Australia.** | Part 3a SC-5 — already strong (no PI ever crosses boundary); add explicit sub-processor coverage | | Q12 | Solution must follow **privacy-by-design + data minimisation**; biometric data must not be retained longer than required. | SABLE's no-PI-server-side architecture: ideal fit; add explicit alignment statement | | Q13 (TV-1) | No volume forecast for offshore NFC verification; phased delivery acceptable. 
| Part 3a TV-1 — already a 8-12 week phased commitment; add forecast acknowledgement | | Q14 (OP-6) | Requirement is for **organisational/operational controls**, not clinical assessment: security awareness, escalation pathways, welfare/supervision, privileged access monitoring, separation of duties, peer review for sensitive actions, incident reporting, unusual access/behaviour detection. | Part 3a OP-6 — **upgrade from Partially Compliant to Compliant** with organisational-controls answer | | Q15 (ISO 14001) | Must state in RFI response whether currently certified, aligned, or can achieve within 6 months. Must provide certification/alignment evidence, planned uplift, responsible owner, timeframe. | Part 3 General — add ISO 14001 statement |"},{"h":"Items confirming our existing position","l":31,"t":"- LV-6 (any ILAC-accredited lab) — strengthens our position (no vendor lock-in to a specific lab) - TV-3 (diverse cohort) — easy to address via test-corpus selection - SC-5 (full delivery chain) — SABLE's architecture is \"no PI in delivery chain at all\" — strongest possible position - Q12 (retention) — SABLE matches privacy-by-design by construction; no retention required because no PI is ever held - Q6 / Q7 — liveness scale is enrolment + reverification + recovery only; reinforces feasibility at 10k/hr"},{"h":"Linked notes","l":39,"t":"- [[evaluation-criteria]] — source requirements - [[sable-fit]] — per-requirement position (updated to reflect addenda) - [[gaps-and-risks]] — gap remediation 
plan"}],"tf":{"00":2,"000":1,"1":8,"10":1,"10k":1,"12":1,"14001":2,"15":1,"2":7,"2026":2,"28":1,"3":4,"3a":13,"4":4,"5":4,"6":8,"8":1,"9":2,"95m":1,"a":5,"abilities":1,"ability":1,"acceptable":3,"access":5,"account":1,"accreditation":2,"accredited":2,"achieve":1,"acknowledgement":1,"across":2,"act":1,"actions":1,"activity":1,"add":7,"addenda":3,"addendum":2,"address":1,"admin":1,"administering":1,"age":1,"algorithm":2,"align":1,"aligned":1,"alignment":2,"all":3,"already":4,"and":1,"answer":1,"any":2,"applied":2,"applies":3,"approach":1,"approval":1,"architecture":3,"arrangement":1,"arrangements":1,"assessment":2,"assumptions":2,"assurance":2,"at":4,"ato":8,"australia":1,"available":2,"awareness":1,"aws":1,"be":3,"because":1,"before":1,"behaviour":1,"biometric":1,"both":1,"boundary":1,"broaden":2,"by":4,"can":1,"capacity":2,"certification":1,"certified":1,"chain":3,"change":1,"clarification":1,"clarifications":2,"clarifies":1,"clarify":1,"clearance":2,"cleared":1,"clinical":1,"closing":2,"cohort":2,"combined":1,"commercial":1,"commitment":3,"committed":1,"compliant":2,"components":1,"confirming":1,"connected":1,"constraints":1,"construction":1,"contract":1,"controls":2,"corpus":1,"coverage":1,"criteria":1,"crosses":1,"current":2,"currently":1,"data":4,"date":1,"dates":1,"deferral":1,"define":1,"delivery":6,"dependencies":1,"dependency":1,"deployment":3,"described":1,"description":1,"design":2,"detection":1,"digital":1,"disability":1,"diverse":4,"diversity":1,"document":1,"draft":1,"during":1,"duties":1,"easy":1,"enrolment":2,"enrolments":1,"environment":1,"environments":1,"escalation":1,"ethnicity":1,"evaluation":1,"events":1,"ever":2,"every":1,"evidence":2,"existing":1,"explicit":4,"extension":1,"feasibility":1,"figure":1,"fit":3,"follow":1,"for":4,"forecast":3,"foreign":1,"from":1,"full":2,"fvs":1,"gap":1,"gaps":2,"gender":1,"general":1,"go":1,"growth":1,"h":2,"headroom":1,"held":1,"hosting":1,"hr":2,"iac":1,"ibeta":1,"id":1,"ideal":1,"if":2,"ilac":2,"impact":1,"im
plications":2,"in":8,"incident":1,"includes":1,"including":1,"incorporated":1,"infrastructure":1,"integrations":1,"interim":2,"irap":2,"is":8,"iso":2,"issued":1,"items":3,"jun":1,"key":1,"lab":4,"later":1,"lead":1,"level":1,"licensing":1,"limitations":1,"linked":1,"live":1,"liveness":3,"lock":1,"logging":2,"login":2,"longer":1,"lv":2,"managed":2,"management":1,"matches":1,"materially":1,"matrix":1,"maui":1,"may":1,"methodology":1,"milestones":1,"minimisation":1,"mitigation":1,"model":2,"models":1,"monitoring":4,"months":1,"multiple":1,"must":8,"narrative":2,"needed":1,"nfc":1,"no":9,"not":7,"notes":1,"nv1":1,"observed":1,"of":2,"offshore":1,"ok":1,"on":1,"only":2,"op":4,"open":1,"operational":1,"ops":1,"options":1,"or":2,"organisational":2,"our":3,"own":2,"owner":1,"p":5,"pad":3,"part":14,"partially":1,"pathways":1,"peer":1,"per":2,"period":1,"personnel":2,"phased":3,"pi":5,"plan":4,"plane":1,"planned":1,"platform":1,"plus":1,"pm":2,"portal":1,"position":5,"possible":2,"pricing":1,"privacy":2,"privileged":1,"processing":1,"processor":1,"processors":1,"production":4,"projected":1,"proposed":2,"protected":1,"provide":4,"providers":3,"q":1,"q1":1,"q10":1,"q11":1,"q12":2,"q13":1,"q14":1,"q15":1,"q2":1,"q3":1,"q4":1,"q5":1,"q6":2,"q7":2,"q8":1,"q9":1,"readiness":2,"recovery":3,"refine":1,"reflect":1,"reinforces":1,"remediation":1,"reporting":1,"required":4,"requirement":2,"requirements":1,"residual":1,"respondents":3,"response":3,"responsibility":2,"responsible":1,"restricted":1,"retained":1,"retention":2,"reverification":2,"reverifications":1,"review":1,"rfi":3,"risk":1,"risks":2,"role":1,"s":3,"saas":1,"sable":5,"sc":6,"scalable":1,"scale":1,"scaling":1,"scope":4,"second":1,"security":4,"selection":1,"sensitive":1,"separation":2,"server":1,"shape":1,"should":1,"side":1,"sizing":1,"software":1,"solution":1,"source":1,"specific":1,"specifically":1,"split":1,"sponsorship":1,"standards":1,"state":1,"statement":3,"status":2,"stays":1,"storing":1,"strengthen":1,"strengthens"
:1,"strong":1,"strongest":1,"sub":2,"subcontractors":1,"subject":2,"supervised":1,"supervision":1,"support":3,"supporting":1,"systems":1,"technology":1,"telemetry":1,"term":1,"test":1,"tested":1,"testing":1,"than":2,"that":1,"the":4,"their":1,"throughout":1,"time":2,"timeframe":1,"timeline":2,"times":1,"to":11,"tooling":1,"total":1,"transmitting":1,"triggers":1,"tv":5,"two":1,"unusual":1,"updated":1,"upgrade":1,"uplift":1,"use":1,"using":1,"vendor":5,"verification":1,"version":1,"via":1,"volume":2,"vs":1,"week":2,"welfare":1,"whether":1,"with":4,"within":2}},{"dl":1840,"n":"ato-myid-context","s":"pages/ato-myid-context","secs":[{"h":"ATO myID Context","l":1,"t":"Context for the RFI: what myID is today, where it's heading, and how a SABLE-class capability complements rather than replaces the existing stack."},{"h":"What myID is today","l":5,"t":"- Australia's national [Digital ID Provider](https://www.digitalidsystem.gov.au/) under the **Digital ID Act 2024** (commenced 1-Dec-2024) - An app installed on the user's smart device — they prove who they are once and log in to government online services thereafter - **14 M+ users**; **6 M+ at IP3 (Strong)** identity proofing - **95 M+ uses** across 12 months (Aug 2024 – Aug 2025) across 240+ government online services - Three identity-proofing (IP) levels today: - **IP1 (Basic)** — verified email + self-asserted name + DOB - **IP2 (Standard)** — verified email + name + DOB via 2 documents through DVS - **IP3 (Strong)** — verified email + name + DOB via 2-3 documents through DVS + face biometric against source document (Australian Passport / Driver Licence) via FVS - Future IP levels per Digital ID Act: - **IP1+** — 1 document via DVS - **IP2+** — 2 documents via DVS + face biometric (where Passport not used) via FVS, with a liveness check"},{"h":"What the ATO is looking to evolve","l":19,"t":"> *\"Since the launch of Strong myID in 2021, the technology landscape for identity verification has evolved significantly… To 
ensure myID continues to meet the highest standards of security, usability, and inclusivity, the ATO is seeking information from technology providers on their capabilities to support future enhancements.\"* Three concrete capability streams: 1. **Liveness detection & facial image capture** — refresh of the 2021-procured liveness stack 2. **Biometric matching** — enable login / account recovery without manual re-proofing (today's IP3 users sometimes have to re-prove via call-centre support → high cost, poor UX) 3. **Technical verification of credentials** — NFC-enabled verification of electronically readable identity documents (ePassports) so **offshore users** can verify with foreign Passports (today they can't, because myID only verifies against Australian-issued documents)"},{"h":"Why this is a strategic moment","l":29,"t":"- The Digital ID Act 2024 codifies privacy and minimisation as legal obligations, not best practice - The market has moved on from 2021's PAD techniques (anti-spoofing is now a moving target as deepfakes mature) - 14 M+ users at IP3 represent significant lock-in to the current architecture, so any replacement must be backwards-compatible - Offshore verification is currently a gap — myID doesn't work outside Australia for foreign-document holders, which limits its use for diaspora / expat / visa-track users"},{"h":"Where SABLE fits","l":36,"t":"[Anuna Research Cooperative](https://anuna.io) brings directly-comparable delivery experience: **the BARMM (Bangsamoro Autonomous Region in Muslim Mindanao) eGov programme** — currently building digital identity, citizen-facing services, and transformation advisory for a regional Philippines government, with production go-live July 2026 (BARMM does not currently deploy SABLE; future SABLE deployment at BARMM is a candidate natural extension). 
Adjacent engagements with **GovUK** (UK Government Digital Service) and **CSIRO Data61** position us in the OECD public-sector context; early international dialogue on the SABLE approach is under way with **Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI)**. SABLE is **not a drop-in replacement** for the current liveness / matching stack — it is a complementary capability with four distinctive properties: 1. **Privacy by construction** — biometric data never leaves the device. The 2021-procured stack typically captures the face image, transmits it to a vendor-operated matcher / liveness service, and stores it for audit. SABLE captures, hashes (Pedersen), and proves match locally; only the ZK proof reaches the SaaS endpoint. This is a stronger guarantee than any policy-based access control. 2. **Selective disclosure via BBS+** — once the Digital ID Act starts requiring proof of attributes (over 18 / Australian citizen / not on a sanctions list) the standard approach is to expose the underlying credential. SABLE's BBS+ pipeline lets the user prove the predicate without revealing the field — directly aligned with the Act's minimisation principles. 3. **Offline P2P operation** — the capture / liveness / proof pipeline executes entirely on-device with no internet dependency. Addresses inclusivity for users in low-connectivity areas of Australia, and provides a path to the offshore-verification capability the ATO has identified as a gap for users abroad. 4. **Open-source regional public good** — Apache 2.0 licence means investment in maturing SABLE for myID use compounds beyond the ATO's direct benefit; see *Regional spillover* below. These align especially well with the ATO's **inclusivity** and **future-readiness** vision, and complement (rather than compete with) the FVS-anchored architecture for the current IP3 path. 
A pragmatic deployment pattern is: - **Phase 1** (immediate): SABLE provides the *capture + PAD + match* pipeline running entirely on-device; ATO's existing FVS continues to perform the authoritative 1:1 match against the source document via existing channels. SABLE's proof is an additional integrity / liveness signal alongside the FVS check. - **Phase 2** (12-18 months): SABLE handles routine reauthentication (login / recovery) entirely on-device using the user's Pedersen-committed enrolment, removing 80 %+ of FVS round-trips and call-centre re-proofing escalations. - **Phase 3** (24+ months): SABLE's BBS+ selective disclosure path becomes the default for attribute-only checks (age, citizenship, etc.) per Digital ID Act evolution."},{"h":"The architectural case for moving biometric data off centralised servers","l":54,"t":"The case for an on-device, never-leaves-device architecture is reinforced by a decade of breach evidence. Internationally, the 2019 Suprema BioStar 2 incident exposed approximately 27.8 million biometric records — fingerprints and facial-recognition templates — through an unsecured database. The 2014-15 US Office of Personnel Management breach exfiltrated approximately 5.6 million fingerprint records to a state-sponsored adversary as part of a larger 21.5-million-record compromise of background-check files. The 2023 23andMe breach affected approximately 6.9 million users' genetic-biometric profiles via credential stuffing. In Australia, the Notifiable Data Breaches scheme has recorded large-scale identity-document exposures at Optus (September 2022, approximately 9.8 million customers including passport and driver-licence data), Medibank (October 2022, approximately 9.7 million customers including health and identity data), and Latitude Financial (March 2023, approximately 14 million records including approximately 7.9 million driver licences and 53 000 passport numbers). 
The pattern across these incidents is consistent: any system that aggregates biometric or identity-document data into a central store creates a high-value target whose breach risk is *structural*, not merely operational. Hardening procedures, access controls, encryption-at-rest, and post-breach disclosure regimes can each be improved — but none of them retire the target class. **SABLE retires the target class by design.** There is nothing for an attacker to exfiltrate at scale because the biometric data never leaves the user's device; even total compromise of the SaaS verification endpoint yields no biometric data, because none is held there. For an identity service of myID's scale and visibility, this architectural property is materially more defensible than any defence-in-depth posture built on top of centralised storage."},{"h":"Social licence to operate","l":60,"t":"Trust in large-scale government identity infrastructure is a maintained asset, not an inherent property. The broader Australian public-sector experience over the last decade — the parliamentary scrutiny that shaped the Digital ID Act 2024, ongoing public commentary on the use of biometric and identity-document data, and the demonstrated reputational consequences when government data systems lose public confidence — has shown that the *social licence to operate* national identity infrastructure is contingent on demonstrable privacy posture, not just on legal compliance with the privacy framework. myID's scale (14 million-plus users, 95 million-plus logins per year, 240-plus services) means it now functions as critical national infrastructure, with the public-trust expectations that come with that status. Architectural privacy — where biometric data verifiably never leaves the user's device — is not only a security control; it is a **social-licence asset**. 
It makes the ATO's privacy commitments *empirically verifiable* rather than rhetorically assertable: a user can inspect the open-source code, an independent cryptographer can verify the zero-knowledge property, a journalist or parliamentary committee can verify the architectural claim without specialist access. Each of these closes off a channel through which the social licence to operate can be challenged. For the ATO specifically, this matters in two ways. **Operationally:** each future incident in the broader biometric / identity-data sector creates pressure on every operator of identity infrastructure, including myID; architectural privacy makes it possible to credibly answer *\"that class of incident is structurally impossible for us\"* rather than *\"we have controls in place to mitigate that risk\"*. **Strategically:** the ATO's wider authority — its capacity to administer the tax system at scale — depends on continued public confidence that it holds and uses citizen data appropriately. Reducing what it holds, by design and not just by policy, strengthens that wider authority directly. Investment in privacy-by-construction biometrics is, in this sense, also investment in the ATO's social licence to operate at the scale and trust level the modern tax system requires."},{"h":"Regional spillover — additional public value","l":68,"t":"A distinctive feature of an ATO investment in SABLE: **the work is Apache 2.0 open-source**, so any production-hardening work the ATO funds — third-party ISO/IEC 30107-3 EAL-2 (Level B) PAD certification, ISO/IEC TS 19795-9 FMR/FNMR benchmarking, Microsoft MAUI bindings, IRAP / PROTECTED-level certification, ASD-HACE-compliant cryptographic pathway, WCAG 2.1 AA accessibility audit — becomes **immediately and freely available** to any other government deploying the library. 
Candidate future deployment contexts for SABLE that would directly benefit from ATO-funded maturation: - **BARMM (Philippines)** — Anuna's existing eGov delivery engagement provides a natural deployment pathway for SABLE; the same practitioner team is in position - **European public-sector identity** — early dialogue under way with **Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI)** about the SABLE approach - **Other Pacific island nations** — many actively scoping or building national digital ID; on-device privacy-preserving primitives are a natural fit - **ASEAN member states** — multiple jurisdictions with active digital-identity programmes - **Adjacent use cases beyond national digital identity** — age verification for online services; healthcare patient verification (telehealth, prescription authorisation); building / facility access control; employer / contractor on-site identity; peer-to-peer credential verification — wherever holding biometric or identity-document data centrally is a liability that an architectural alternative could retire This dimension aligns with several Commonwealth foreign-policy priorities: - **Pacific Step-Up** — Australian-developed digital-trust infrastructure deployable across the Pacific - **Indo-Pacific Endeavour** — supporting regional digital sovereignty without dependence on US or Chinese vendor stacks - **ASEAN digital cooperation** — interoperable identity primitives across the region - **The Quad's cyber resilience agenda** — open, auditable, sovereign-controlled identity capability - **DFAT Cyber and Critical Tech Cooperation Program** — capacity building in regional digital trust The ATO procures an audited, certified production stack for myID. The by-product is a public good — an Australian-developed open-source identity capability that strengthens the regional digital-trust posture more broadly. 
This is genuine additional public value the ATO can claim from the procurement spend, beyond the direct benefit to myID users."},{"h":"Linked notes","l":90,"t":"- [[opportunity-overview]] — the RFI itself - [[sable-fit]] — per-requirement capability mapping - [[gaps-and-risks]]"}],"tf":{"0":2,"000":1,"1":8,"12":2,"14":4,"15":1,"18":2,"19795":1,"2":11,"2014":1,"2019":1,"2021":4,"2022":2,"2023":2,"2024":5,"2025":1,"2026":1,"21":1,"23andme":1,"24":1,"240":2,"27":1,"3":5,"30107":1,"4":1,"5":2,"53":1,"6":3,"7":2,"8":2,"80":1,"9":5,"95":2,"a":31,"aa":1,"able":1,"about":1,"abroad":1,"access":4,"accessibility":1,"account":1,"across":5,"act":7,"active":1,"actively":1,"additional":3,"addresses":1,"adjacent":2,"administer":1,"adversary":1,"advisory":1,"affected":1,"against":3,"age":2,"agenda":1,"aggregates":1,"align":1,"aligned":1,"aligns":1,"alongside":1,"also":1,"alternative":1,"an":12,"anchored":1,"and":27,"answer":1,"anti":1,"anuna":3,"any":6,"apache":2,"app":1,"approach":3,"appropriately":1,"approximately":7,"architectural":6,"architecture":3,"are":2,"areas":1,"as":5,"asd":1,"asean":2,"assertable":1,"asserted":1,"asset":2,"at":8,"ato":16,"attacker":1,"attribute":1,"attributes":1,"au":1,"audit":3,"audited":1,"aug":2,"australia":4,"australian":6,"authorisation":1,"authoritative":1,"authority":2,"autonomous":1,"available":1,"b":1,"background":1,"backwards":1,"bangsamoro":1,"barmm":4,"based":1,"basic":1,"bbs":3,"be":3,"because":3,"becomes":2,"below":1,"benchmarking":1,"benefit":3,"best":1,"beyond":3,"bindings":1,"biometric":14,"biometrics":1,"biostar":1,"breach":5,"breaches":1,"brings":1,"broader":2,"broadly":1,"bsi":2,"building":4,"built":1,"bundesamt":2,"but":1,"by":7,"call":2,"can":8,"candidate":2,"capabilities":1,"capability":7,"capacity":2,"capture":3,"captures":2,"case":2,"cases":1,"central":1,"centralised":2,"centrally":1,"centre":2,"certification":2,"certified":1,"challenged":1,"channel":1,"channels":1,"check":3,"checks":1,"chinese":1,"citizen":3,"citizenship":1,"clai
m":2,"class":4,"closes":1,"code":1,"codifies":1,"come":1,"commenced":1,"commentary":1,"commitments":1,"committed":1,"committee":1,"commonwealth":1,"comparable":1,"compatible":1,"compete":1,"complement":1,"complementary":1,"complements":1,"compliance":1,"compliant":1,"compounds":1,"compromise":2,"concrete":1,"confidence":2,"connectivity":1,"consequences":1,"consistent":1,"construction":2,"context":3,"contexts":1,"contingent":1,"continued":1,"continues":2,"contractor":1,"control":3,"controlled":1,"controls":2,"cooperation":2,"cooperative":1,"cost":1,"could":1,"creates":2,"credential":3,"credentials":1,"credibly":1,"critical":2,"cryptographer":1,"cryptographic":1,"csiro":1,"current":3,"currently":3,"customers":2,"cyber":2,"data":14,"data61":1,"database":1,"dec":1,"decade":2,"deepfakes":1,"default":1,"defence":1,"defensible":1,"delivery":2,"demonstrable":1,"demonstrated":1,"dependence":1,"dependency":1,"depends":1,"deploy":1,"deployable":1,"deploying":1,"deployment":4,"depth":1,"der":2,"design":2,"detection":1,"developed":2,"device":10,"dfat":1,"dialogue":2,"diaspora":1,"digital":17,"digitalidsystem":1,"dimension":1,"direct":2,"directly":4,"disclosure":3,"distinctive":2,"dob":3,"document":8,"documents":5,"does":1,"doesn":1,"driver":3,"drop":1,"dvs":4,"each":3,"eal":1,"early":2,"egov":2,"electronically":1,"email":3,"empirically":1,"employer":1,"enable":1,"enabled":1,"encryption":1,"endeavour":1,"endpoint":2,"engagement":1,"engagements":1,"enhancements":1,"enrolment":1,"ensure":1,"entirely":3,"epassports":1,"escalations":1,"especially":1,"etc":1,"european":1,"even":1,"every":1,"evidence":1,"evolution":1,"evolve":1,"evolved":1,"executes":1,"exfiltrate":1,"exfiltrated":1,"existing":4,"expat":1,"expectations":1,"experience":2,"expose":1,"exposed":1,"exposures":1,"extension":1,"face":3,"facial":2,"facility":1,"facing":1,"feature":1,"field":1,"files":1,"financial":1,"fingerprint":1,"fingerprints":1,"fit":2,"fits":1,"fmr":1,"fnmr":1,"for":22,"foreign":3,"four":1,"framework":1,"
freely":1,"from":4,"functions":1,"funded":1,"funds":1,"future":6,"fvs":6,"für":2,"gap":2,"gaps":1,"genetic":1,"genuine":1,"germany":2,"go":1,"good":2,"gov":1,"government":7,"govuk":1,"guarantee":1,"hace":1,"handles":1,"hardening":2,"has":5,"hashes":1,"have":2,"heading":1,"health":1,"healthcare":1,"held":1,"high":2,"highest":1,"holders":1,"holding":1,"holds":2,"how":1,"https":2,"id":8,"identified":1,"identity":22,"iec":2,"image":2,"immediate":1,"immediately":1,"impossible":1,"improved":1,"in":22,"incident":3,"incidents":1,"including":4,"inclusivity":3,"independent":1,"indo":1,"information":1,"informationstechnik":2,"infrastructure":5,"inherent":1,"inspect":1,"installed":1,"integrity":1,"international":1,"internationally":1,"internet":1,"interoperable":1,"into":1,"investment":4,"io":1,"ip":2,"ip1":2,"ip2":2,"ip3":5,"irap":1,"is":32,"island":1,"iso":2,"issued":1,"it":10,"its":2,"itself":1,"journalist":1,"july":1,"jurisdictions":1,"just":2,"knowledge":1,"landscape":1,"large":2,"larger":1,"last":1,"latitude":1,"launch":1,"leaves":4,"legal":2,"lets":1,"level":3,"levels":2,"liability":1,"library":1,"licence":8,"licences":1,"limits":1,"linked":1,"list":1,"live":1,"liveness":7,"locally":1,"lock":1,"log":1,"login":2,"logins":1,"looking":1,"lose":1,"low":1,"m":4,"maintained":1,"makes":2,"management":1,"manual":1,"many":1,"mapping":1,"march":1,"market":1,"match":3,"matcher":1,"matching":2,"materially":1,"matters":1,"maturation":1,"mature":1,"maturing":1,"maui":1,"means":2,"medibank":1,"meet":1,"member":1,"merely":1,"microsoft":1,"million":10,"mindanao":1,"minimisation":2,"mitigate":1,"modern":1,"moment":1,"months":3,"more":2,"moved":1,"moving":2,"multiple":1,"muslim":1,"must":1,"myid":13,"name":3,"national":5,"nations":1,"natural":3,"never":4,"nfc":1,"no":2,"none":2,"not":10,"notes":1,"nothing":1,"notifiable":1,"now":2,"numbers":1,"obligations":1,"october":1,"oecd":1,"of":21,"off":2,"office":1,"offline":1,"offshore":3,"on":18,"once":2,"ongoing":1,"online":3,"only":4,"open":5,"o
perate":4,"operated":1,"operation":1,"operational":1,"operationally":1,"operator":1,"opportunity":1,"optus":1,"or":5,"other":2,"outside":1,"over":2,"overview":1,"p2p":1,"pacific":4,"pad":3,"parliamentary":2,"part":1,"party":1,"passport":4,"passports":1,"path":3,"pathway":2,"patient":1,"pattern":2,"pedersen":2,"peer":2,"per":4,"perform":1,"personnel":1,"phase":3,"philippines":2,"pipeline":3,"place":1,"plus":3,"policy":3,"poor":1,"position":2,"possible":1,"post":1,"posture":3,"practice":1,"practitioner":1,"pragmatic":1,"predicate":1,"prescription":1,"preserving":1,"pressure":1,"primitives":2,"principles":1,"priorities":1,"privacy":9,"procedures":1,"procured":2,"procurement":1,"procures":1,"product":1,"production":3,"profiles":1,"program":1,"programme":1,"programmes":1,"proof":4,"proofing":4,"properties":1,"property":3,"protected":1,"prove":3,"proves":1,"provider":1,"providers":1,"provides":3,"public":11,"quad":1,"rather":4,"re":3,"reaches":1,"readable":1,"readiness":1,"reauthentication":1,"recognition":1,"record":1,"recorded":1,"records":3,"recovery":2,"reducing":1,"refresh":1,"regimes":1,"region":2,"regional":7,"reinforced":1,"removing":1,"replacement":2,"replaces":1,"represent":1,"reputational":1,"requirement":1,"requires":1,"requiring":1,"research":1,"resilience":1,"rest":1,"retire":2,"retires":1,"revealing":1,"rfi":2,"rhetorically":1,"risk":2,"risks":1,"round":1,"routine":1,"running":1,"s":24,"saas":2,"sable":19,"same":1,"sanctions":1,"scale":7,"scheme":1,"scoping":1,"scrutiny":1,"sector":4,"security":2,"see":1,"seeking":1,"selective":2,"self":1,"sense":1,"september":1,"servers":1,"service":3,"services":5,"several":1,"shaped":1,"shown":1,"sicherheit":2,"signal":1,"significant":1,"significantly":1,"since":1,"site":1,"smart":1,"so":3,"social":5,"sometimes":1,"source":6,"sovereign":1,"sovereignty":1,"specialist":1,"specifically":1,"spend":1,"spillover":2,"sponsored":1,"spoofing":1,"stack":5,"stacks":1,"standard":2,"standards":1,"starts":1,"state":1,"states":1,"status
":1,"step":1,"storage":1,"store":1,"stores":1,"strategic":1,"strategically":1,"streams":1,"strengthens":2,"strong":3,"stronger":1,"structural":1,"structurally":1,"stuffing":1,"support":2,"supporting":1,"suprema":1,"system":3,"systems":1,"t":2,"target":4,"tax":2,"team":1,"tech":1,"technical":1,"techniques":1,"technology":2,"telehealth":1,"templates":1,"than":6,"that":12,"the":91,"their":1,"them":1,"there":2,"thereafter":1,"these":3,"they":3,"third":1,"this":7,"three":2,"through":4,"to":23,"today":5,"top":1,"total":1,"track":1,"transformation":1,"transmits":1,"trips":1,"trust":6,"ts":1,"two":1,"typically":1,"uk":1,"under":3,"underlying":1,"unsecured":1,"up":1,"us":4,"usability":1,"use":4,"used":1,"user":6,"users":10,"uses":2,"using":1,"ux":1,"value":3,"vendor":2,"verifiable":1,"verifiably":1,"verification":9,"verified":3,"verifies":1,"verify":3,"via":10,"visa":1,"visibility":1,"vision":1,"way":2,"ways":1,"wcag":1,"we":1,"well":1,"what":4,"when":1,"where":4,"wherever":1,"which":2,"who":1,"whose":1,"why":1,"wider":2,"with":16,"without":4,"work":3,"would":1,"www":1,"year":1,"yields":1,"zero":1,"zk":1}},{"dl":1283,"n":"evaluation-criteria","s":"pages/evaluation-criteria","secs":[{"h":"Evaluation Criteria — Mandatory / Desirable / Optional","l":1,"t":"Pulled verbatim from `sources/src-02-part2-statement-of-requirements.md` and `sources/src-04-part3a-response-technical.md`. Priority codes: **M** mandatory (failure = unviable), **D** desirable (materially improves viability), **O** optional."},{"h":"Biometric Capture & Liveness Detection (LV)","l":5,"t":"| ID | Priority | Requirement | |---|---|---| | LV-1 | M | Capture biometric images of sufficient quality for biometric comparison, complying with **ISO/IEC 29794-5** when generating the image quality profile of the acquired image. 
| | LV-2 | M | Implement automated image-quality controls within its biometric capability and provide clear UI guidance to direct a user to capture an image that meets the required image quality profile. | | LV-3 | M | Employ **Presentation Attack Detection (PAD)** to determine whether the acquired image originates from a living human subject present at the point of capture. | | LV-4 | M | Complete image capture and PAD as part of a **single continuous process** before the image is submitted to the ATO system for online biometric verification, to prevent exploitation via separation of acquisition and PAD. | | LV-5 | M | PAD technology meets at least **Evaluation Assurance Level 2 (Level B)** as defined by **ISO/IEC 30107-3:2023** and the Digital ID (Accreditation) Data Standards. | | LV-6 | M | Tested or validated by a **qualified third-party biometric testing entity** experienced in ISO/IEC 30107 to evidence the PAD meets EAL-2 (Level B). |"},{"h":"Technical Verification & Biometric Binding (TV)","l":16,"t":"| ID | Priority | Requirement | |---|---|---| | TV-1 | M | For foreign ePassport technical verification: (a) comply with relevant sections of **ICAO Doc 9303** for remote PKI verification; and (b) check published CRLs or equivalents for ePassport cancellation status. | | TV-2 | M | Online biometric binding MUST: complete binding within a single continuous workflow; include liveness detection as part of PAD; execute PAD at the point of capture; complete capture and PAD prior to submission for binding; use PAD technology incorporating data from both the capture subsystem and system-level monitoring consistent with **ISO/IEC 30107-1**. | | TV-3 | M | Biometric matching algorithm achieves **FMR ≤ 0.01 %** and **FNMR ≤ 3 %** at a **90 % confidence interval**, per **ISO/IEC TS 19795-9:2019**. 
|"},{"h":"Scalability (S), Performance (P), Availability (A)","l":24,"t":"| ID | Priority | Requirement | |---|---|---| | S-1 | M | Scalable to meet performance requirements under variable and increasing usage. | | S-2 | M | Support **SaaS solution**. | | P-1 | M | Support peak loads of **10 000 verifications/hour** with **95th-percentile response time ≤ 1000 ms**. | | P-2 | M | Provide: (i) Licensed Software performance metrics and test regimes used; (ii) infrastructure design specifications; (iii) a Software Capacity Plan and supplier strategies for scaling. | | A-1 | M | Achieve or exceed **99.95 % availability**. |"},{"h":"Hosting (H), Integration (IN)","l":34,"t":"| ID | Priority | Requirement | |---|---|---| | H-1 | M | Cloud-hosted **SaaS** offering, delivered via a secure, scalable, vendor-managed environment. | | H-2 | M | If cloud-based, describe connectivity with current AWS technologies and services, connectivity methods (e.g. **AWS PrivateLink**), and resources required from ATO to support connectivity. | | IN-1 | M | Support the **Microsoft MAUI** development environment and provide bindings for client API access. | | IN-2 | M | Support operation through standard web browsers (Chrome, Safari, Edge, Firefox) in addition to mobile platforms. | | IN-3 | M | Where not hosted within an ATO Software Service, MUST not require server affinity. | | IN-4 | M | Support silent automated deployments including IaaS, where ATO is responsible for deployment. | | IN-5 | D | Provide **two short case studies** demonstrating delivery of similar services in high-volume, large-scale deployments, including references. |"},{"h":"Security & Confidentiality (SC)","l":46,"t":"| ID | Priority | Requirement | |---|---|---| | SC-1 | M | Evidence of ability to comply with **PSPF, ISM, Essential 8** and other security requirements as defined in the Digital ID Act 2024. | | SC-2 | M | Demonstrate compliance with the **Australian Privacy Principles**. 
| | SC-3 | D | Secure all collected/held/used data (PI, ATO Data, ATO Material, inter-agency information) in use and at rest using **ASD-approved cryptographic algorithms** consistent with the Australian Government ISM or NIST. | | SC-4 | D | Controls to ensure integrity of data generated within the client software or provided to the Facial Verification Service. | | SC-5 | M | **MUST NOT transfer Personal Information outside Australia.** | | SC-6 | M | Capable of meeting relevant ISM controls to allow the ATO's Information Security Advisor to issue certification at the **PROTECTED** level. | | SC-7 | M | All Personal and ATO data **hosted and stored in Australia**, complying with Australian data sovereignty laws and the **Data Hosting Certification Framework**. | | SC-8 | D | List all products used in delivery of Licensed Software, their function, whether third-party, and any access those products have to user data. |"},{"h":"Operations (OP), Vendor Implementation Support & Maintenance (VISM), Maintainability (M)","l":59,"t":"| ID | Priority | Requirement | |---|---|---| | OP-1 | M | Secure, isolated non-production environments coupled with 24×7 monitoring. | | OP-2 | D | Dynamic, automated test environments with integration testing. | | OP-3 | M | Maintain data sovereignty and provide internal real-time service status visibility. | | OP-4 | M | Continuously monitor access and privileged activities. | | OP-5 | M | Assurance that system access is limited to approved IP ranges that are regionally localised. | | OP-6 | D | Mechanisms to detect early indicators of stress or coercion among personnel interacting with sensitive systems. | | OP-7 | M | Real-time alerts for high-risk or policy-violating behaviours, including biometric failures. | | OP-8 | D | Tiered alerting based on risk severity; detect abnormal access or potential data loss incidents. 
| | OP-9 | M | **Australian-based NV1-cleared support**, ISM-compliant timelines, governance reporting, secure incident management via an **iRAP-certified portal**. | | OP-10 | M | Dedicated helpdesk, roadmap for fraud prevention, knowledge transfer; demonstrate experience with government identity systems and security certifications, plus SLA management and governance. | | VISM-1 | M | Solution-specific support and troubleshooting via a formal helpdesk function. | | VISM-2 | M | Documented processes, manuals and operational instructions. | | VISM-3 | M | Ongoing support to keep software up-to-date with regular patching and updates. | | VISM-4 | M | Ongoing platform maintenance services. | | VISM-5 | D | Roadmaps and planned updates in fraud prevention and identity technology. | | VISM-6 | D | Demonstrate proven experience in successful implementation of similar systems in other government agencies. | | VISM-7 | D | Describe emerging technologies and recommendations based on vendor research. | | M-1 | M | Keep Licensed Software up-to-date through maintenance and patches (including security patches) for the Licensed Software and any third-party components. |"},{"h":"Reporting & Monitoring (RM), User Experience & Accessibility (UX)","l":82,"t":"| ID | Priority | Requirement | |---|---|---| | RM-1 | M | Centrally log system activity (security settings, verification activities) and support shipping logs to ATO's logging system. | | RM-2 | M | Configurable metrics, dashboards and drill-down visualisations (e.g. capture-time statistics, failure-to-enrol/acquire rates). | | RM-3 | M | Provide ATO with appropriate access to view logs (requests, response payloads, processing status) for troubleshooting. | | RM-4 | M | Describe monitoring capability or integration options. | | UX-1 | M | Support **Mobile First and Responsive Web Design** methodologies. | | UX-2 | M | Provide UI standards, UI screen designs, and UX documentation including user-flow mappings. 
| | UX-3 | M | Conform to **WCAG 2.1 Level AA** for mobile and web browser experiences. | | UX-4 | M | Ability for the ATO to customise user experience elements. |"},{"h":"Cross-cutting headline business requirements (from §6 Overview)","l":95,"t":"- **Secure** — detect/prevent spoofing, deepfakes, identity threats; biometric match rates (FAR/FRR) per Digital ID Act 2024 - **User-friendly** — quick, simple, accessible for all users including those with accessibility needs - **Device compatibility** — wide range of mobile devices, platforms, browsers, OSes - **Accessible** — meets minimum WCAG requirements as defined in Digital ID Act 2024 - **Scalable** — high volumes, consistent performance, reliability, uptime - **Cost-effective** — sustainable pricing aligned with Commonwealth procurement frameworks - **Compliant** — Digital ID Act 2024 liveness/biometric verification standards and disclosure requirements - **Integratable & maintainable** — seamless integration with existing ATO infrastructure and future architectures - **Value for money**"},{"h":"Linked notes","l":107,"t":"- [[sable-fit]] — per-requirement SABLE answer (compliance position + commentary) - [[gaps-and-risks]] — items we cannot claim compliance on today - [[ato-myid-context]] — myID architecture context that frames the M/D/O 
priorities"}],"tf":{"0":1,"000":1,"01":1,"1":15,"10":2,"1000":1,"19795":1,"2":14,"2019":1,"2023":1,"2024":4,"24":1,"29794":1,"3":10,"30107":3,"4":7,"5":6,"6":5,"7":4,"8":3,"9":2,"90":1,"9303":1,"95":1,"95th":1,"99":1,"a":12,"aa":1,"ability":2,"abnormal":1,"access":6,"accessibility":2,"accessible":2,"accreditation":1,"achieve":1,"achieves":1,"acquire":1,"acquired":2,"acquisition":1,"act":4,"activities":2,"activity":1,"addition":1,"advisor":1,"affinity":1,"agencies":1,"agency":1,"alerting":1,"alerts":1,"algorithm":1,"algorithms":1,"aligned":1,"all":4,"allow":1,"among":1,"an":3,"and":41,"answer":1,"any":2,"api":1,"appropriate":1,"approved":2,"architecture":1,"architectures":1,"are":1,"as":5,"asd":1,"assurance":2,"at":6,"ato":13,"attack":1,"australia":2,"australian":4,"automated":3,"availability":2,"aws":2,"b":3,"based":4,"before":1,"behaviours":1,"binding":4,"bindings":1,"biometric":12,"both":1,"browser":1,"browsers":2,"business":1,"by":2,"cancellation":1,"cannot":1,"capability":2,"capable":1,"capacity":1,"capture":9,"case":1,"centrally":1,"certification":2,"certifications":1,"certified":1,"check":1,"chrome":1,"claim":1,"clear":1,"cleared":1,"client":2,"cloud":2,"codes":1,"coercion":1,"collected":1,"commentary":1,"commonwealth":1,"comparison":1,"compatibility":1,"complete":3,"compliance":3,"compliant":2,"comply":2,"complying":2,"components":1,"confidence":1,"confidentiality":1,"configurable":1,"conform":1,"connectivity":3,"consistent":3,"context":2,"continuous":2,"continuously":1,"controls":3,"cost":1,"coupled":1,"criteria":1,"crls":1,"cross":1,"cryptographic":1,"current":1,"customise":1,"cutting":1,"d":12,"dashboards":1,"data":11,"date":2,"dedicated":1,"deepfakes":1,"defined":3,"delivered":1,"delivery":2,"demonstrate":3,"demonstrating":1,"deployment":1,"deployments":2,"describe":3,"design":2,"designs":1,"desirable":2,"detect":3,"detection":3,"determine":1,"development":1,"device":1,"devices":1,"digital":5,"direct":1,"disclosure":1,"doc":1,"documentation":1,"documented
":1,"down":1,"drill":1,"dynamic":1,"e":2,"eal":1,"early":1,"edge":1,"effective":1,"elements":1,"emerging":1,"employ":1,"enrol":1,"ensure":1,"entity":1,"environment":2,"environments":2,"epassport":2,"equivalents":1,"essential":1,"evaluation":2,"evidence":2,"exceed":1,"execute":1,"existing":1,"experience":4,"experienced":1,"experiences":1,"exploitation":1,"facial":1,"failure":2,"failures":1,"far":1,"firefox":1,"first":1,"fit":1,"flow":1,"fmr":1,"fnmr":1,"for":17,"foreign":1,"formal":1,"frames":1,"framework":1,"frameworks":1,"fraud":2,"friendly":1,"from":5,"frr":1,"function":2,"future":1,"g":2,"gaps":1,"generated":1,"generating":1,"governance":2,"government":3,"guidance":1,"h":3,"have":1,"headline":1,"held":1,"helpdesk":2,"high":3,"hosted":3,"hosting":2,"hour":1,"human":1,"i":1,"iaas":1,"icao":1,"id":12,"identity":3,"iec":5,"if":1,"ii":1,"iii":1,"image":8,"images":1,"implement":1,"implementation":2,"improves":1,"in":17,"incident":1,"incidents":1,"include":1,"including":6,"incorporating":1,"increasing":1,"indicators":1,"information":3,"infrastructure":2,"instructions":1,"integratable":1,"integration":4,"integrity":1,"inter":1,"interacting":1,"internal":1,"interval":1,"ip":1,"irap":1,"is":3,"ism":4,"iso":5,"isolated":1,"issue":1,"items":1,"its":1,"keep":2,"knowledge":1,"large":1,"laws":1,"least":1,"level":6,"licensed":4,"limited":1,"linked":1,"list":1,"liveness":3,"living":1,"loads":1,"localised":1,"log":1,"logging":1,"logs":2,"loss":1,"lv":7,"m":49,"maintain":1,"maintainability":1,"maintainable":1,"maintenance":3,"managed":1,"management":2,"mandatory":2,"manuals":1,"mappings":1,"match":1,"matching":1,"material":1,"materially":1,"maui":1,"mechanisms":1,"meet":1,"meeting":1,"meets":4,"methodologies":1,"methods":1,"metrics":2,"microsoft":1,"minimum":1,"mobile":4,"money":1,"monitor":1,"monitoring":4,"ms":1,"must":3,"myid":2,"needs":1,"nist":1,"non":1,"not":3,"notes":1,"nv1":1,"o":2,"of":17,"offering":1,"on":3,"ongoing":2,"online":2,"op":11,"operation":1,"operational":1,"ope
rations":1,"optional":2,"options":1,"or":9,"originates":1,"oses":1,"other":2,"outside":1,"overview":1,"p":3,"pad":9,"part":2,"party":3,"patches":2,"patching":1,"payloads":1,"peak":1,"per":3,"percentile":1,"performance":4,"personal":2,"personnel":1,"pi":1,"pki":1,"plan":1,"planned":1,"platform":1,"platforms":2,"plus":1,"point":2,"policy":1,"portal":1,"position":1,"potential":1,"present":1,"presentation":1,"prevent":2,"prevention":2,"pricing":1,"principles":1,"prior":1,"priorities":1,"priority":8,"privacy":1,"privatelink":1,"privileged":1,"process":1,"processes":1,"processing":1,"procurement":1,"production":1,"products":2,"profile":2,"protected":1,"proven":1,"provide":7,"provided":1,"pspf":1,"published":1,"pulled":1,"qualified":1,"quality":4,"quick":1,"range":1,"ranges":1,"rates":2,"real":2,"recommendations":1,"references":1,"regimes":1,"regionally":1,"regular":1,"relevant":2,"reliability":1,"remote":1,"reporting":2,"requests":1,"require":1,"required":2,"requirement":8,"requirements":5,"research":1,"resources":1,"response":2,"responsible":1,"responsive":1,"rest":1,"risk":2,"risks":1,"rm":5,"roadmap":1,"roadmaps":1,"s":5,"saas":2,"sable":2,"safari":1,"sc":9,"scalability":1,"scalable":3,"scale":1,"scaling":1,"screen":1,"seamless":1,"sections":1,"secure":5,"security":6,"sensitive":1,"separation":1,"server":1,"service":3,"services":3,"settings":1,"severity":1,"shipping":1,"short":1,"silent":1,"similar":2,"simple":1,"single":2,"sla":1,"software":8,"solution":2,"sovereignty":2,"specific":1,"specifications":1,"spoofing":1,"standard":1,"standards":3,"statistics":1,"status":3,"stored":1,"strategies":1,"stress":1,"studies":1,"subject":1,"submission":1,"submitted":1,"subsystem":1,"successful":1,"sufficient":1,"supplier":1,"support":12,"sustainable":1,"system":5,"systems":3,"technical":2,"technologies":2,"technology":3,"test":2,"tested":1,"testing":2,"that":4,"the":23,"their":1,"third":3,"those":2,"threats":1,"through":2,"tiered":1,"time":4,"timelines":1,"to":26,"today":1,"transf
er":2,"troubleshooting":2,"ts":1,"tv":4,"two":1,"ui":3,"under":1,"unviable":1,"up":2,"updates":2,"uptime":1,"usage":1,"use":2,"used":3,"user":6,"users":1,"using":1,"ux":6,"validated":1,"value":1,"variable":1,"vendor":3,"verbatim":1,"verification":7,"verifications":1,"via":4,"viability":1,"view":1,"violating":1,"visibility":1,"vism":8,"visualisations":1,"volume":1,"volumes":1,"wcag":2,"we":1,"web":3,"when":1,"where":2,"whether":2,"wide":1,"with":18,"within":4,"workflow":1}},{"dl":903,"n":"gaps-and-risks","s":"pages/gaps-and-risks","secs":[{"h":"Gaps & Risks — Honest Disclosure","l":1,"t":"Consolidated view of every requirement where SABLE is **Partially Compliant** today, what remediation is needed, and what timeline."},{"h":"Certifications & accreditations (largest gap cluster)","l":5,"t":"| ID | Gap | Remediation | Effort | |---|---|---|---| | **LV-5** / **LV-6** | No ISO/IEC 30107-3:2023 EAL-2 (Level B) third-party PAD test report yet | Engage an ILAC-accredited PAD testing laboratory; no lab arrangement in place at RFI stage | 3-4 months elapsed; ~AUD 60-100 k spend | | **SC-1** | Full ISM / Essential 8 compliance evidence not yet produced for SaaS shell | Build SaaS to ISM controls from day 1; engage IRAP assessor | 6-8 months elapsed (overlaps with SC-6) | | **SC-6** | PROTECTED-level IRAP certification not yet held | Engage IRAP assessor; remediate findings; cert at PROTECTED | 6-8 months elapsed; ~AUD 150-250 k spend | | **OP-9** | No NV1-cleared Australian support staff today; no subcontractor arrangement in place | Sponsor founder NV1 clearance + subcontract via an Australian Security Vetting Agency–cleared support partner | 12+ months for direct NV1; immediate via partner once contracted | All four are **standard procurement-stage activities** in Australian federal identity tech — none are blockers. 
The RFI explicitly notes evidence is not required at this stage; we acknowledge the work is needed and commit to completing it inside any second-stage timeline."},{"h":"Technical gaps with clear remediation","l":16,"t":"| ID | Gap | Remediation | Effort | |---|---|---|---| | **TV-1** | ICAO Doc 9303 ePassport PKI verification (with CRL checking) not in core | Add via existing OSS libs (jMRTD wrapper, Apache Santuario for PKI); design slot exists in `attestation` module | 8-12 weeks dev | | **TV-3** | Quantitative FMR / FNMR not measured against ISO/IEC TS 19795-9 protocol | Run formal benchmark against LFW / IJB-C / MS-Celeb-1M corpora; report at 90% CI | 4-6 weeks | | **IN-1** | Microsoft MAUI bindings not shipped (Android JNI / iOS Swift exist) | Generate via cbindgen → C ABI → MAUI .NET bindings + sample app | 4-6 weeks | | **UX-3** | WCAG 2.1 AA audit not yet performed | Engage an accredited Australian accessibility audit firm; remediate findings | 4-6 weeks | | **SC-3** | BLS12-381 not currently on ASD HACE catalogue | Either (a) ASD HACE assessment / acceptance pathway, or (b) provide parallel ASD-approved cryptographic path (e.g. P-256 + SHA-256 classical-only mode) for environments requiring strict HACE compliance | 4-8 weeks for parallel path |"},{"h":"Track-record gaps","l":26,"t":"| ID | Gap | Compensating evidence | |---|---|---| | **IN-5** | SABLE specifically has no prior large-scale government deployments | (a) Anuna's **current BARMM eGov programme** — government identity, citizen services, advisory, production go-live July 2026 — is the most directly relevant delivery-capability reference (BARMM does not currently deploy SABLE; future deployment a candidate natural extension); (b) early international dialogue on the SABLE approach with Germany's BSI; (c) adjacent: GovUK, CSIRO Data61, Microsoft, Autodesk, Suncorp, IAG, Telus, Telefónica, Kellogg, University of Wollongong — references available on request; (d) Tang et al. 
NDSS 2018 published methodology with academic validations; (e) **offer of a paid Proof-of-Concept** against ATO's myID test cohort as the most decisive direct evidence for SABLE specifically | | **VISM-6** | No prior implementation of biometric identity systems in **Australian federal** government specifically | BARMM is direct government identity / eGov delivery by the same practitioner team (SABLE not yet deployed at BARMM); GovUK + CSIRO Data61 cover OECD public-sector posture; this would be Anuna's first direct Australian federal identity engagement | | **OP-10** | First direct Australian federal government identity-system delivery | As IN-5; BARMM (in production July 2026) provides the closest delivery-capability analogue — same practitioner team, same delivery shape; ATO would be Anuna's first Australian federal engagement and SABLE's first government deployment | | **OP-6** | (Re-reading Addendum 1 Q14: requirement is for organisational controls, not clinical assessment) | Anuna has these — separation of duties, peer review, security-awareness training, privileged-access monitoring, incident-reporting runbooks. Now **Compliant** — see [[addenda-clarifications]] |"},{"h":"Strategic risks (for ATO to weigh)","l":35,"t":"| Risk | Mitigation | |---|---| | SABLE is pre-production; bugs / vulnerabilities possible | (a) Open-source, fully auditable; (b) 519 tests passing with 89% coverage; (c) commitment to a security audit (e.g. 
Trail of Bits, Kudelski) before any production cutover; (d) phased PoC → pilot → rollout deployment model | | Halo2 is a 2020-2021 zero-knowledge proof system; new compared with legacy PKI | Halo2 has rigorous academic review; deployed at production scale by Zcash; transparent-setup eliminates the trusted-ceremony class of failures | | BLS12-381 quantum-vulnerable by 2030-2035 | Post-quantum migration on the published roadmap (CRYSTALS-Dilithium signature path; hash-based commitment alternatives); ATO's deployment timeline likely aligns with industry-wide PQ rollout | | Anuna Research Cooperative is a small Australian company | (a) Open-source codebase removes vendor-lock-in / business-continuity risk; (b) source-escrow agreement available; (c) **partnership model** with an Australian systems integrator acceptable for delivery scale if procurement warrants it (no such arrangement is in place at the RFI stage) |"},{"h":"What this RFI is buying","l":44,"t":"The ATO is buying *market intelligence* and *option value* on innovative biometric solutions. SABLE's distinctive value isn't a 99 %-vs-95 % match-rate improvement — it's **privacy by construction**, which the existing 2021-procured stack architecturally cannot offer. 
Even if the ATO ultimately proceeds with an incumbent for the SaaS reverification stack, SABLE's on-device proof + selective-disclosure model is a strategic capability worth understanding for the next 5-10 years of Digital ID Act evolution."},{"h":"Linked notes","l":48,"t":"- [[sable-fit]] — per-requirement detail - [[evaluation-criteria]] — source requirements - [[ato-myid-context]] — why the strategic capability matters"}],"tf":{"1":6,"10":2,"100":1,"12":2,"150":1,"19795":1,"1m":1,"2":2,"2018":1,"2020":1,"2021":2,"2023":1,"2026":2,"2030":1,"2035":1,"250":1,"256":2,"3":5,"30107":1,"381":2,"4":5,"5":4,"519":1,"6":10,"60":1,"8":5,"89":1,"9":2,"90":1,"9303":1,"95":1,"99":1,"a":11,"aa":1,"abi":1,"academic":2,"acceptable":1,"acceptance":1,"access":1,"accessibility":1,"accreditations":1,"accredited":2,"acknowledge":1,"act":1,"activities":1,"add":1,"addenda":1,"addendum":1,"adjacent":1,"advisory":1,"against":3,"agency":1,"agreement":1,"al":1,"aligns":1,"all":1,"alternatives":1,"an":5,"analogue":1,"and":4,"android":1,"anuna":5,"any":2,"apache":1,"app":1,"approach":1,"approved":1,"architecturally":1,"are":2,"arrangement":3,"as":2,"asd":3,"assessment":2,"assessor":2,"at":7,"ato":7,"aud":2,"audit":3,"auditable":1,"australian":10,"autodesk":1,"available":2,"awareness":1,"b":5,"barmm":5,"based":1,"be":2,"before":1,"benchmark":1,"bindings":2,"biometric":2,"bits":1,"blockers":1,"bls12":2,"bsi":1,"bugs":1,"build":1,"business":1,"buying":2,"by":4,"c":5,"candidate":1,"cannot":1,"capability":4,"catalogue":1,"cbindgen":1,"celeb":1,"ceremony":1,"cert":1,"certification":1,"certifications":1,"checking":1,"ci":1,"citizen":1,"clarifications":1,"class":1,"classical":1,"clear":1,"clearance":1,"cleared":2,"clinical":1,"closest":1,"cluster":1,"codebase":1,"cohort":1,"commit":1,"commitment":2,"company":1,"comparatively":1,"compared":1,"compensating":1,"completing":1,"compliance":2,"compliant":2,"concept":1,"consolidated":1,"construction":1,"context":1,"continuity":1,"contracted":1,"controls":2,
"cooperative":1,"core":1,"corpora":1,"cover":1,"coverage":1,"criteria":1,"crl":1,"cryptographic":1,"cryptosystem":1,"crystals":1,"csiro":2,"current":1,"currently":2,"cutover":1,"d":2,"data61":2,"day":1,"decisive":1,"delivery":6,"deploy":1,"deployed":2,"deployment":4,"deployments":1,"design":1,"detail":1,"dev":1,"device":1,"dialogue":1,"digital":1,"dilithium":1,"direct":5,"directly":1,"disclosure":2,"distinctive":1,"doc":1,"does":1,"duties":1,"e":3,"eal":1,"early":1,"effort":2,"egov":2,"either":1,"elapsed":3,"eliminates":1,"engage":4,"engagement":2,"environments":1,"epassport":1,"escrow":1,"essential":1,"et":1,"evaluation":1,"even":1,"every":1,"evidence":4,"evolution":1,"exist":1,"existing":2,"exists":1,"explicitly":1,"extension":1,"failures":1,"federal":5,"findings":2,"firm":1,"first":4,"fit":1,"fmr":1,"fnmr":1,"for":11,"formal":1,"founder":1,"four":1,"from":1,"full":1,"fully":1,"future":1,"g":2,"gap":4,"gaps":3,"generate":1,"germany":1,"go":1,"government":6,"govuk":2,"hace":3,"halo2":2,"has":3,"hash":1,"held":1,"honest":1,"iag":1,"icao":1,"id":4,"identity":6,"iec":2,"if":2,"ijb":1,"ilac":1,"immediate":1,"implementation":1,"improvement":1,"in":12,"incident":1,"incumbent":1,"industry":1,"innovative":1,"inside":1,"integrator":1,"intelligence":1,"international":1,"ios":1,"irap":3,"is":14,"ism":2,"isn":1,"iso":2,"it":3,"jmrtd":1,"jni":1,"july":2,"k":2,"kellogg":1,"kudelski":1,"lab":1,"laboratory":1,"large":1,"largest":1,"legacy":1,"level":2,"lfw":1,"libs":1,"likely":1,"linked":1,"live":1,"lock":1,"lv":2,"market":1,"match":1,"matters":1,"maui":2,"measured":1,"methodology":1,"microsoft":2,"migration":1,"mitigation":1,"mode":1,"model":3,"module":1,"monitoring":1,"months":4,"most":2,"ms":1,"myid":2,"natural":1,"ndss":1,"needed":2,"net":1,"new":1,"next":1,"no":7,"none":1,"not":11,"notes":2,"now":1,"nv1":3,"oecd":1,"of":9,"offer":2,"on":6,"once":1,"only":1,"op":3,"open":2,"option":1,"or":1,"organisational":1,"oss":1,"overlaps":1,"p":1,"pad":2,"paid":1,"parallel":2,"partially"
:1,"partner":2,"partnership":1,"party":1,"passing":1,"path":3,"pathway":1,"peer":1,"per":1,"performed":1,"phased":1,"pilot":1,"pki":3,"place":3,"poc":1,"possible":1,"post":1,"posture":1,"pq":1,"practitioner":2,"pre":1,"prior":2,"privacy":1,"privileged":1,"proceeds":1,"procured":1,"procurement":2,"produced":1,"production":5,"programme":1,"proof":2,"protected":2,"protocol":1,"provide":1,"provides":1,"public":1,"published":2,"q14":1,"quantitative":1,"quantum":2,"rate":1,"re":1,"reading":1,"record":1,"reference":1,"references":1,"relevant":1,"remediate":2,"remediation":4,"removes":1,"report":2,"reporting":1,"request":1,"required":1,"requirement":3,"requirements":1,"requiring":1,"research":1,"reverification":1,"review":2,"rfi":4,"rigorous":1,"risk":2,"risks":2,"roadmap":1,"rollout":2,"run":1,"runbooks":1,"s":10,"saas":3,"sable":11,"same":3,"sample":1,"santuario":1,"sc":4,"scale":3,"second":1,"sector":1,"security":3,"see":1,"selective":1,"separation":1,"services":1,"setup":1,"sha":1,"shape":1,"shell":1,"shipped":1,"signature":1,"slot":1,"small":1,"solutions":1,"source":4,"specifically":3,"spend":2,"sponsor":1,"stack":2,"staff":1,"stage":5,"standard":1,"strategic":3,"strict":1,"subcontract":1,"subcontractor":1,"such":1,"suncorp":1,"support":2,"swift":1,"system":1,"systems":2,"t":1,"tang":1,"team":2,"tech":1,"technical":1,"telefónica":1,"telus":1,"test":2,"testing":1,"tests":1,"the":16,"these":1,"third":1,"this":3,"timeline":3,"to":5,"today":2,"track":1,"trail":1,"training":1,"transparent":1,"trusted":1,"ts":1,"tv":2,"ultimately":1,"understanding":1,"university":1,"ux":1,"validations":1,"value":2,"vendor":1,"verification":1,"vetting":1,"via":4,"view":1,"vism":1,"vs":1,"vulnerabilities":1,"vulnerable":1,"warrants":1,"wcag":1,"we":1,"weeks":5,"weigh":1,"what":3,"where":1,"which":1,"why":1,"wide":1,"with":9,"wollongong":1,"work":1,"worth":1,"would":2,"wrapper":1,"years":1,"yet":5,"zcash":1}},{"dl":1578,"n":"internal-competitive-landscape","s":"pages/internal-competitive-landsc
ape","secs":[{"h":"Internal Competitive Landscape — RFI-15434","l":1,"t":"> **🔒 INTERNAL ONLY — NOT FOR LODGEMENT.** > This page is strategic intelligence to inform Anuna's positioning of the RFI-15434 response. It must not be transcribed into Part 3, Part 3a, Part 4, Part 4a, the FOCI form, or the cover letter. Federal procurement responses do not include competitor analysis; reading as if we are attacking other vendors would damage credibility. This page exists only to inform internal sharpening of the affirmative case."},{"h":"Likely respondent pool","l":6,"t":"The RFI explicitly invites responses across three streams — liveness detection, biometric matching, NFC ePassport verification. A vendor needs strength in one stream to respond. The realistic respondent pool:"},{"h":"Tier 1 — Closest functional matches / probable incumbent","l":10,"t":"| Vendor | Country | Why a likely respondent | |---|---|---| | **iProov** | UK | Flashmark flash-based liveness conceptually similar to SABLE's spatial-flash; ISO/IEC 30107-3 PAD certified; NHS / GovUK deployments; plausible 2021 myID incumbent though not publicly confirmed | | **FaceTec** | US | Patented 3D ZoOm liveness; iBeta Level 2 PAD certified; multiple government deployments globally; different technique to SABLE but same threat model |"},{"h":"Tier 1 — Heavy-iron globals","l":17,"t":"| Vendor | Country | Notes | |---|---|---| | **Idemia** | France | Global biometric prime; existing AU government relationships | | **Thales / Gemalto** | France | Major government identity deployments | | **NEC** | Japan | Face recognition leader; AFP-facial-recognition controversy lingers | | **HID Global** | US | Identity / access control prime | | **Veridos** | Germany | Government identity; Giesecke+Devrient subsidiary | | **Aware Inc** | US | Biometric SDK vendor |"},{"h":"Tier 2 — Identity-verification platforms (adjacent)","l":28,"t":"| Vendor | Country | Notes | |---|---|---| | **Onfido** | UK | Document verification + 
matching + liveness | | **Mitek** | US | Identity verification specialist | | **AU10TIX** | Israel | Identity verification | | **Jumio** | US/Austria | Identity verification |"},{"h":"Tier 2 — Australian players","l":37,"t":"| Vendor | Notes | |---|---| | **IDVerse** | Australian-founded; recently acquired by LexisNexis Risk Solutions; already in AU government deployments | | **Australia Post Digital iD** | Existing AU digital identity stack | | **Anonyome Labs** | Sydney; privacy-focused identity | | Smaller AU face-matching shops | Various; less likely to respond at this scale | Australian Government will weight Australian-domiciled providers favourably."},{"h":"Tier 3 — Hyperscalers","l":48,"t":"| Vendor | Threat | |---|---| | **Microsoft Entra Verified ID** | The strongest non-traditional play. Microsoft's positioning on **MAUI integration** (IN-1) would be effectively unbeatable on that axis alone. Entra Verified ID brings ISO 30107 PAD-certified components via Microsoft's stack. | | **AWS Rekognition / Google Vision** | Less likely to respond directly (commodity APIs, not packaged identity products), but a systems integrator could propose one as the matching layer. |"},{"h":"Tier 4 — ZK / privacy-preserving identity","l":55,"t":"This is where SABLE's competitive set is genuinely thin: - **WorldCoin / Tools for Humanity** — iris + ZK, dependent on proprietary Orb hardware, politically toxic; would not respond - **Privado ID / Polygon ID** — ZK identity, credential-focused, not biometric - **Anon Aadhaar, zkPass, Galxe** — ZK credential proofs, no biometric - **Academic projects at MIT / ETH Zurich** — not commercially deliverable **SABLE is genuinely close to a category-of-one** in the intersection of *(true ZK biometric proofs) × (open source) × (no special hardware) × (production-ready library) × (Australian-developed)*. Most reviewers will not have seen this combination before. 
---"},{"h":"Competitive position by axis","l":68,"t":"| Axis | Likely incumbents | SABLE | |---|---|---| | ISO/IEC 30107-3 EAL-2 (Level B) PAD certification | ✅ iProov, FaceTec, Idemia, NEC certified | ❌ Don't have it; sized 3-4 month / AUD 60-100 k remediation | | ISO/IEC TS 19795-9 FMR/FNMR benchmark | ✅ Published numbers | ❌ Don't have it; sized 4-6 week remediation | | Government identity deployments at scale | ✅ Multiple references | ⚠️ None for SABLE yet; BARMM (July 2026) is Anuna's closest delivery-capability reference but does not currently deploy SABLE | | Production maturity | ✅ Multi-million-user deployments today | ⚠️ Pre-production library; public demo; 519 tests | | MAUI bindings | ✅ Microsoft native; others vary | ❌ 4-6 week delivery; not shipped | | IRAP / PROTECTED certification | ⚠️ Some AU-domiciled or via cleared SI | ❌ Not held; sized 6-8 months | | Australian-domiciled | ⚠️ Some (IDVerse, Australia Post); most no | ✅ Yes | | **Privacy by construction (data never leaves device)** | ❌ None at scale — all transmit to vendor for matching | ✅ **Architectural** | | **Selective disclosure (BBS+)** | ⚠️ Some emerging | ✅ On roadmap | | **Open source** | ❌ None (except maybe components) | ✅ **Apache 2.0** | | **Transparent ZK setup** | N/A (most don't use ZK) | ✅ **Halo2** | | **Sovereignty / IP control** | ❌ Foreign-IP for most | ✅ Australian-developed | ---"},{"h":"Where SABLE can credibly win","l":87,"t":"Three evaluator hot buttons where SABLE has a defensible distinctive position: 1. **Privacy-conservative reviewers** (Privacy Commissioner, OAIC, ATO privacy team, parliamentary scrutiny). Argument: *\"every other respondent transmits biometric data to a vendor system; SABLE doesn't. The Optus / Medibank / Latitude / Suprema breach class is structurally impossible for us.\"* 2. **Sovereignty-conservative reviewers** (concerned about foreign-vendor dependence, especially post-AFP-FRT-NEC controversy, post-Optus). 
Argument: *\"Australian-developed, open-source, no foreign-vendor lock-in, source-escrow obviated.\"* 3. **Future-fit / strategic reviewers** (thinking about 5-10 years of Digital ID Act evolution, BBS+ Verifiable Credentials, post-quantum migration). Argument: *\"forward-fit to where the Act is heading; not a retrofit.\"*"},{"h":"Where SABLE will almost certainly lose","l":95,"t":"1. **Pure technical compliance evaluation** focused on existing certifications. If evaluation is checklist-driven, we score 42/55 Compliant + 13 Partially while incumbents score 50+/55 fully Compliant. 2. **Scale / track record evaluation**. Incumbents have multi-million-user SABLE-equivalent deployments today. Anuna has BARMM (eGov delivery, no SABLE yet) going live in 2 months as a delivery-capability proof, and early international dialogue with Germany's BSI on the SABLE approach. 3. **MAUI-specific evaluation**. Microsoft Entra will be very hard to beat on this axis. ---"},{"h":"Sharpening recommendations (for the affirmative case — without naming competitors)","l":103,"t":"These should sharpen what is already in the response. None of these add competitor names."},{"h":"#1 — Promote architectural-retirement argument to cover letter","l":107,"t":"The breach-evidence paragraph in `ato-myid-context.md` is currently strategic-internal. The most decisive single sentence — *\"any system that aggregates biometric data into a central store creates a structural risk class; SABLE retires the target class by design\"* — should appear in the cover letter as the closing of pillar 1 (Privacy by construction). This directly contrasts SABLE's architecture with **every other respondent's** architecture without naming any of them."},{"h":"#2 — Concrete scoped PoC offer in cover letter","l":111,"t":"The PoC offer is currently distributed across `compliance-summary.md` and the IN-5 / VISM-6 / OP-10 row text. 
Worth a discrete paragraph in the cover letter: *\"We propose a paid 8-week Proof-of-Concept against the ATO's existing myID IP3 test cohort, evaluating PAD performance against a curated attack corpus, FMR/FNMR against a representative diverse Australian sample, end-to-end UX of the spatial-flash flow, PrivateLink integration latency to existing FVS/DVS infrastructure, and operational soak at 10× current peak load. This is the most decisive evidence either party can generate inside the RFI's stated question.\"* This positions SABLE to break a deadlock with incumbents who lead on certifications: against actual ATO data, the architectural advantages start to count."},{"h":"#3 — Sovereignty narrative made explicit","l":115,"t":"Currently implicit. One direct sentence in the cover letter or Part 3 Section 3: *\"SABLE is Australian-developed open-source IP. No foreign-vendor licensing dependency, no foreign-IP escrow risk, no foreign-commercial-entity in the SABLE delivery chain between the ATO and the cryptographic primitives.\"*"},{"h":"#4 — Architectural advantages not retrievable by incumbents","l":119,"t":"The most strategic counter-positioning argument. Incumbents can build remediation programmes to close certification gaps; they cannot rebuild their architecture mid-contract. Worth one sentence in cover letter or compliance summary: *\"The certification gaps SABLE acknowledges (ISO/IEC 30107-3, IRAP PROTECTED, ISO/IEC TS 19795-9) are time-bounded remediation work. The architectural advantages SABLE offers (biometric data on-device, ZK proof traversal, open-source auditability, selective disclosure) are not retrievable by competitors inside any procurement timeline. 
The relevant question for the ATO is therefore which set of properties is more strategically valuable to acquire.\"* — this argument is the cleanest way to invite an evaluator to weigh \"certified incumbent vs architecturally distinctive newcomer\" in our favour."},{"h":"What NOT to do","l":123,"t":"- ❌ **Don't name competitors in the response.** Federal procurement responses don't include competitor analysis. - ❌ **Don't claim \"we are better than X\".** Claim instead \"we have property X that solves problem Y\". Let the evaluator do the comparison. - ❌ **Don't speculate publicly about who has the 2021 contract.** Unprofessional and we don't actually know. - ❌ **Don't underprice to undercut incumbents.** Anuna can't run a heroic loss-leading bid. Win on architectural distinctiveness; price on value. - ❌ **Don't push \"category of one\" claims harder than \"first open-source library to combine X\".** That line is defensible; stronger claims become risky. ---"},{"h":"Questions for Hugo before lodgement","l":133,"t":"1. **Who do we think holds the 2021 myID liveness contract?** Hugo may know via industry contacts; informs how aggressively we counter-position. 2. **Which respondents has Hugo specifically talked to about partnering?** Could affect whether we mention partnership availability anywhere (currently we say none in place). 3. **Is there a strategic incumbent vendor we should be open to subcontracting *to*?** Sometimes the right play is to be the \"ZK biometric component\" inside a prime's response, not a standalone respondent. Could mean different framing for a different prime relationship. 4. **What's the realistic post-RFI scenario?** If Hugo thinks the ATO is genuinely scoping a new procurement (not just market intelligence to inform an incumbent renewal), the PoC offer should be more aggressive. 5. 
**DFAT / DTA touchpoints.** If Anuna has any actual conversations with DFAT or the DTA about regional Pacific digital identity, the regional-spillover argument lands harder. ---"},{"h":"Linked notes","l":143,"t":"- [[opportunity-overview]] — the RFI itself - [[sable-fit]] — per-requirement capability mapping - [[ato-myid-context]] — strategic framing (privacy, breach-class, social licence, regional spillover) - [[gaps-and-risks]] — honest gap disclosure - [[evaluation-criteria]] — source requirements"}],"tf":{"0":1,"1":8,"10":3,"100":1,"13":1,"15434":2,"19795":2,"2":10,"2021":3,"2026":1,"3":12,"30107":4,"3a":1,"3d":1,"4":7,"42":1,"4a":1,"5":3,"50":1,"519":1,"55":2,"6":4,"60":1,"8":2,"9":2,"a":22,"aadhaar":1,"about":5,"academic":1,"access":1,"acknowledges":1,"acquire":1,"acquired":1,"across":2,"act":2,"actual":2,"actually":1,"add":1,"adjacent":1,"advantages":3,"affect":1,"affirmative":2,"afp":2,"against":4,"aggregates":1,"aggressive":1,"aggressively":1,"all":1,"almost":1,"alone":1,"already":2,"an":2,"analysis":2,"and":6,"anon":1,"anonyome":1,"anuna":5,"any":4,"anywhere":1,"apache":1,"apis":1,"appear":1,"approach":1,"architectural":6,"architecturally":1,"architecture":3,"are":4,"argument":7,"as":4,"at":5,"ato":7,"attack":1,"attacking":1,"au":5,"au10tix":1,"aud":1,"auditability":1,"australia":2,"australian":10,"austria":1,"availability":1,"aware":1,"aws":1,"axis":4,"b":1,"barmm":2,"based":1,"bbs":2,"be":6,"beat":1,"become":1,"before":2,"benchmark":1,"better":1,"between":1,"bid":1,"bindings":1,"biometric":10,"bounded":1,"breach":3,"break":1,"brings":1,"bsi":1,"build":1,"but":3,"buttons":1,"by":7,"can":4,"cannot":1,"capability":3,"case":2,"category":2,"central":1,"certainly":1,"certification":4,"certifications":2,"certified":5,"chain":1,"checklist":1,"claim":2,"claims":2,"class":4,"cleanest":1,"cleared":1,"close":2,"closest":2,"closing":1,"cohort":1,"combination":1,"combine":1,"commercial":1,"commercially":1,"commissioner":1,"commodity":1,"comparison":1,"competitive":3,"
competitor":3,"competitors":3,"compliance":2,"compliant":2,"component":1,"components":2,"concept":1,"conceptually":1,"concerned":1,"concrete":1,"confirmed":1,"conservative":2,"construction":2,"contacts":1,"context":1,"contract":3,"contrasts":1,"control":2,"controversy":2,"conversations":1,"corpus":1,"could":3,"count":1,"counter":2,"country":3,"cover":7,"creates":1,"credential":2,"credentials":1,"credibility":1,"credibly":1,"criteria":1,"cryptographic":1,"curated":1,"current":1,"currently":5,"damage":1,"data":5,"deadlock":1,"decisive":2,"defensible":2,"deliverable":1,"delivery":5,"demo":1,"dependence":1,"dependency":1,"dependent":1,"deploy":1,"deployments":7,"design":1,"detection":1,"developed":4,"device":2,"devrient":1,"dfat":2,"dialogue":1,"different":3,"digital":4,"direct":1,"directly":2,"disclosure":3,"discrete":1,"distinctive":2,"distinctiveness":1,"distributed":1,"diverse":1,"do":4,"document":1,"does":1,"doesn":1,"domiciled":3,"don":10,"driven":1,"dta":2,"dvs":1,"eal":1,"early":1,"effectively":1,"egov":1,"either":1,"emerging":1,"end":2,"entity":1,"entra":3,"epassport":1,"equivalent":1,"escrow":2,"especially":1,"eth":1,"evaluating":1,"evaluation":5,"evaluator":3,"every":2,"evidence":2,"evolution":1,"except":1,"existing":5,"exists":1,"explicit":1,"explicitly":1,"face":2,"facetec":2,"facial":1,"favour":1,"favourably":1,"federal":2,"first":1,"fit":3,"flash":3,"flashmark":1,"flow":1,"fmr":2,"fnmr":2,"foci":1,"focused":3,"for":10,"foreign":6,"form":1,"forward":1,"founded":1,"framing":2,"france":2,"frt":1,"fully":1,"functional":1,"future":1,"fvs":1,"galxe":1,"gap":1,"gaps":3,"gemalto":1,"generate":1,"genuinely":3,"germany":2,"giesecke":1,"global":2,"globally":1,"globals":1,"going":1,"google":1,"government":7,"govuk":1,"halo2":1,"hard":1,"harder":2,"hardware":2,"has":5,"have":5,"heading":1,"heavy":1,"held":1,"heroic":1,"hid":1,"holds":1,"honest":1,"hot":1,"how":1,"hugo":4,"humanity":1,"hyperscalers":1,"ibeta":1,"id":6,"idemia":2,"identity":14,"idverse":2,"iec":5,"if":4
,"implicit":1,"impossible":1,"in":18,"inc":1,"include":2,"incumbent":5,"incumbents":7,"industry":1,"inform":3,"informs":1,"infrastructure":1,"inside":3,"instead":1,"integration":2,"integrator":1,"intelligence":2,"internal":4,"international":1,"intersection":1,"into":2,"invite":1,"invites":1,"ip":4,"ip3":1,"iproov":2,"irap":2,"iris":1,"iron":1,"is":20,"iso":6,"israel":1,"it":3,"itself":1,"japan":1,"july":1,"jumio":1,"just":1,"k":1,"know":2,"labs":1,"lands":1,"landscape":1,"latency":1,"latitude":1,"layer":1,"lead":1,"leader":1,"leading":1,"leaves":1,"less":2,"let":1,"letter":7,"level":2,"lexisnexis":1,"library":3,"licence":1,"licensing":1,"likely":5,"line":1,"lingers":1,"linked":1,"live":1,"liveness":5,"load":1,"lock":1,"lodgement":2,"lose":1,"loss":1,"made":1,"major":1,"mapping":1,"market":1,"matches":1,"matching":5,"maturity":1,"maui":3,"may":1,"maybe":1,"mean":1,"medibank":1,"mention":1,"microsoft":5,"mid":1,"migration":1,"million":2,"mit":1,"mitek":1,"model":1,"month":1,"months":2,"more":2,"most":7,"multi":2,"multiple":2,"must":1,"myid":4,"n":1,"name":1,"names":1,"naming":2,"narrative":1,"native":1,"nec":3,"needs":1,"never":1,"new":1,"newcomer":1,"nfc":1,"nhs":1,"no":8,"non":1,"none":5,"not":18,"notes":4,"numbers":1,"oaic":1,"obviated":1,"of":12,"offer":3,"offers":1,"on":11,"one":6,"onfido":1,"only":2,"op":1,"open":7,"operational":1,"opportunity":1,"optus":2,"or":5,"orb":1,"other":3,"others":1,"our":1,"overview":1,"pacific":1,"packaged":1,"pad":5,"page":2,"paid":1,"paragraph":2,"parliamentary":1,"part":5,"partially":1,"partnering":1,"partnership":1,"party":1,"patented":1,"peak":1,"per":1,"performance":1,"pillar":1,"place":1,"platforms":1,"plausible":1,"play":2,"players":1,"poc":3,"politically":1,"polygon":1,"pool":2,"position":3,"positioning":3,"positions":1,"post":6,"pre":1,"preserving":1,"price":1,"prime":4,"primitives":1,"privacy":8,"privado":1,"privatelink":1,"probable":1,"problem":1,"procurement":4,"production":3,"products":1,"programmes":1,"projects":1,"prom
ote":1,"proof":3,"proofs":2,"properties":1,"property":1,"propose":2,"proprietary":1,"protected":2,"providers":1,"public":1,"publicly":2,"published":1,"pure":1,"push":1,"quantum":1,"question":2,"questions":1,"reading":1,"ready":1,"realistic":2,"rebuild":1,"recently":1,"recognition":2,"recommendations":1,"record":1,"reference":1,"references":1,"regional":3,"rekognition":1,"relationship":1,"relationships":1,"relevant":1,"remediation":4,"renewal":1,"representative":1,"requirement":1,"requirements":1,"respond":4,"respondent":6,"respondents":1,"response":4,"responses":3,"retirement":1,"retires":1,"retrievable":2,"retrofit":1,"reviewers":4,"rfi":6,"right":1,"risk":3,"risks":1,"risky":1,"roadmap":1,"row":1,"run":1,"s":13,"sable":22,"same":1,"sample":1,"say":1,"scale":4,"scenario":1,"scoped":1,"scoping":1,"score":2,"scrutiny":1,"sdk":1,"section":1,"seen":1,"selective":2,"sentence":3,"set":2,"setup":1,"sharpen":1,"sharpening":2,"shipped":1,"shops":1,"should":4,"si":1,"similar":1,"single":1,"sized":3,"smaller":1,"soak":1,"social":1,"solutions":1,"solves":1,"some":3,"sometimes":1,"source":8,"sovereignty":3,"spatial":2,"special":1,"specialist":1,"specific":1,"specifically":1,"speculate":1,"spillover":2,"stack":2,"standalone":1,"start":1,"stated":1,"store":1,"strategic":6,"strategically":1,"stream":1,"streams":1,"strength":1,"stronger":1,"strongest":1,"structural":1,"structurally":1,"subcontracting":1,"subsidiary":1,"summary":1,"suprema":1,"sydney":1,"system":2,"systems":1,"t":12,"talked":1,"target":1,"team":1,"technical":1,"technique":1,"test":1,"tests":1,"text":1,"thales":1,"than":2,"that":4,"the":50,"their":1,"them":1,"there":1,"therefore":1,"these":2,"they":1,"thin":1,"think":1,"thinking":1,"thinks":1,"this":10,"though":1,"threat":2,"three":2,"tier":6,"time":1,"timeline":1,"to":29,"today":2,"tools":1,"touchpoints":1,"toxic":1,"track":1,"traditional":1,"transcribed":1,"transmit":1,"transmits":1,"transparent":1,"traversal":1,"true":1,"ts":2,"uk":2,"unbeatable":1,"undercut":1,"u
nderprice":1,"unprofessional":1,"us":6,"use":1,"user":2,"ux":1,"valuable":1,"value":1,"various":1,"vary":1,"vendor":13,"vendors":1,"veridos":1,"verifiable":1,"verification":6,"verified":2,"very":1,"via":3,"vision":1,"vism":1,"vs":1,"way":1,"we":11,"week":3,"weigh":1,"weight":1,"what":3,"where":5,"whether":1,"which":2,"while":1,"who":3,"why":1,"will":4,"win":2,"with":4,"without":2,"work":1,"worldcoin":1,"worth":2,"would":3,"x":3,"y":1,"years":1,"yes":1,"yet":2,"zk":9,"zkpass":1,"zoom":1,"zurich":1}},{"dl":172,"n":"key-dates","s":"pages/key-dates","secs":[{"h":"Key Dates","l":1,"t":"| Date | Event | |---|---| | 23-Apr-2026 | RFI-15434 published on AusTender | | 2026 (after publish) | Addendum 1 issued — see `attachments/08-addendum-1.pdf` | | 2026 (after Addendum 1) | Addendum 2 issued — see `attachments/09-addendum-2.pdf` | | **4-Jun-2026 14:00 ACT** | **RFI close** — responses must be lodged via AusTender by this time | | TBD (post-RFI) | ATO analyses responses; may proceed to Shortlist / RFT / RFQ / LT / PoC / PD or close |"},{"h":"Lodgement","l":11,"t":"- **Channel:** AusTender Lodgement Page — `https://www.tenders.gov.au/Atm/ResponseLodgeForm/cea1b989-ceb0-4b36-8b48-ac1330062362` - **Physical address (for hard-copy):** 26 Narellan Street, Canberra City ACT 2601 (electronic via AusTender is the normal channel)"},{"h":"Internal milestones (working back from close)","l":16,"t":"| Internal date | Milestone | |---|---| | 2026-06-01 (Mon) | Draft v1 of Part 3, Part 3a, Part 4, Part 4a, FOCI complete | | 2026-06-02 (Tue) | Internal review by Hugo + co-signatory; technical accuracy pass | | 2026-06-03 (Wed) | Final edit + dry-run lodgement (upload to AusTender as draft) | | **2026-06-04 09:00 ACT** | **Submit** — minimum 5-hour buffer before 14:00 ACT close | Note: the **AusTender Helpdesk is closed Mon 1-Jun-2026** for Reconciliation Day public holiday. 
Plan around that."}],"tf":{"00":3,"01":1,"02":1,"03":1,"04":1,"06":4,"09":1,"1":3,"14":2,"15434":1,"2":1,"2026":9,"23":1,"26":1,"2601":1,"3":1,"3a":1,"4":2,"4a":1,"5":1,"accuracy":1,"act":4,"addendum":3,"address":1,"after":2,"analyses":1,"apr":1,"around":1,"as":1,"ato":1,"austender":6,"back":1,"be":1,"before":1,"buffer":1,"by":2,"canberra":1,"channel":2,"city":1,"close":4,"closed":1,"co":1,"complete":1,"copy":1,"date":2,"dates":1,"day":1,"draft":2,"dry":1,"edit":1,"electronic":1,"event":1,"final":1,"foci":1,"for":2,"from":1,"hard":1,"helpdesk":1,"holiday":1,"hour":1,"hugo":1,"internal":3,"is":2,"issued":2,"jun":2,"key":1,"lodged":1,"lodgement":3,"lt":1,"may":1,"milestone":1,"milestones":1,"minimum":1,"mon":2,"must":1,"narellan":1,"normal":1,"note":1,"of":1,"on":1,"or":1,"page":1,"part":4,"pass":1,"pd":1,"physical":1,"plan":1,"poc":1,"post":1,"proceed":1,"public":1,"publish":1,"published":1,"reconciliation":1,"responses":2,"review":1,"rfi":3,"rfq":1,"rft":1,"run":1,"see":2,"shortlist":1,"signatory":1,"street":1,"submit":1,"tbd":1,"technical":1,"that":1,"the":2,"this":1,"time":1,"to":2,"tue":1,"upload":1,"v1":1,"via":2,"wed":1,"working":1}},{"dl":658,"n":"opportunity-overview","s":"pages/opportunity-overview","secs":[{"h":"Opportunity Overview","l":1,"t":"**ATM:** RFI-15434 — *Biometric Verification Capability* **Agency:** Australian Taxation Office (ATO) **Type:** Request for Information (non-binding) **Closes:** **4-Jun-2026 14:00 ACT** (4 calendar days from 2026-05-31) **Contact:** Alison Buchanan — `RFI15434@ato.gov.au`"},{"h":"Why the ATO is asking","l":9,"t":"The ATO operates [[myid]], Australia's national [Digital ID](https://www.digitalidsystem.gov.au/) provider under the Digital ID Act 2024 (commenced 1-Dec-2024). myID has **14 M+ users**, **6 M+ at IP3 (Strong)** identity proofing, used **95 M+ times** in the last 12 months across 240+ government online services. myID's current liveness-detection stack was procured in 2021. 
Since then biometric tech has moved on (anti-spoofing, deepfake defence, NFC-document binding). The ATO is now scoping a refresh and an expansion into **offshore identity verification** via NFC ePassports — neither covered by the existing stack."},{"h":"What the ATO is asking for","l":15,"t":"Three streams of capability: 1. **Liveness detection & facial image capture** — detect spoofing, deepfakes, presentation attacks; capture biometric images of adequate quality for matching. 2. **Biometric matching** — authentication during service access and account recovery without manual re-proofing. 3. **Technical verification of credentials** — NFC-enabled verification of electronically readable identity documents (ePassports) for offshore users. Solution must be SaaS, AWS-hosted, MAUI-compatible, Australian-data-resident, ISM-PROTECTED-certifiable, WCAG 2.1 AA, with 99.95 % availability and ≥10 000 verifications/hour @ p95 ≤ 1000 ms. See [[evaluation-criteria]]."},{"h":"Where this could go","l":25,"t":"> *\"As a direct result of this RFI, the ATO may proceed with a second stage that includes any of the following … Shortlist, RFT, RFQ, Limited Tender, Proof of Concept, Product demonstration/trial, or RFI closure.\"* So this is **market intelligence**, with a strong shortlisting bias — RFI respondents who answer technically and demonstrate fit are the natural pool for the next stage."},{"h":"Why SABLE is a strong fit","l":31,"t":"See [[sable-fit]] for the requirement-by-requirement mapping. The four distinctive pillars: 1. **Privacy by construction** — biometric data never leaves the device; cryptographic guarantee via Halo2 ZK rather than a policy promise. Exceeds APP minimum and structurally fits the Digital ID Act 2024's data-minimisation provisions. 2. **Selective disclosure via BBS+** — Verifiable Credential predicates (\"over 18\", \"Australian citizen\") provable without exposing underlying fields. 3. 
**Offline P2P operation** — the capture / liveness / proof pipeline runs entirely on-device, no internet dependency for capture; addresses inclusivity for low-connectivity / offshore users. 4. **Open-source public good** — Apache 2.0; any maturation work the ATO funds becomes freely available to any other government adopter. Candidate future deployment contexts include Anuna's existing BARMM (Philippines) eGov engagement (natural extension; SABLE not yet deployed there), European public-sector identity stakeholders (early dialogue with Germany's BSI), other Pacific / SEA governments, and adjacent use cases (age verification, healthcare, building access). To our knowledge SABLE is the first open-source library to combine all four properties together with transparent ZK setup (no trusted ceremony) and no special hardware requirement. Additional credibility signals: - **Spatial-flash liveness** (Tang et al., NDSS 2018) — strong defence against photo / screen replay attacks without depth sensors - **Anuna track record** — currently delivering eGov services (digital identity + citizen services + advisory) for **BARMM (Bangsamoro Autonomous Region in Muslim Mindanao)** — production go-live July 2026 — same practitioner team that would deliver any ATO engagement (BARMM does not currently deploy SABLE). Adjacent: GovUK, CSIRO Data61, Microsoft, Autodesk, Suncorp, IAG, Telus, Telefónica. Early international dialogue on the SABLE approach with Germany's BSI. Open gaps that the response must acknowledge: third-party ISO/IEC 30107-3 EAL-2 (Level B) PAD test report, ASD PROTECTED certification, NV1-cleared Australian support staff. All addressable through a follow-on procurement stage. 
See [[gaps-and-risks]]."},{"h":"Linked notes","l":49,"t":"- [[evaluation-criteria]] — every M / D / O requirement and our compliance position - [[sable-fit]] — capability-by-capability mapping - [[gaps-and-risks]] — honest gap analysis - [[response-structure]] — what we have to submit - [[key-dates]] — close date and lodgement - [[ato-myid-context]] — what myID does today and where it's heading"}],"tf":{"0":1,"00":1,"000":1,"05":1,"1":4,"10":1,"1000":1,"12":1,"14":2,"15434":1,"18":1,"2":5,"2018":1,"2021":1,"2024":3,"2026":3,"240":1,"3":3,"30107":1,"31":1,"4":3,"6":1,"95":2,"99":1,"a":7,"aa":1,"access":2,"account":1,"acknowledge":1,"across":1,"act":3,"additional":1,"addressable":1,"addresses":1,"adequate":1,"adjacent":2,"adopter":1,"advisory":1,"against":1,"age":1,"agency":1,"al":1,"alison":1,"all":2,"an":1,"analysis":1,"and":12,"answer":1,"anti":1,"anuna":2,"any":4,"apache":1,"app":1,"approach":1,"are":1,"as":1,"asd":1,"asking":2,"at":1,"atm":1,"ato":9,"attacks":2,"au":1,"australia":1,"australian":4,"authentication":1,"autodesk":1,"autonomous":1,"availability":1,"available":1,"aws":1,"b":1,"bangsamoro":1,"barmm":3,"bbs":1,"be":1,"becomes":1,"bias":1,"binding":2,"biometric":5,"bsi":2,"buchanan":1,"building":1,"by":4,"calendar":1,"candidate":1,"capability":4,"capture":4,"cases":1,"ceremony":1,"certifiable":1,"certification":1,"citizen":2,"cleared":1,"close":1,"closes":1,"closure":1,"combine":1,"commenced":1,"compatible":1,"compliance":1,"concept":1,"connectivity":1,"construction":1,"contact":1,"context":1,"contexts":1,"could":1,"covered":1,"credential":1,"credentials":1,"credibility":1,"criteria":2,"cryptographic":1,"csiro":1,"current":1,"currently":2,"d":1,"data":3,"data61":1,"date":1,"dates":1,"days":1,"dec":1,"deepfake":1,"deepfakes":1,"defence":2,"deliver":1,"delivering":1,"demonstrate":1,"demonstration":1,"dependency":1,"deploy":1,"deployed":1,"deployment":1,"depth":1,"detect":1,"detection":2,"device":2,"dialogue":2,"digital":4,"digitalidsystem":1,"direct":1,"dis
closure":1,"distinctive":1,"document":1,"documents":1,"does":2,"during":1,"eal":1,"early":2,"egov":2,"electronically":1,"enabled":1,"engagement":2,"entirely":1,"epassports":2,"et":1,"european":1,"evaluation":2,"every":1,"exceeds":1,"existing":2,"expansion":1,"exposing":1,"extension":1,"facial":1,"fields":1,"first":1,"fit":4,"fits":1,"flash":1,"follow":1,"following":1,"for":9,"four":2,"freely":1,"from":1,"funds":1,"future":1,"gap":1,"gaps":3,"germany":2,"go":2,"good":1,"gov":1,"government":2,"governments":1,"govuk":1,"guarantee":1,"halo2":1,"hardware":1,"has":2,"have":1,"heading":1,"healthcare":1,"honest":1,"hosted":1,"hour":1,"https":1,"iag":1,"id":3,"identity":5,"iec":1,"image":1,"images":1,"in":3,"include":1,"includes":1,"inclusivity":1,"information":1,"intelligence":1,"international":1,"internet":1,"into":1,"ip3":1,"is":6,"ism":1,"iso":1,"it":1,"july":1,"jun":1,"key":1,"knowledge":1,"last":1,"leaves":1,"level":1,"library":1,"limited":1,"linked":1,"live":1,"liveness":4,"lodgement":1,"low":1,"m":4,"manual":1,"mapping":2,"market":1,"matching":2,"maturation":1,"maui":1,"may":1,"microsoft":1,"mindanao":1,"minimisation":1,"minimum":1,"months":1,"moved":1,"ms":1,"muslim":1,"must":2,"myid":5,"national":1,"natural":2,"ndss":1,"neither":1,"never":1,"next":1,"nfc":3,"no":3,"non":1,"not":2,"notes":1,"now":1,"nv1":1,"o":1,"of":7,"office":1,"offline":1,"offshore":3,"on":4,"online":1,"open":3,"operates":1,"operation":1,"opportunity":1,"or":1,"other":2,"our":2,"over":1,"overview":1,"p2p":1,"p95":1,"pacific":1,"pad":1,"party":1,"philippines":1,"photo":1,"pillars":1,"pipeline":1,"policy":1,"pool":1,"position":1,"practitioner":1,"predicates":1,"presentation":1,"privacy":1,"proceed":1,"procured":1,"procurement":1,"product":1,"production":1,"promise":1,"proof":2,"proofing":2,"properties":1,"protected":2,"provable":1,"provider":1,"provisions":1,"public":2,"quality":1,"rather":1,"re":1,"readable":1,"record":1,"recovery":1,"refresh":1,"region":1,"replay":1,"report":1,"request":1,"requir
ement":4,"resident":1,"respondents":1,"response":2,"result":1,"rfi":4,"rfq":1,"rft":1,"risks":2,"runs":1,"s":7,"saas":1,"sable":7,"same":1,"scoping":1,"screen":1,"sea":1,"second":1,"sector":1,"see":3,"selective":1,"sensors":1,"service":1,"services":3,"setup":1,"shortlist":1,"shortlisting":1,"signals":1,"since":1,"so":1,"solution":1,"source":2,"spatial":1,"special":1,"spoofing":2,"stack":2,"staff":1,"stage":3,"stakeholders":1,"streams":1,"strong":4,"structurally":1,"structure":1,"submit":1,"suncorp":1,"support":1,"tang":1,"taxation":1,"team":1,"tech":1,"technical":1,"technically":1,"telefónica":1,"telus":1,"tender":1,"test":1,"than":1,"that":3,"the":20,"then":1,"there":1,"third":1,"this":3,"three":1,"through":1,"times":1,"to":4,"today":1,"together":1,"track":1,"transparent":1,"trial":1,"trusted":1,"type":1,"under":1,"underlying":1,"use":1,"used":1,"users":3,"verifiable":1,"verification":5,"verifications":1,"via":3,"was":1,"wcag":1,"we":1,"what":3,"where":2,"who":1,"why":2,"with":6,"without":3,"work":1,"would":1,"www":1,"yet":1,"zk":2}},{"dl":77,"n":"page-index","s":"pages/page-index","secs":[{"h":"Curated Pages Index","l":1,"t":"- [[opportunity-overview]] — what the ATO is asking and why SABLE fits - [[ato-myid-context]] — myID today and where it's heading - [[key-dates]] — close date, lodgement, internal milestones - [[response-structure]] — five documents we have to submit - [[evaluation-criteria]] — every M / D / O requirement verbatim - [[addenda-clarifications]] — the 15 Q&A clarifications + closing-date extension - [[sable-fit]] — per-requirement SABLE compliance position - [[gaps-and-risks]] — honest gap analysis - [[source-index]] — raw extracts of every 
attachment"}],"tf":{"15":1,"a":1,"addenda":1,"analysis":1,"and":3,"asking":1,"ato":2,"attachment":1,"clarifications":2,"close":1,"closing":1,"compliance":1,"context":1,"criteria":1,"curated":1,"d":1,"date":2,"dates":1,"documents":1,"evaluation":1,"every":2,"extension":1,"extracts":1,"fit":1,"fits":1,"five":1,"gap":1,"gaps":1,"have":1,"heading":1,"honest":1,"index":2,"internal":1,"is":1,"it":1,"key":1,"lodgement":1,"m":1,"milestones":1,"myid":2,"o":1,"of":1,"opportunity":1,"overview":1,"pages":1,"per":1,"position":1,"q":1,"raw":1,"requirement":2,"response":1,"risks":1,"s":1,"sable":3,"source":1,"structure":1,"submit":1,"the":2,"to":1,"today":1,"verbatim":1,"we":1,"what":1,"where":1,"why":1}},{"dl":479,"n":"response-structure","s":"pages/response-structure","secs":[{"h":"Response Structure","l":1,"t":"What we need to submit, in the form the ATO has specified."},{"h":"Five required documents","l":5,"t":"| # | Form | Format | Source template | Our draft | |---|---|---|---|---| | 1 | **Part 3 — Response Form (General)** | DOCX | `attachments/03-part3-response-general.docx` | `draft/part3-general.md` (then export) | | 2 | **Part 3a — Response Form (Technical)** | XLSX | `attachments/04-part3a-response-technical.xlsx` | `draft/part3a-technical-compliance-matrix.md` (then fill spreadsheet) | | 3 | **Part 4 — Response Form (Financial)** | DOCX | `attachments/05-part4-response-financial.docx` | `draft/part4-financial.md` (then export) | | 4 | **Part 4a — Response Form (Pricing Table)** | XLSX | `attachments/06-part4a-response-pricing.xlsx` | `draft/part4a-pricing.md` (then fill spreadsheet) | | 5 | **Attachment A — FOCI Form** | DOCX | `attachments/07-foci-information-form.docx` | `draft/attachment-a-foci.md` (then export) | The RFI explicitly says: *\"suppliers should respond to the questions, and supply the information and materials, in the same order and under the same headings as shown in these Response Forms.\"* So we mirror the section structure exactly."},{"h":"Part 3 
— General — what goes in each section","l":17,"t":"- **Section 1 — Conditions for Participation** - Judicial decisions / employee entitlements declaration - Workplace Gender Equality Act status (Anuna Research Cooperative is under the 100-employee threshold — not a \"relevant employer\") - Statement of Tax Record commitment (forward-looking — for any second stage) - Indigenous Procurement Policy commitment (forward-looking) - Commonwealth Supplier Code of Conduct acknowledgement - **Section 2 — Respondent's details** — company info, ABN, registration, etc. - **Section 3 — Respondent information** — general capability overview, narrative on the offer - **Section 4 — Respondent's Declaration** — signed declaration"},{"h":"Part 3a — Technical — compliance matrix","l":29,"t":"One row per requirement (LV-1..6, TV-1..3, S-1..2, P-1..2, A-1, H-1..2, IN-1..5, SC-1..8, OP-1..10, VISM-1..7, M-1, RM-1..4, UX-1..4) with: - **Column D:** Response Compliance (Compliant / Partially Compliant / Non-Compliant) - **Column E:** Vendor Comments — how SABLE meets (or partially meets) the requirement See [[sable-fit]] for the per-requirement narrative we'll fill in."},{"h":"Part 4 — Financial — what goes in each section","l":38,"t":"- **Section 1** — Respondent (legal name, ABN/ACN/ARBN) - **Section 2** — Financial capacity (last 3 years' financials at high level; Anuna Research Cooperative is early-stage so this is summary-only) - **Section 3** — Pricing & payment basis (currency, GST exclusivity, indexation) - **Section 4** — Response price (signpost to Part 4a spreadsheet)"},{"h":"Part 4a — Pricing — spreadsheet tables","l":45,"t":"- **T1 — Software Licensing** — both perpetual (SP1.1) and subscription (SP1.2) models required for evaluation - **T2 — Tiered Discounts** - **T3 — One-off costs** (integration, training, environment setup) - **T4 — Ongoing Support & Maintenance** - **T5 — Labour Rates** GST-exclusive; AUD assumed unless foreign currency nominated. 
12-month + 36-month term options requested."},{"h":"FOCI form — what goes in","l":55,"t":"Foreign Ownership, Control or Influence questions: 1. DISP / HCF status 2. Ultimate Beneficial Owners + corporate structure 3. State ownership / control by foreign government 4. Politically Exposed Persons 5. Access to ATO systems / networks / data 6. Cloud / hosting providers and data flows 7. Subcontractors and supply-chain risk Anuna Research Cooperative: privately-held Australian company, founder-owned, no state ownership, no PEPs, Australian-incorporated, hosting plan = AWS Sydney (ap-southeast-2)."},{"h":"Linked notes","l":69,"t":"- [[evaluation-criteria]] — what's being asked - [[sable-fit]] — how we answer - [[gaps-and-risks]] — what we acknowledge openly"}],"tf":{"1":18,"10":1,"100":1,"12":1,"2":9,"3":8,"36":1,"3a":2,"4":8,"4a":3,"5":3,"6":2,"7":2,"8":1,"a":3,"abn":2,"access":1,"acknowledge":1,"acknowledgement":1,"acn":1,"act":1,"and":7,"answer":1,"anuna":3,"any":1,"ap":1,"arbn":1,"as":1,"asked":1,"assumed":1,"at":1,"ato":2,"attachment":1,"aud":1,"australian":2,"aws":1,"basis":1,"being":1,"beneficial":1,"both":1,"by":1,"capability":1,"capacity":1,"chain":1,"cloud":1,"code":1,"column":2,"comments":1,"commitment":2,"commonwealth":1,"company":2,"compliance":2,"compliant":3,"conditions":1,"conduct":1,"control":2,"cooperative":3,"corporate":1,"costs":1,"criteria":1,"currency":2,"d":1,"data":2,"decisions":1,"declaration":3,"details":1,"discounts":1,"disp":1,"documents":1,"docx":3,"draft":1,"e":1,"each":2,"early":1,"employee":2,"employer":1,"entitlements":1,"environment":1,"equality":1,"etc":1,"evaluation":2,"exactly":1,"exclusive":1,"exclusivity":1,"explicitly":1,"export":3,"exposed":1,"fill":3,"financial":3,"financials":1,"fit":2,"five":1,"flows":1,"foci":2,"for":4,"foreign":3,"form":8,"format":1,"forms":1,"forward":2,"founder":1,"gaps":1,"gender":1,"general":3,"goes":3,"government":1,"gst":2,"h":1,"has":1,"hcf":1,"headings":1,"held":1,"high":1,"hosting":2,"how":2,"in":8,"i
ncorporated":1,"indexation":1,"indigenous":1,"influence":1,"info":1,"information":2,"integration":1,"is":3,"judicial":1,"labour":1,"last":1,"legal":1,"level":1,"licensing":1,"linked":1,"ll":1,"looking":2,"lv":1,"m":1,"maintenance":1,"materials":1,"matrix":1,"meets":2,"mirror":1,"models":1,"month":2,"name":1,"narrative":2,"need":1,"networks":1,"no":2,"nominated":1,"non":1,"not":1,"notes":1,"of":2,"off":1,"offer":1,"on":1,"one":2,"ongoing":1,"only":1,"op":1,"openly":1,"options":1,"or":2,"order":1,"our":1,"overview":1,"owned":1,"owners":1,"ownership":3,"p":1,"part":9,"partially":2,"participation":1,"payment":1,"peps":1,"per":2,"perpetual":1,"persons":1,"plan":1,"policy":1,"politically":1,"price":1,"pricing":3,"privately":1,"procurement":1,"providers":1,"questions":2,"rates":1,"record":1,"registration":1,"relevant":1,"requested":1,"required":2,"requirement":3,"research":3,"respond":1,"respondent":4,"response":8,"rfi":1,"risk":1,"risks":1,"rm":1,"row":1,"s":4,"sable":3,"same":2,"says":1,"sc":1,"second":1,"section":11,"see":1,"setup":1,"should":1,"shown":1,"signed":1,"signpost":1,"so":2,"software":1,"source":1,"southeast":1,"sp1":2,"specified":1,"spreadsheet":4,"stage":2,"state":2,"statement":1,"status":2,"structure":3,"subcontractors":1,"submit":1,"subscription":1,"summary":1,"supplier":1,"suppliers":1,"supply":2,"support":1,"sydney":1,"systems":1,"t1":1,"t2":1,"t3":1,"t4":1,"t5":1,"table":1,"tables":1,"tax":1,"technical":2,"template":1,"term":1,"the":12,"then":5,"these":1,"this":1,"threshold":1,"tiered":1,"to":4,"training":1,"tv":1,"ultimate":1,"under":2,"unless":1,"ux":1,"vendor":1,"vism":1,"we":5,"what":6,"with":1,"workplace":1,"xlsx":2,"years":1}},{"dl":2766,"n":"sable-fit","s":"pages/sable-fit","secs":[{"h":"SABLE Fit — Per-Requirement Position","l":1,"t":"Maps every M / D requirement in [[evaluation-criteria]] to SABLE's current capability and the gap (if any). Source: `../sable/README.md`, `../sable/IMPLEMENTATION_STATUS.md`, `../sable/docs/`. 
Compliance values use Part 3a's drop-down options: **Compliant** / **Partially Compliant** / **Non-Compliant**."},{"h":"Biometric Capture & Liveness Detection (LV)","l":5,"t":"| ID | SABLE Position | Compliance | Commentary | |---|---|---|---| | **LV-1** | ✅ SABLE captures face embeddings via standard smartphone camera; image-quality controls operate at capture time | **Compliant** | We extract 1024-dim face embeddings; image-quality scoring against ISO/IEC 29794-5 profile is integrated in the capture pipeline (sable-core `biometric` module). Quality profile output is exposed via the FFI. | | **LV-2** | ✅ Automated quality controls + UI guidance for re-capture | **Compliant** | The capture SDK rejects out-of-spec frames and returns user-facing guidance codes (face-too-close, low-light, off-axis, motion-blur). UI guidance text is configurable per ATO branding. | | **LV-3** | ✅ Spatial-flash PAD based on Tang et al., NDSS 2018 | **Compliant** | Active liveness via screen-flash challenge-response. The screen flashes split-screen colours over 3 rounds; the camera captures how light reflects off the face. A real 3D face reflects differently in upper vs lower regions; a flat photo/screen reflects identically. | | **LV-4** | ✅ Capture + PAD in a single continuous workflow | **Compliant** | The Halo2 ZK proof binds capture and PAD into a single composite proof (~250 ms generation). The PAD fingerprints feed directly into the same circuit as the face-match check — they cannot be decoupled or replayed. | | **LV-5** | ⚠️ Defensible against current photo/screen replay attacks, but **not yet ISO/IEC 30107-3 EAL-2 (Level B) tested** | **Partially Compliant** | The technique (controlled-illumination reflectance analysis) is published peer-reviewed methodology; engagement of an ILAC-accredited testing laboratory for formal EAL-2 (Level B) certification is planned and can be completed inside a typical procurement timeline (3-4 months). No lab arrangement in place at the RFI stage. 
| | **LV-6** | ⚠️ Pending third-party PAD test report (see LV-5) | **Partially Compliant** | We will provide vendor self-assessment evidence now (NDSS 2018 paper, internal red-team testing against printed photos / phone-screen replays / video replays) and commit to producing an ISO/IEC 30107-3 third-party test report by end of any procurement evaluation phase. |"},{"h":"Technical Verification & Biometric Binding (TV)","l":16,"t":"| ID | SABLE Position | Compliance | Commentary | |---|---|---|---| | **TV-1** | ⚠️ ICAO Doc 9303 ePassport NFC reading is not yet in SABLE core | **Partially Compliant** | The SABLE architecture has an `attestation` module designed for X.509-style chain validation; ICAO 9303 PKI verification including CSCA/Master List handling and CRL checking is a planned addition (estimated 8-12 weeks). Existing open-source libraries (e.g. jMRTD, BSI) can be wrapped. | | **TV-2** | ✅ Single-continuous-workflow capture + PAD + binding is the SABLE flagship feature | **Compliant** | The Halo2 composite proof binds biometric capture, PAD, and credential binding in one atomic operation. PAD operates at point of capture; the entire pipeline runs before any proof is submitted for verification. Data-capture-subsystem signals and system-level monitoring (frame timing, sensor metadata, challenge nonce binding) all feed the circuit per ISO/IEC 30107-1. | | **TV-3** | ⚠️ Quantitative FMR/FNMR benchmarking against ISO/IEC TS 19795-9:2019 protocol is planned | **Partially Compliant** | SABLE's matching uses Pedersen-committed Poseidon-hashed embeddings with a configurable Hamming-distance threshold inside the Halo2 circuit. The underlying face embeddings are based on a 1024-dim feature extractor; matching accuracy depends on the embedding model. We commit to running an ISO/IEC TS 19795-9 evaluation against a standard test corpus and reporting FMR/FNMR at the 90 % confidence interval within the procurement evaluation window. 
|"},{"h":"Scalability, Performance, Availability","l":24,"t":"| ID | SABLE Position | Compliance | Commentary | |---|---|---|---| | **S-1** | ✅ Architecturally horizontally scalable — verification is stateless | **Compliant** | Halo2 verification is ~1.8 ms per proof. The SaaS verification endpoint is stateless (no session affinity, no shared memory) and trivially horizontal — capacity scales linearly with EC2/EKS instances. | | **S-2** | ✅ A SaaS verification endpoint is the deployment target | **Compliant** | The proposed deployment wraps the open-source SABLE library in a hosted SaaS verification service on AWS Sydney. The library itself remains client-side (in the user's myID app instance) — only the proof reaches the SaaS. | | **P-1** | ✅ 10 000 verifications/hour at p95 ≤ 1000 ms is comfortable | **Compliant** | 10 000/hour = ~2.8/sec average; SABLE verification at 1.8 ms means a single t3.medium handles this with >99 % headroom. Proof generation (~250 ms, on-device) is amortised across millions of devices, not on the server. Full performance numbers in P-2 narrative. | | **P-2** | ✅ Documented benchmark methodology in `sable/bench/` | **Compliant** | We provide a Software Capacity Plan with: (i) measured verification latency distributions on Apple Silicon + AWS Graviton3 reference instances; (ii) AWS infrastructure design with EKS auto-scaling group + ALB; (iii) capacity-curve projection at 10×, 100×, 1000× peak. | | **A-1** | ✅ 99.95 % uptime achievable on AWS Sydney with multi-AZ design | **Compliant** | Multi-AZ EKS deployment behind ALB; data plane is stateless (no DB writes per verification); RTO < 5 min, RPO = 0. **Bonus:** SABLE's on-device proof generation means the user-facing capture/liveness flow is 100 % available even if the SaaS endpoint is degraded — only final verification needs the SaaS. 
|"},{"h":"Hosting, Integration","l":34,"t":"| ID | SABLE Position | Compliance | Commentary | |---|---|---|---| | **H-1** | ✅ SaaS wrapper on AWS Sydney | **Compliant** | Vendor-managed, secure, scalable. Library is open-source (Apache 2.0); SaaS shell + integration + ops is the commercial scope. | | **H-2** | ✅ AWS PrivateLink-ready | **Compliant** | We propose a VPC Endpoint Service in `ap-southeast-2` so the ATO's AWS account connects to SABLE Verification API via PrivateLink — no internet egress, no public endpoint. Resources required from ATO: VPC Endpoint creation in their account, IAM cross-account role for telemetry export, DNS resolver entry. | | **IN-1** | ⚠️ MAUI bindings not yet shipped; Android JNI + iOS Swift are in core today | **Partially Compliant** | SABLE has FFI for Android (JNI) and iOS (Swift). Generating .NET/MAUI bindings on top of the C ABI (sable-core exposes via cbindgen) is mechanical and estimated at 4-6 weeks including sample MAUI integration project. We commit to delivering MAUI bindings inside a procurement evaluation phase. | | **IN-2** | ✅ Browser support via WASM Halo2 | **Compliant** | The demo web frontend (`demo/web/`) already runs Halo2 proof generation in-browser via WASM, with camera capture via getUserMedia and spatial-flash liveness via the browser canvas. Verified working in Chrome, Safari, Edge, Firefox on desktop and mobile. | | **IN-3** | ✅ No server affinity required | **Compliant** | Stateless verification; any request can hit any pod. No sticky sessions. | | **IN-4** | ✅ IaC-driven deployment | **Compliant** | Deployment is fully IaC (Terraform modules provided); ATO can run `terraform apply` against their AWS account for fully silent deployment. CI pipelines provided (GitHub Actions templates). 
| | **IN-5** | ⚠️ SABLE specifically is pre-production; Anuna Research Cooperative is currently delivering directly-relevant government eGov work | **Partially Compliant** | SABLE itself is pre-production (519 tests passing; demo deployed; no live government deployments). **Anuna is currently delivering eGov services for the Bangsamoro Autonomous Region in Muslim Mindanao (BARMM)** — digital identity, citizen-facing services, advisory — production go-live July 2026 (so live well before any plausible ATO post-RFI procurement stage). **BARMM does not currently deploy SABLE**; future SABLE deployment at BARMM is a candidate natural extension of the existing engagement. Early international dialogue on the SABLE approach is under way with **Germany's Bundesamt für Sicherheit in der Informationstechnik (BSI)**. Adjacent government-context engagements: **UK Government Digital Service (GovUK)**; **CSIRO Data61**. Adjacent large-scale enterprise: Microsoft, Autodesk, Suncorp, IAG, Telus, Telefónica, Kellogg, University of Wollongong. PoC against ATO's myID cohort offered as the most direct evidence for SABLE in the ATO-specific context. |"},{"h":"Security & Confidentiality","l":46,"t":"| ID | SABLE Position | Compliance | Commentary | |---|---|---|---| | **SC-1** | ⚠️ ISM / Essential 8 alignment work to be done | **Partially Compliant** | The SaaS shell will be designed against ISM and Essential 8 from day one (multi-factor admin auth, application allow-listing, patch-management cadence, daily backups, etc.). Full IRAP assessment is a procurement-stage activity. | | **SC-2** | ✅ Privacy by construction | **Compliant** | SABLE's defining property is that **biometric data never leaves the user's device**. APP 1 (open and transparent management): open-source codebase. APP 3 (collection of solicited PI): we collect only the ZK proof + minimal metadata, never the biometric. 
APP 11 (security): biometric data is committed-and-hidden in Pedersen commitments; even an SaaS breach exposes no biometric data. | | **SC-3** | ⚠️ Uses NIST-aligned primitives, ASD HACE catalogue review pending | **Partially Compliant** | SABLE uses BLS12-381 (128-bit security), Poseidon (peer-reviewed ZK-friendly hash), ChaCha20-Poly1305 (NIST/ISM-listed). BLS12-381 itself is not yet on the ASD HACE list but is widely deployed and aligned with NIST proposals. We commit to replacing any primitive that fails ASD/IRAP review with an ASD-approved equivalent (e.g. P-256 with SHA-256 in pure-classical mode, alongside the BLS12-381 ZK path). | | **SC-4** | ✅ Halo2 proof IS the integrity control | **Compliant** | The Halo2 ZK proof cryptographically binds (a) the captured biometric, (b) the PAD liveness fingerprints, (c) the session-binding nonce, and (d) any selectively-disclosed credential attributes — a single ~2 KB proof. Tampering with any component invalidates the proof. | | **SC-5** | ✅ Personal Information never crosses the boundary at all | **Compliant** | Biometric PI never leaves the user's device. Only the ZK proof, the session nonce, and (optionally) selectively-disclosed predicates traverse the network. ATO's SaaS endpoint receives no PI. | | **SC-6** | ⚠️ PROTECTED certification not yet held | **Partially Compliant** | We commit to engaging an IRAP assessor for PROTECTED-level certification of the SaaS shell + integration within the procurement evaluation phase. Open-source codebase + minimised attack surface (no PI server-side) materially simplifies the IRAP path. | | **SC-7** | ✅ AWS ap-southeast-2 (Sydney) hosting | **Compliant** | All operational data (verification logs, audit trail, configuration) hosted in `ap-southeast-2`. Data Hosting Certification Framework: AWS Sydney holds the Certified Strategic Hosting Provider classification. 
| | **SC-8** | ✅ Full SBOM provided | **Compliant** | Open-source SBOM produced via `cargo cyclonedx`; every dependency, license, and access scope documented. Third-party components: Halo2 (PSE/zcash), Poseidon (academic), ChaCha20-Poly1305 (RustCrypto). |"},{"h":"Operations, Vendor Implementation Support & Maintenance, Maintainability","l":59,"t":"| ID | SABLE Position | Compliance | Commentary | |---|---|---|---| | **OP-1** | ✅ Standard SaaS architecture | **Compliant** | dev / staging / prod environments, all monitored 24×7 via CloudWatch + PagerDuty integration. | | **OP-2** | ✅ CI/CD with ephemeral test environments | **Compliant** | GitHub Actions pipelines spin up per-PR test environments via Terraform; integration tests run automatically. | | **OP-3** | ✅ AWS Sydney + CloudWatch Service Health | **Compliant** | Data sovereignty enforced via IAM SCPs preventing replication outside `ap-southeast-2`; real-time status via internal CloudWatch + public status page. | | **OP-4** | ✅ CloudTrail + GuardDuty | **Compliant** | All access to ATO data and all privileged operations logged via CloudTrail; GuardDuty monitors for anomalous patterns. | | **OP-5** | ✅ ATO IP allow-list at VPC PrivateLink | **Compliant** | Access enforced at the VPC endpoint level + at the API authentication layer (mTLS); IP ranges configurable per environment. | | **OP-6** | ⚠️ Personnel coercion-detection is a specialist domain | **Partially Compliant** | We do not currently operate behavioural-analytics tooling for personnel monitoring. We will partner with an Australian managed-SOC provider for managed insider-risk detection if required (no such arrangement in place at the RFI stage), or accept this as a desirable-not-met. | | **OP-7** | ✅ Real-time alerting on biometric failure patterns | **Compliant** | EventBridge → SNS → PagerDuty for high-risk patterns (PAD failure clusters, brute-force enrolment attempts, geographic anomalies). 
| | **OP-8** | ✅ Tiered alerting via severity tags | **Compliant** | Critical / High / Medium / Low alert tiers route to different channels with different SLAs; data-loss-prevention covered by abnormal-access detection on the verification API. | | **OP-9** | ⚠️ NV1-cleared staff and IRAP-certified portal not yet held | **Partially Compliant** | Anuna Research Cooperative will engage an Australian Security Vetting Agency–cleared support subcontractor for NV1-cleared L2 support, and sponsor founder NV1 clearance in parallel, inside a procurement evaluation phase. Incident management via an IRAP-assessed Australian incident management portal. No subcontractor or portal arrangement is in place at the RFI stage. | | **OP-10** | ⚠️ No prior government identity-system deliveries (see IN-5) | **Partially Compliant** | We offer: (a) dedicated helpdesk with named L2/L3 engineers; (b) public fraud-prevention roadmap; (c) knowledge-transfer commitment via documentation, on-site workshops, and pair-programming during transition. We acknowledge limited prior government identity-system delivery history (see IN-5). | | **VISM-1** | ✅ Helpdesk via dedicated email + status page | **Compliant** | Tiered support (P1/P2/P3/P4) with SLA-bound response times; AusGov.au-hosted ticketing portal. | | **VISM-2** | ✅ Open-source documentation + ops runbooks | **Compliant** | All `docs/` is public; ops runbooks for the SaaS shell will be ATO-private and version-controlled. | | **VISM-3** | ✅ Monthly security patch cadence, weekly minor updates | **Compliant** | Documented patching schedule; CVE response SLA: 4 hours triage / 24 hours patch for Critical, 7 days for High. | | **VISM-4** | ✅ Ongoing maintenance is the commercial subscription scope | **Compliant** | Subscription tier includes platform maintenance, dependency patching, ZK circuit revisions as cryptographic best practice evolves. 
| | **VISM-5** | ✅ Public roadmap | **Compliant** | Codeberg-hosted public roadmap; quarterly stakeholder review cycles. Items already on roadmap: BBS+ selective disclosure rollout, post-quantum migration (CRYSTALS-Dilithium signature path), multi-spectral liveness (IR), continuous authentication. | | **VISM-6** | ⚠️ Limited government track record (see IN-5, OP-10) | **Partially Compliant** | Honest disclosure. We propose a paid PoC against ATO's myID test cohort as the most decisive evidence. | | **VISM-7** | ✅ Active research programme | **Compliant** | Anuna Research Cooperative publishes on identity, biometrics, and digital trust. Recommendations include: BBS+ for selective disclosure; post-quantum identity (NIST PQC integration); zero-knowledge KYC; offline-first identity proofs. | | **M-1** | ✅ Patching is a published SLA commitment | **Compliant** | See VISM-3. Third-party components are tracked via `cargo audit` in CI; out-of-date dependencies block merges. |"},{"h":"Reporting & Monitoring, User Experience & Accessibility","l":82,"t":"| ID | SABLE Position | Compliance | Commentary | |---|---|---|---| | **RM-1** | ✅ CloudWatch Logs with optional log-shipping to ATO's SIEM | **Compliant** | All API activity, configuration changes, and security-relevant events logged; Kinesis Firehose for ATO log-shipping. | | **RM-2** | ✅ CloudWatch / Grafana dashboards | **Compliant** | Out-of-the-box dashboards for: capture-time distribution, PAD pass/fail rates, FMR/FNMR over time, regional latency, error rates. ATO can customise via Grafana. | | **RM-3** | ✅ ATO read access via IAM cross-account roles | **Compliant** | Cross-account read role for ATO to query CloudWatch Logs Insights directly; sample CloudWatch Logs Insights queries provided in the runbook. | | **RM-4** | ✅ Monitoring integration options documented | **Compliant** | Native integration with: CloudWatch (default), Datadog (via Lambda), Splunk (via HEC), ATO's existing SIEM (via log-shipping). 
| | **UX-1** | ✅ Mobile-first capture flow + responsive web fallback | **Compliant** | Native iOS / Android first-class; responsive web demo verified on phones, tablets, desktops. | | **UX-2** | ✅ UI standards + Figma + user-flow docs | **Compliant** | Brand-customisable UI; Figma library; user-flow maps for enrolment, authentication, account recovery, error states. | | **UX-3** | ⚠️ WCAG 2.1 AA audit not yet completed | **Partially Compliant** | Capture flow uses standard form patterns + ARIA labels + sufficient contrast ratios. Formal WCAG 2.1 AA audit by an accredited Australian accessibility audit firm is planned and can be completed in 4-6 weeks (no audit firm arrangement in place at the RFI stage). Accessibility-mode liveness alternative (audio prompts, larger UI elements) on roadmap. | | **UX-4** | ✅ Customisable UI via configuration | **Compliant** | Branding (colours, fonts, logos), copy (multi-language), capture flow steps, and even challenge parameters are configuration-driven, not code changes. |"},{"h":"Cross-cutting business-requirement narrative","l":95,"t":"- **Secure** — Halo2 ZK proof gives cryptographic guarantees stronger than any statistical match-rate threshold. Spatial-flash PAD defeats current photo/screen/replay attacks; ongoing R&D into deepfake / 3D-mask defences. FMR/FNMR benchmarking against ISO/IEC TS 19795-9 commitment per TV-3. - **User-friendly** — Capture flow is ~10 seconds (face capture + 3 spatial-flash rounds); no special device required; no internet required for capture; biometric data never leaves device. - **Device compatibility** — Any smartphone with a front-facing camera and modern browser; specifically tested on iOS 14+, Android 9+, Chrome / Safari / Edge / Firefox. - **Accessible** — WCAG 2.1 AA commitment (UX-3); accessibility-mode liveness alternative on roadmap; multi-language support. - **Scalable** — Stateless verification at ~1.8 ms; capacity scales linearly with EKS pods. 
- **Cost-effective** — Open-source library means no per-seat ZK proof licence; commercial scope is SaaS shell + integration + ops. Pricing model in Part 4a covers both perpetual and subscription tiers. - **Compliant** — Aligned with Digital ID Act 2024 data-minimisation principles by construction; ISM / Essential 8 / Australian Privacy Principles addressed in SC-* responses. - **Integratable & maintainable** — MAUI bindings (IN-1, 4-6 weeks); IaC deployment (IN-4); public SBOM (SC-8). - **Value for money** — The privacy-by-construction architecture removes the need for expensive ongoing breach-mitigation, data-sovereignty audits, and consent-management infrastructure that traditional biometric solutions accrue over their lifecycle."},{"h":"Linked notes","l":107,"t":"- [[gaps-and-risks]] — consolidated view of every Partially Compliant / Non-Compliant position - [[evaluation-criteria]] — the source requirements - [[ato-myid-context]]"}],"tf":{"0":2,"000":2,"1":22,"10":6,"100":2,"1000":2,"1024":2,"11":1,"12":1,"128":1,"14":1,"19795":3,"2":21,"2018":2,"2019":1,"2024":1,"2026":1,"24":2,"250":2,"256":2,"29794":1,"3":17,"30107":3,"381":3,"3a":1,"3d":2,"4":13,"4a":1,"5":11,"509":1,"519":1,"6":7,"7":5,"8":11,"9":5,"90":1,"9303":2,"95":1,"99":2,"a":27,"aa":3,"abi":1,"abnormal":1,"academic":1,"accept":1,"access":5,"accessibility":4,"accessible":1,"account":7,"accredited":2,"accrue":1,"accuracy":1,"achievable":1,"acknowledge":1,"across":1,"act":1,"actions":2,"active":2,"activity":2,"addition":1,"addressed":1,"adjacent":2,"admin":1,"advisory":1,"affinity":2,"against":10,"agency":1,"al":1,"alb":2,"alert":1,"alerting":2,"aligned":3,"alignment":1,"all":8,"allow":2,"alongside":1,"already":2,"alternative":2,"amortised":1,"an":11,"analysis":1,"analytics":1,"and":34,"android":4,"anomalies":1,"anomalous":1,"anuna":4,"any":11,"ap":1,"apache":1,"api":4,"app":4,"apple":1,"application":1,"approach":1,"approved":1,"architecturally":1,"architecture":3,"are":4,"aria":1,"arrangement":4,"as":5,
"asd":4,"assessed":1,"assessment":2,"assessor":1,"at":17,"ato":19,"atomic":1,"attack":1,"attacks":2,"attempts":1,"attributes":1,"au":1,"audio":1,"audit":5,"audits":1,"ausgov":1,"australian":5,"auth":1,"authentication":3,"auto":1,"autodesk":1,"automated":1,"automatically":1,"autonomous":1,"availability":1,"available":1,"average":1,"aws":11,"axis":1,"az":2,"b":4,"backups":1,"bangsamoro":1,"barmm":3,"based":2,"bbs":2,"be":7,"before":2,"behavioural":1,"behind":1,"benchmark":1,"benchmarking":2,"best":1,"binding":5,"bindings":4,"binds":3,"biometric":12,"biometrics":1,"bit":1,"block":1,"bls12":3,"blur":1,"bonus":1,"both":1,"bound":1,"boundary":1,"box":1,"brand":1,"branding":2,"breach":2,"browser":4,"brute":1,"bsi":2,"bundesamt":1,"business":1,"but":2,"by":6,"c":3,"cadence":2,"camera":4,"can":6,"candidate":1,"cannot":1,"canvas":1,"capability":1,"capacity":4,"capture":20,"captured":1,"captures":2,"catalogue":1,"cbindgen":1,"cd":1,"certification":4,"certified":2,"chacha20":2,"chain":1,"challenge":3,"changes":2,"channels":1,"check":1,"checking":1,"chrome":2,"ci":3,"circuit":4,"citizen":1,"class":1,"classical":1,"classification":1,"clearance":1,"cleared":3,"client":1,"close":1,"cloudtrail":2,"cloudwatch":8,"clusters":1,"code":1,"codebase":2,"codeberg":1,"codes":1,"coercion":1,"cohort":2,"collect":1,"collection":1,"colours":2,"comfortable":1,"commentary":7,"commercial":3,"commit":5,"commitment":4,"commitments":1,"committed":2,"compatibility":1,"completed":3,"compliance":8,"compliant":61,"component":1,"components":2,"composite":2,"confidence":1,"confidentiality":1,"configurable":3,"configuration":4,"connects":1,"consent":1,"consolidated":1,"construction":3,"context":3,"continuous":3,"contrast":1,"control":1,"controlled":2,"controls":2,"cooperative":3,"copy":1,"core":4,"corpus":1,"cost":1,"covered":1,"covers":1,"creation":1,"credential":2,"criteria":2,"critical":2,"crl":1,"cross":4,"crosses":1,"cryptographic":2,"cryptographically":1,"crystals":1,"csca":1,"csiro":1,"current":3,"cur
rently":4,"curve":1,"customisable":2,"customise":1,"cutting":1,"cve":1,"cycles":1,"d":3,"daily":1,"dashboards":2,"data":13,"data61":1,"datadog":1,"date":1,"day":1,"days":1,"db":1,"decisive":1,"decoupled":1,"dedicated":2,"deepfake":1,"default":1,"defeats":1,"defences":1,"defensible":1,"defining":1,"degraded":1,"deliveries":1,"delivering":3,"delivery":1,"demo":3,"dependencies":1,"dependency":2,"depends":1,"deploy":1,"deployed":2,"deployment":8,"deployments":1,"der":1,"design":2,"designed":2,"desirable":1,"desktop":1,"desktops":1,"detection":4,"dev":1,"device":7,"devices":1,"dialogue":1,"different":2,"differently":1,"digital":4,"dilithium":1,"dim":2,"direct":1,"directly":3,"disclosed":2,"disclosure":3,"distance":1,"distribution":1,"distributions":1,"dns":1,"do":1,"doc":1,"docs":1,"documentation":2,"documented":4,"does":1,"domain":1,"done":1,"down":1,"driven":2,"drop":1,"during":1,"e":2,"eal":2,"early":1,"ec2":1,"edge":2,"effective":1,"egov":2,"egress":1,"eks":4,"elements":1,"email":1,"embedding":1,"embeddings":4,"end":1,"endpoint":8,"enforced":2,"engage":1,"engagement":2,"engagements":1,"engaging":1,"engineers":1,"enrolment":2,"enterprise":1,"entire":1,"entry":1,"environment":1,"environments":3,"epassport":1,"ephemeral":1,"equivalent":1,"error":2,"essential":3,"estimated":2,"et":1,"etc":1,"evaluation":8,"even":3,"eventbridge":1,"events":1,"every":3,"evidence":3,"evolves":1,"existing":3,"expensive":1,"experience":1,"export":1,"exposed":1,"exposes":2,"extension":1,"extract":1,"extractor":1,"face":8,"facing":4,"factor":1,"fail":1,"fails":1,"failure":2,"fallback":1,"feature":2,"feed":2,"ffi":2,"figma":2,"final":1,"fingerprints":2,"firefox":2,"firehose":1,"firm":2,"first":3,"fit":1,"flagship":1,"flash":5,"flashes":1,"flat":1,"flow":7,"fmr":4,"fnmr":4,"fonts":1,"for":26,"force":1,"form":1,"formal":2,"founder":1,"frame":1,"frames":1,"framework":1,"fraud":1,"friendly":2,"from":2,"front":1,"frontend":1,"full":3,"fully":2,"future":1,"für":1,"g":2,"gap":1,"gaps":1,"generating":1,
"generation":4,"geographic":1,"germany":1,"getusermedia":1,"github":2,"gives":1,"go":1,"government":7,"govuk":1,"grafana":2,"graviton3":1,"group":1,"guarantees":1,"guardduty":2,"guidance":3,"h":2,"hace":2,"halo2":10,"hamming":1,"handles":1,"handling":1,"has":2,"hash":1,"hashed":1,"headroom":1,"health":1,"hec":1,"held":2,"helpdesk":2,"hidden":1,"high":3,"history":1,"hit":1,"holds":1,"honest":1,"horizontal":1,"horizontally":1,"hosted":4,"hosting":4,"hour":2,"hours":2,"how":1,"i":1,"iac":3,"iag":1,"iam":3,"icao":2,"id":8,"identically":1,"identity":6,"iec":7,"if":3,"ii":1,"iii":1,"ilac":1,"illumination":1,"image":2,"implementation":1,"in":41,"incident":2,"include":1,"includes":1,"including":2,"information":1,"informationstechnik":1,"infrastructure":2,"inside":4,"insider":1,"insights":2,"instance":1,"instances":2,"integratable":1,"integrated":1,"integration":10,"integrity":1,"internal":2,"international":1,"internet":2,"interval":1,"into":3,"invalidates":1,"ios":4,"ip":2,"ir":1,"irap":6,"is":43,"ism":4,"iso":7,"items":1,"itself":3,"jmrtd":1,"jni":2,"july":1,"kb":1,"kellogg":1,"kinesis":1,"knowledge":2,"kyc":1,"l2":2,"l3":1,"lab":1,"labels":1,"laboratory":1,"lambda":1,"language":2,"large":1,"larger":1,"latency":2,"layer":1,"leaves":3,"level":5,"libraries":1,"library":5,"licence":1,"license":1,"lifecycle":1,"light":2,"limited":2,"linearly":2,"linked":1,"list":3,"listed":1,"listing":1,"live":3,"liveness":8,"log":3,"logged":2,"logos":1,"logs":4,"loss":1,"low":2,"lower":1,"lv":8,"m":2,"maintainability":1,"maintainable":1,"maintenance":3,"managed":3,"management":5,"maps":2,"mask":1,"master":1,"match":2,"matching":2,"materially":1,"maui":5,"means":3,"measured":1,"mechanical":1,"medium":2,"memory":1,"merges":1,"met":1,"metadata":2,"methodology":2,"microsoft":1,"migration":1,"millions":1,"min":1,"mindanao":1,"minimal":1,"minimisation":1,"minimised":1,"minor":1,"mitigation":1,"mobile":2,"mode":3,"model":2,"modern":1,"module":2,"modules":1,"money":1,"monitored":1,"monitoring":4,"mon
itors":1,"monthly":1,"months":1,"most":2,"motion":1,"ms":6,"mtls":1,"multi":6,"muslim":1,"myid":4,"named":1,"narrative":2,"native":2,"natural":1,"ndss":2,"need":1,"needs":1,"net":1,"network":1,"never":5,"nfc":1,"nist":4,"no":19,"non":2,"nonce":3,"not":12,"notes":1,"now":1,"numbers":1,"nv1":3,"of":13,"off":2,"offer":1,"offered":1,"offline":1,"on":23,"one":2,"ongoing":3,"only":4,"op":11,"open":9,"operate":2,"operates":1,"operation":1,"operational":1,"operations":2,"ops":4,"optional":1,"optionally":1,"options":2,"or":3,"out":3,"output":1,"outside":1,"over":3,"p":4,"p1":1,"p2":1,"p3":1,"p4":1,"p95":1,"pad":12,"page":2,"pagerduty":2,"paid":1,"pair":1,"paper":1,"parallel":1,"parameters":1,"part":2,"partially":16,"partner":1,"party":4,"pass":1,"passing":1,"patch":3,"patching":3,"path":3,"patterns":4,"peak":1,"pedersen":2,"peer":2,"pending":2,"per":9,"performance":2,"perpetual":1,"personal":1,"personnel":2,"phase":4,"phone":1,"phones":1,"photo":3,"photos":1,"pi":4,"pipeline":2,"pipelines":2,"pki":1,"place":4,"plan":1,"plane":1,"planned":4,"platform":1,"plausible":1,"poc":2,"pod":1,"pods":1,"point":1,"poly1305":2,"portal":4,"poseidon":3,"position":9,"post":3,"pqc":1,"pr":1,"practice":1,"pre":2,"predicates":1,"preventing":1,"prevention":2,"pricing":1,"primitive":1,"primitives":1,"principles":2,"printed":1,"prior":2,"privacy":3,"private":1,"privatelink":3,"privileged":1,"procurement":8,"prod":1,"produced":1,"producing":1,"production":3,"profile":2,"programme":1,"programming":1,"project":1,"projection":1,"prompts":1,"proof":17,"proofs":1,"property":1,"proposals":1,"propose":2,"proposed":1,"protected":2,"protocol":1,"provide":2,"provided":4,"provider":2,"pse":1,"public":7,"published":2,"publishes":1,"pure":1,"quality":4,"quantitative":1,"quantum":2,"quarterly":1,"queries":1,"query":1,"r":1,"ranges":1,"rate":1,"rates":2,"ratios":1,"re":1,"reaches":1,"read":2,"reading":1,"ready":1,"real":3,"receives":1,"recommendations":1,"record":1,"recovery":1,"red":1,"reference":1,"reflectance"
:1,"reflects":3,"region":1,"regional":1,"regions":1,"rejects":1,"relevant":2,"remains":1,"removes":1,"replacing":1,"replay":2,"replayed":1,"replays":2,"replication":1,"report":2,"reporting":2,"request":1,"required":5,"requirement":3,"requirements":1,"research":4,"resolver":1,"resources":1,"response":3,"responses":1,"responsive":2,"returns":1,"review":3,"reviewed":2,"revisions":1,"rfi":5,"risk":2,"risks":1,"rm":4,"roadmap":6,"role":2,"roles":1,"rollout":1,"rounds":2,"route":1,"rpo":1,"rto":1,"run":2,"runbook":1,"runbooks":2,"running":1,"runs":2,"rustcrypto":1,"s":17,"saas":15,"sable":29,"safari":2,"same":1,"sample":2,"sbom":3,"sc":10,"scalability":1,"scalable":3,"scale":1,"scales":2,"scaling":1,"schedule":1,"scope":4,"scoring":1,"scps":1,"screen":7,"sdk":1,"seat":1,"sec":1,"seconds":1,"secure":2,"security":6,"see":5,"selective":2,"selectively":2,"self":1,"sensor":1,"server":3,"service":4,"services":2,"session":3,"sessions":1,"severity":1,"sha":1,"shared":1,"shell":5,"shipped":1,"shipping":3,"sicherheit":1,"side":2,"siem":2,"signals":1,"signature":1,"silent":1,"silicon":1,"simplifies":1,"single":5,"site":1,"sla":3,"slas":1,"smartphone":2,"sns":1,"so":2,"soc":1,"software":1,"solicited":1,"solutions":1,"source":10,"southeast":1,"sovereignty":2,"spatial":4,"spec":1,"special":1,"specialist":1,"specific":1,"specifically":2,"spectral":1,"spin":1,"split":1,"splunk":1,"sponsor":1,"staff":1,"stage":6,"staging":1,"stakeholder":1,"standard":4,"standards":1,"stateless":5,"states":1,"statistical":1,"status":3,"steps":1,"sticky":1,"strategic":1,"stronger":1,"style":1,"subcontractor":2,"submitted":1,"subscription":3,"subsystem":1,"such":1,"sufficient":1,"suncorp":1,"support":6,"surface":1,"swift":2,"sydney":6,"system":3,"t3":1,"tablets":1,"tags":1,"tampering":1,"tang":1,"target":1,"team":1,"technical":1,"technique":1,"telefónica":1,"telemetry":1,"telus":1,"templates":1,"terraform":2,"test":6,"tested":2,"testing":2,"tests":2,"text":1,"than":1,"that":3,"the":80,"their":3,"they":1,"thi
rd":4,"this":2,"threshold":2,"ticketing":1,"tier":1,"tiered":2,"tiers":2,"time":5,"timeline":1,"times":1,"timing":1,"to":12,"today":1,"too":1,"tooling":1,"top":1,"track":1,"tracked":1,"traditional":1,"trail":1,"transfer":1,"transition":1,"transparent":1,"traverse":1,"triage":1,"trivially":1,"trust":1,"ts":3,"tv":5,"typical":1,"ui":6,"uk":1,"under":1,"underlying":1,"university":1,"up":1,"updates":1,"upper":1,"uptime":1,"use":1,"user":9,"uses":4,"ux":5,"validation":1,"value":1,"values":1,"vendor":3,"verification":17,"verifications":1,"verified":2,"version":1,"vetting":1,"via":26,"video":1,"view":1,"vism":8,"vpc":4,"vs":1,"wasm":2,"way":1,"wcag":3,"we":14,"web":3,"weekly":1,"weeks":4,"well":1,"widely":1,"will":5,"window":1,"with":22,"within":2,"wollongong":1,"work":2,"workflow":2,"working":1,"workshops":1,"wrapped":1,"wrapper":1,"wraps":1,"writes":1,"x":1,"yet":7,"zcash":1,"zero":1,"zk":9}},{"dl":310,"n":"atm-landing","s":"sources/atm-landing","secs":[{"h":"src: ATM Landing — RFI-15434","l":1,"t":"**Source URL:** https://www.tenders.gov.au/Atm/Show/cea1b989-ceb0-4b36-8b48-ac1330062362 **Captured:** 2026-05-31 (authenticated session, ar-crawl session) ---"},{"h":"Current ATM View — RFI-15434","l":8,"t":""},{"h":"Biometric Verification Capability","l":10,"t":""},{"h":"Contact Details","l":12,"t":"- **Name:** Alison Buchanan - **Email:** RFI15434@ato.gov.au"},{"h":"Metadata","l":16,"t":"| Field | Value | |---|---| | ATM ID | RFI-15434 | | Agency | Australian Taxation Office | | Category | 43230000 — Software | | Close Date & Time | **4-Jun-2026 2:00 pm (ACT Local Time)** | | Publish Date | 23-Apr-2026 | | Location | ACT, NSW, VIC, SA, WA, QLD, NT, TAS (Canberra, Sydney, Melbourne, Adelaide, Perth, Brisbane, Darwin, Hobart) | | ATM Type | Request for Information | | Multi Agency Access | No | | Panel Arrangement | No | | Multi-stage | No | | Address for Lodgement | 26 Narellan Street, Canberra City ACT 2601 |"},{"h":"Description","l":31,"t":"> The ATO is seeking responses 
from the market for potential products and/or solutions for the requirement of a Biometric Liveness Detection Solution that can support the strategic objectives of the myID App. The intent of this RFI is identify the viability of potential solutions, the implementation and integration costs and the potential benefits of implementing this platform."},{"h":"Conditions for Participation","l":34,"t":"> Refer to attached documentation"},{"h":"Timeframe for Delivery","l":37,"t":"> Not applicable"},{"h":"Addenda","l":40,"t":"- Addendum 1 (FINAL VERSION) — see attachments - Addendum 2 (FINAL) — see attachments"},{"h":"Attached Documents","l":44,"t":"| # | Title | Format | Size | URL | |---|---|---|---|---| | 1 | RFI-15434 Part 1 — Conditions of Request for Information (Final) | PDF | – | `/Atm/DownloadSoftCopy/.../?docType=Atm&fileName=RFI-15434_%20Part%201_Conditions%20of%20Request%20for%20Information_Final.pdf` | | 2 | RFI-15434 Part 2 — Statement of Requirements (Final) | DOCX | 468 KB | `/Atm/DownloadSoftCopy/.../?docType=Atm&fileName=RFI-15434_Part%202_%20Statement%20of%20Requirements_Final.docx` | | 3 | RFI-15434 Part 3 — Response Form (General Response, Final) | DOCX | – | `/Atm/DownloadSoftCopy/.../?docType=Atm&fileName=RFI-15434_Part%203%20-%20Response%20Form_General%20Response_Final.docx` | | 4 | RFI-15434 Part 3a — Response Form (Technical) | XLSX | 34 KB | `/Atm/DownloadSoftCopy/.../?docType=Atm&fileName=RFI-15434_Part%203a%20-%20Response%20Form_Technical.xlsx` | | 5 | RFI-15434 Part 4 — Response Form (Financial, Final) | DOCX | 145 KB | `/Atm/DownloadSoftCopy/.../?docType=Atm&fileName=RFI-15434_Part%204%20-%20Response%20Form_Financial_Final.docx` | | 6 | RFI-15434 Part 4a — Response Form (Pricing, Final) | XLSX | 182 KB | `/Atm/DownloadSoftCopy/.../?docType=Atm&fileName=RFI-15434_Part%204a%20-%20Response%20Form_Pricing_Final.xlsx` | | 7 | RFI-15434 ATO Supplier FOCI Information Form v1.0 | DOCX | 101 KB | 
`/Atm/DownloadSoftCopy/.../?docType=Atm&fileName=RFI-15434_ATO%20Supplier%20FOCI%20Information%20Form_v1.0.docx` | | 8 | RFI-15434 Addendum 1 (FINAL VERSION) | PDF | 155 KB | `/Atm/DownloadAddenda/...?addendaId=d2cc9be7-31d4-4149-981d-a678553d8727&docType=Add` | | 9 | RFI-15434 Addendum 2 (FINAL) | PDF | 102 KB | `/Atm/DownloadAddenda/...?addendaId=ec0c48df-cc5a-4f7c-a6db-e0349e70460d&docType=Add` |"}],"tf":{"0":1,"00":1,"05":1,"1":4,"101":1,"102":1,"145":1,"15434":12,"155":1,"182":1,"2":5,"2026":3,"23":1,"26":1,"2601":1,"3":2,"31":1,"34":1,"3a":1,"4":3,"43230000":1,"468":1,"4a":1,"4b36":1,"5":1,"6":1,"7":1,"8":1,"8b48":1,"9":1,"a":1,"ac1330062362":1,"access":1,"act":3,"addenda":1,"addendum":4,"address":1,"adelaide":1,"agency":2,"alison":1,"and":3,"app":1,"applicable":1,"apr":1,"ar":1,"arrangement":1,"atm":5,"ato":3,"attached":2,"attachments":2,"au":2,"australian":1,"authenticated":1,"benefits":1,"biometric":2,"brisbane":1,"buchanan":1,"can":1,"canberra":2,"capability":1,"captured":1,"category":1,"cea1b989":1,"ceb0":1,"city":1,"close":1,"conditions":2,"contact":1,"costs":1,"crawl":1,"current":1,"darwin":1,"date":2,"delivery":1,"description":1,"details":1,"detection":1,"documentation":1,"documents":1,"docx":4,"email":1,"field":1,"final":9,"financial":1,"foci":1,"for":7,"form":5,"format":1,"from":1,"general":1,"gov":2,"hobart":1,"https":1,"id":1,"identify":1,"implementation":1,"implementing":1,"information":3,"integration":1,"intent":1,"is":2,"jun":1,"kb":7,"landing":1,"liveness":1,"local":1,"location":1,"lodgement":1,"market":1,"melbourne":1,"metadata":1,"multi":2,"myid":1,"name":1,"narellan":1,"no":3,"not":1,"nsw":1,"nt":1,"objectives":1,"of":7,"office":1,"or":1,"panel":1,"part":6,"participation":1,"pdf":3,"perth":1,"platform":1,"pm":1,"potential":3,"pricing":1,"products":1,"publish":1,"qld":1,"refer":1,"request":2,"requirement":1,"requirements":1,"response":5,"responses":1,"rfi":13,"rfi15434":1,"sa":1,"see":2,"seeking":1,"session":2,"show":1,"size":1,"software":1,"
solution":1,"solutions":2,"source":1,"src":1,"stage":1,"statement":1,"strategic":1,"street":1,"supplier":1,"support":1,"sydney":1,"tas":1,"taxation":1,"technical":1,"tenders":1,"that":1,"the":9,"this":2,"time":2,"timeframe":1,"title":1,"to":1,"type":1,"url":2,"v1":1,"value":1,"verification":1,"version":2,"viability":1,"vic":1,"view":1,"wa":1,"www":1,"xlsx":2}},{"dl":150,"n":"source-index","s":"sources/source-index","secs":[{"h":"Source Extracts Index","l":1,"t":"Markdown extractions of every attachment + the AusTender landing page. | Source | Original attachment | Notes | |---|---|---| | [[atm-landing]] | (web — `Atm/Show/cea1b989…`) | ATM landing page metadata captured 2026-05-31 | | [[src-01-part1-conditions]] | `01-part1-conditions.docx` | RFI conditions of tender (terms, definitions, instructions) | | [[src-02-part2-statement-of-requirements]] | `02-part2-statement-of-requirements.docx` | **The key document** — all LV / TV / S / P / A / H / IN / SC / OP / VISM / M / RM / UX requirements | | [[src-03-part3-response-general]] | `03-part3-response-general.docx` | General response form (conditions, declarations) | | [[src-04-part3a-response-technical]] | `04-part3a-response-technical.xlsx` | Technical response form (the compliance spreadsheet) | | [[src-05-part4-response-financial]] | `05-part4-response-financial.docx` | Financial response form | | [[src-06-part4a-response-pricing]] | `06-part4a-response-pricing.xlsx` | Pricing tables (T1 Licensing, T2 Discounts, T3 One-off, T4 Support, T5 Labour Rates) | | [[src-07-foci-information-form]] | `07-foci-information-form.docx` | Foreign Ownership / Control / Influence form (Attachment A) | | [[src-08-addendum-1]] | `08-addendum-1.pdf` | Issued addendum 1 (corrections / clarifications) | | [[src-09-addendum-2]] | `09-addendum-2.pdf` | Issued addendum 2 (corrections / clarifications) | All attachments live in `attachments/` (binary). 
Their downloaded SHAs are in `attachments/INDEX.md`."}],"tf":{"01":1,"02":1,"03":1,"04":1,"05":2,"06":1,"07":1,"08":1,"09":1,"1":2,"2":2,"2026":1,"31":1,"a":2,"addendum":4,"all":2,"are":1,"atm":2,"attachment":3,"attachments":1,"austender":1,"binary":1,"captured":1,"clarifications":2,"compliance":1,"conditions":3,"control":1,"corrections":2,"declarations":1,"definitions":1,"discounts":1,"document":1,"downloaded":1,"every":1,"extractions":1,"extracts":1,"financial":2,"foci":1,"foreign":1,"form":5,"general":2,"h":1,"in":3,"index":1,"influence":1,"information":1,"instructions":1,"issued":2,"key":1,"labour":1,"landing":3,"licensing":1,"live":1,"lv":1,"m":1,"markdown":1,"metadata":1,"notes":1,"of":3,"off":1,"one":1,"op":1,"original":1,"ownership":1,"p":1,"page":2,"part1":1,"part2":1,"part3":1,"part3a":1,"part4":1,"part4a":1,"pricing":2,"rates":1,"requirements":2,"response":7,"rfi":1,"rm":1,"s":1,"sc":1,"shas":1,"source":2,"spreadsheet":1,"src":9,"statement":1,"support":1,"t1":1,"t2":1,"t3":1,"t4":1,"t5":1,"tables":1,"technical":2,"tender":1,"terms":1,"the":3,"their":1,"tv":1,"ux":1,"vism":1,"web":1}},{"dl":7316,"n":"src-01-part1-conditions","s":"sources/src-01-part1-conditions","secs":[{"h":"","l":1,"t":"[TABLE] ![](media/image1.png) Part 1 – Conditions of Response"},{"h":"Conditions of Response","l":7,"t":""},{"h":"Introduction","l":9,"t":""},{"h":"About the Australian Taxation Office","l":11,"t":"The Australian Taxation Office is the Australian Government’s principal revenue collection agency. Its role is to manage and shape tax, excise and superannuation systems that fund services for Australians, and its national headquarters are located in Canberra, ACT. - The [*ATO Charter*](https://www.ato.gov.au/about-ato/commitments-and-reporting/ato-charter/) outlines the rights and obligations of Australian Taxation Office clients under the law as well as the service and other standards they can expect in dealing with the Australian Taxation Office. 
- Employees of the Australian Taxation Office are subject to the *Australian Public Service Values* and are bound by the *APS Code of Conduct* contained in Part 3 of the *Public Service Act 1999* (Cth). The [*APS Values* and *Code of Conduct*](https://www.apsc.gov.au/working-aps/integrity) are available on the Australian Public Service Commission website. - The [*Ethical business relationship statement*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/Complying-with-procurement-policy-and-legislation/Ethical-business-relationship-statement/) sets out what contractors can expect from the Australian Taxation Office and its employees in their business dealings. - The [*ATO Environmental Policy Statement*](https://www.ato.gov.au/About-ATO/Managing-the-tax-and-super-system/In-detail/Other-policies/ATO-environmental-policy-statement/) outlines the Australian Taxation Office's commitment, through integrated environmental management principles, to reduce its environmental footprint. Further information about the Australian Taxation Office can be found at [www.ato.gov.au](http://www.ato.gov.au). | ![Information](media/image3.svg) | For information on doing business with the Australian Government, see the [Selling to Government (Procurement) page](https://www.finance.gov.au/business/selling-government-procurement) on the Department of Finance website [www.finance.gov.au](http://www.finance.gov.au). 
| |----|----|"},{"h":"What the Australian Taxation Office expects of its contractors","l":28,"t":"The Australian Taxation Office requires its contractors to act in a manner consistent with: - the [*ATO Charter*](https://www.ato.gov.au/about-ato/commitments-and-reporting/ato-charter/), the [*APS Values* and *Code of Conduct*](https://www.apsc.gov.au/working-aps/integrity), the [*Ethical business relationship statement*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/Complying-with-procurement-policy-and-legislation/Ethical-business-relationship-statement/), and the [*ATO Environmental Policy Statement*](https://www.ato.gov.au/About-ATO/Managing-the-tax-and-super-system/In-detail/Other-policies/ATO-environmental-policy-statement/) (see paragraph [1](#about-the-australian-taxation-office)), and - the [*ATO information security guidelines for contractors*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/In-detail/ATO-information-security-guidelines-for-contractors/), the [*Work health and safety requirements for contractors and suppliers to the ATO*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/In-detail/Work-health-and-safety-requirements-for-contractors-and-suppliers-to-the-ATO/), and [*Information management for our contractors*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/Complying-with-procurement-policy-and-legislation/Information-management-for-our-contractors/)."},{"h":"About this Request for Response","l":36,"t":"This Request for Response (**RFI**) has 7 parts: Accessibility - [Part 1 – Conditions of Response](#_Ref141431744), - Part 2 – Statement of Requirements, (SOR) - Part 3 – Response Form – General - Part 3a – Response Form – Technical Requirements (Excel Spreadsheet) - Part 4 – Tender Response Form – Financial, - Part 4a – Tender Response Form – Financial Pricing (Excel Spreadsheet)"},{"h":"About this Part","l":52,"t":"This [Part 1 – Conditions of Response](#_Ref141431744) sets out 
requirements, instructions, and guidance for preparing and lodging Responses in response to this Request for Information (RFI)."},{"h":"Invitation to Response","l":56,"t":""},{"h":"Invitation to Response","l":58,"t":"In this RFI, the **ATO** means the Commonwealth of Australia, represented by and acting through the Australian Taxation Office (ABN 51 824 753 556). | Invitation details |  | |----|----| | Invitation: | The ATO invites Respondents to provide information about potential products and solutions for a Biometric Liveness detection solutions that can support the strategic objectives of the myID App in response to the requirements outlined in the Part 2 – Statement of Requirements. | | Closing Time: | Responses must be fully lodged by 2:00pm on 28/05/2026 local time in the ACT. | | Required Supplies: | The goods and/or services that the ATO requires, and its requirements, objectives, and outcomes in relation to them, are detailed in Part 2 – Statement of Requirements. | | Requirement in brief: | The RFI is to acquire a The Australian Taxation Office (ATO) is seeking information from the market on biometric liveness detection solutions that can support the strategic objectives of the myID app. The solution must support secure, seamless, and scalable identity verification for users accessing online services. | | Part Responses: | The ATO will not consider a Response for only part of the Required Supplies. |"},{"h":"RFI objectives and expected outcomes","l":70,"t":"The ATO is seeking responses from the market for potential products and/or solutions for the requirement of a Biometric Liveness Detection Solution that can support the strategic objectives of the myID App. The intent of this RFI is identify the viability of potential solutions, the implementation and integration costs and the potential benefits of implementing this platform. The insights from this RFI process will be utilised to inform internal decision making regarding this capability. 
The ATO expects to gain valuable insights and information from the industry to inform a future approach to potentially investing in a product or solution for this requirement. As a direct result of this RFI, the ATO may proceed with a second stage that includes any of the following options after an analysis of responses to this RFI: - Shortlist to potential viable solutions, - Request for Tender (RFT), - Request for Quote (RFQ), - Limited (LT), - Proof of Concept (POC), - Product demonstration or trial (PD), and - RFI closure. To be considered for any potential second stage following this RFI process, Respondents should have provided a response to this RFI. The ATO will communicate with Respondents once analysis of responses to this RFI is complete. Any Respondents selected to progress to potential further stages of the RFI process will be advised. The ATO intends to use this RFI and any potential subsequent second stage following this RFI process to ensure the efficient and ethical use of public money by ensuring that the potential **Required Supplies**: - Are delivered cost effectively and meet or exceed the quality levels, and the ATO’s requirements, objectives and outcomes, as detailed in the Part 2 – Statement of Requirements, - Incorporate industry leading practices so that they meet the ATO’s needs in a cost effective and environmentally sustainable manner, and - Are continuously improved to meet emerging needs and take advantage of industry developments in a cost effective and environmentally sustainable manner."},{"h":"Group Responses","l":104,"t":"The ATO may consider a Response from a **Responding Group** – a group of individual legal entities that lodges the Response collectively (for example a consortium, joint venture or partnership) – but may reject it: 1.  
If that Response does not provide sufficient information to enable the ATO to clearly identify and properly evaluate the individual legal entities of the Responding Group and their proposed business model. 2.  If that Response does not identify a lead member of the Responding Group (that lead member must be authorised to negotiate, act on behalf of, and bind, all members of the Responding Group) and a single point of contact for that lead member. 3.  If the composition of the Responding Group changes from that specified in that Response (the ATO may accept a change in composition, and may impose any conditions on it accepting any such change), or; 4.  If that Response proposes the ATO contract with any legal entity that does not exist at the time the Response is lodged or proposes that the ATO contract with two or more legal entities who will not be jointly and severally liable (to the extent allowable at law)."},{"h":"Part Responses and Alternative Responses","l":116,"t":"Whether or not the ATO will consider a Response for only part of the Required Supplies is identified in [Part 1 – Conditions of Response](#_Ref141431744) – paragraph [5](#invitation-to-response-1). The ATO may consider a Response that proposes alternatives to some or all of the Required Supplies (but which otherwise complies with this (RFI) but only if that Response: - Proposes an alternative solution which clearly satisfies the ATO’s requirements, objectives and outcomes as set out in Part 2 – Statement of Requirements. - Specifies each instance of change, the effect of the change (including effect on the prices and pricing provided), the reasons for the change, and how it may benefit the ATO, and; - Provides sufficient detail about the alternative solution to enable its proper evaluation by the ATO."},{"h":"No contract or undertaking","l":126,"t":"The ATO is not proposing to enter into a contract directly following this RFI. 
No other binding contract (including a process contract), express or implied, will exist between the ATO and any Respondent. Neither this RFI, nor any statement or conduct by the ATO, will be or be deemed to be: - An offer to enter into a contract, or; - A binding undertaking of any kind by the ATO (including, without limitation, an undertaking that could give rise to any rights based on promissory estoppel, quantum meruit or any other contractual, quasi contractual or restitutionary grounds, or any rights with a similar legal or equitable basis whatsoever)."},{"h":"RFI Process","l":136,"t":""},{"h":"This RFI published through AusTender","l":138,"t":"This RFI is published through AusTender, the online tendering system for Australian Government Agencies. AusTender allows respondents to download RFI documentation and upload responses. - A supplier proposing to lodge a Response in response to this RFI must first register as a user with AusTender at [www.tenders.gov.au](http://www.tenders.gov.au) (access to and use of AusTender is subject to Terms of Use). - If that supplier has obtained this RFI other than from AusTender, it must visit AusTender, register as a user, and download this RFI. - If that supplier’s registered user details are or have become incorrect when it downloads this RFI, it should amend its details and download this RFI again. - If there is any inconsistency between versions of this RFI, the version last published through AusTender will take precedence."},{"h":"Use of AusTender","l":150,"t":"Before using AusTender for any matter related to this RFI, a supplier must inform itself of – and make its own assessment of – all security measures and other aspects of the AusTender technical environment (including operating system and browser version level minimum standards) as described on AusTender. 
Neither the ATO nor the Commonwealth warrants that unauthorised access to information and data transmitted via the internet will not occur or takes any responsibility for any issues that may arise from a supplier’s infrastructure or internet connectivity or with respect to its use or attempted use of AusTender."},{"h":"Additional information","l":156,"t":"Respondents should visit the AusTender page for this RFI to identify whether the ATO has prepared additional information relevant to this RFI (such as an information pack), and if so, the basis upon which the ATO will make that additional information available to respondents. | ![Information](media/image3.svg) | If the ATO has prepared e.g. an Information Pack that contains commercially sensitive information, the ATO may require respondents to first sign confidentiality undertakings or the like before providing it to them. | |----|----|"},{"h":"Indicative timetable","l":163,"t":"The table set out below identifies proposed dates for key milestones for this RFI. This is an indicative timetable only – the ATO may alter and add to this timetable and may undertake other activities. | Invitation details | Proposed date | |----|----| | Release Approach to Market | Thursday, 23 April 2026 | | Closing Date for clarifications: | Thursday, 21 May 2026 | | Closing date for Responses | Thursday, 28 May 2026 | | Completion of evaluation of Responses | Thursday, 11 June 2026 | | RFI Period | ***180 days from date of response submission*** |"},{"h":"Industry Briefings","l":175,"t":"Industry briefings, if conducted, are for the purpose of providing background information only. Respondents should not rely on statements made at industry briefings as varying, supplementing or clarifying this RFI, as the ATO will notify respondents in accordance with [Part 1 – Conditions of Response](#_Ref141431744) – paragraph [16](#notification-of-rfi-variations-and-etc.) 
if it does so."},{"h":"Variation or termination of RFI process","l":179,"t":"The ATO may at any time and at any stage of the RFI process, including during the evaluation process: - Vary, supplement and clarify this RFI or any aspect or Part of it (including timing, assessment and other processes, Part 2 – Statement of Requirement, and Part 5 – Draft Contract). - Seek and obtain clarification of, and additional information in relation to, Responses from anyone, and use any such information for the evaluation of Responses. - Publish or disclose the names of respondents lodging Responses (whether successful or not). - Seek amended Responses, call for new Responses, and suspend and re-start this RFI process. - Use material a Respondent provides in response to one evaluation criterion to assess that Respondent against any other evaluation criteria. - Shortlist Respondents and their Responses, and; - Terminate this RFI process and not proceed with any potential second stage following this RFI process, if the ATO determines that no Response meets the Conditions for Participation or represents value for money, that no Respondent is fully capable of fulfilling the RFI requirements, or that it is in the public interest to do so. Where the ATO has a right under this RFI, the ATO is not obliged – and a Respondent has no right to require the ATO – to exercise that right, take any action, or provide any reasons if it does or doesn’t do so."},{"h":"Notification of RFI variations and etc.","l":199,"t":"If the ATO varies, supplements, or clarifies this RFI, or terminates, suspends or restarts this RFI process, reasonable efforts will be made to inform suppliers as follows: - By the ATO posting notices and other addenda on the AusTender page for this RFI – the ATO will accept no responsibility if a supplier fails to become aware of any notice or other addendum which would have been apparent from a visit to the AusTender page for this RFI. 
- By AusTender sending notifications of addenda to the email addresses as identified by suppliers in their registered user details when they downloaded this RFI from AusTender – suppliers are to log in to AusTender and collect addenda as notified. If the ATO varies or supplements this RFI after a Respondent had submitted a Response, it may seek an amended Response from that Respondent."},{"h":"Public Interest Certificates","l":209,"t":"If a Public Interest Certificate (**PIC**) is or has been issued by the ATO in relation to this procurement, that PIC will be published on the AusTender page for this RFI."},{"h":"Coordinated Procurement","l":213,"t":"Respondents should note that, should the ATO progress to any potential second stage following this RFI process, the Commonwealth has proposed to establish coordinated procurement contracting frameworks for use by Commonwealth bodies that are subject to the *Public Governance, Performance and Accountability Act 2013* (Cth), such as the ATO. It is possible that the Commonwealth may approve the procurement of some or all of the Required Supplies under a coordinated process: - Before the ATO completes the RFI process – in which case the ATO may discontinue the process, or remove the relevant Required Supplies from the scope of this RFI process, or; - After the ATO has completed the RFI process – in which case this may impact the ATO’s approach following the completion of this RFI process."},{"h":"Cooperative Procurement (piggy-backing)","l":221,"t":"This RFI process does not intend to award a contract following completion of this RFI process. However, subsequent stages of this process could result in the award of a contract that allows for other Commonwealth Agencies to place orders under that contract. Respondents should note that: - Any future contract may allow such orders to be placed by Nominated Agencies (other Commonwealth departments and agencies nominated by the Respondent or the ATO for that purpose). 
- Except as disclosed in the Part 2 – Statement of Requirements, no other Commonwealth department or agency has advised the ATO of their plans to obtain Required Supplies through such orders, but; - The volume of Required Supplies to be provided by the Respondent in connection with any potential future arrangement may increase as a consequence of Nominated Agencies placing such orders."},{"h":"ATO’s Contact Officer","l":231,"t":"The **ATO’s Contact Officer** is the person (and his/her relevant addresses are those) identified as such in the table below, or such other person (or addresses) as the ATO otherwise notifies a supplier. | ATO’s Contact Officer |  | |----|----| | Name: Alison Buchanan, ICT Procurement, ATO Sourcing, Commercial Services and Leasing |  | | Email address: | RFI15434@ato.gov.au | The ATO’s Contact Officer is to be the sole contact point for any queries, requests for any information or complaints in relation to this RFI until this RFI process has concluded."},{"h":"Complaints","l":242,"t":"Any complaints Respondents may have concerning this RFI, or the ATO’s management of it, should be directed in writing to the ATO’s Contact Officer. The ATO may have those concerns reviewed by an ATO officer, or refer them to a probity advisor, with a view to them being investigated and resolved. Information on how to lodge a complaint is available on the [ATO’s website](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/Procurement-related-complaints/)."},{"h":"General enquiries and questions","l":248,"t":"Respondents should contact the ATO’s Contact Officer: - By email – if they have questions or requests for clarification in relation to this RFI. 
Respondents submit their questions or requests for clarification on the basis that the ATO can provide their questions and requests (without disclosing their source), and the ATO’s responses to them, to other respondents either directly or by posting them on the AusTender page for this RFI (see [Part 1 – Conditions of Response](#_Ref141431744) – paragraph 15)."},{"h":"Notices","l":256,"t":"Any notice given by a supplier to the ATO in connection with this RFI must be: - In writing, marked to the attention of the ATO’s Contact Officer, and - Sent by email to the ATO Contact Officer’s relevant address. The ATO must give notices in connection with this RFI to a supplier in writing: - By posting them on the AusTender page for this RFI, or; - By hand delivery, post or email to a relevant address the supplier has identified (for example in its registered user details or its Response). A supplier can identify in its Response information that it does not wish to receive by email, but in any event information that is classified “Protected” or higher will not be exchanged by email."},{"h":"Suppliers participate in this RFI at their own risk","l":272,"t":"Participation in any stage of this RFI process, or in relation to any matter concerning this RFI, will be at a participating supplier’s sole risk, cost and expense. The ATO will not be responsible in any circumstance for any costs or expenses incurred by a supplier in preparing or lodging a Response (or an amended or new Response), or in otherwise taking part in or taking any other action related to this RFI process. 
The ATO will not be liable (whether in negligence or on the basis of any promissory estoppel, quantum meruit or on any other contractual, quasi contractual or restitutionary grounds whatsoever) to a supplier for any loss, cost, expense, claim or damage as a consequence of: - The ATO varying, suspending or terminating this RFI, or the ATO exercising (or not exercising) any of its other rights under or in relation to this RFI (whether the supplier is informed or not). - Any other matter or thing relating or incidental to the supplier’s participation in this RFI process, or; - The Respondent not being invited to participate in any process following completion of this RFI process. The laws for the time being in force in the Australian Capital Territory apply to this RFI and RFI process."},{"h":"Preparing a Response","l":286,"t":""},{"h":"Conditions for Participation","l":288,"t":"The Conditions for Participation are set out in Part 3 – RFI Response Form – General. Before preparing a Response, a supplier should first ensure that it (and all relevant subcontractors it proposes to identify in its Response) can meet the Conditions for Participation. The ATO: - Will not consider a Respondent’s Response unless that Respondent complies (and all its relevant subcontractors comply) with the Conditions for Participation that apply as at the Closing Time. - Will not further consider a respondent’s Response if that supplier (or any of its relevant subcontractors) ceases to comply with the Conditions for Participation at any subsequent time in the RFI process, and; | ![Information](media/image3.svg) | The Conditions of Participation correspond to particular Commonwealth policies that preclude agencies such as the ATO entering into certain procurement contracts with certain organisations. | |----|----|"},{"h":"Form of Response","l":299,"t":"The RFI Response Forms are provided to assist Respondents in preparing their Responses. 
- Respondents may use the RFI Response Forms for the purpose of their Response. - Respondents should respond to the questions, and supply the information and materials, in the same order and under the same headings as shown in those RFI Response Forms. - Respondents must respond to the questions, and provide the information and materials requested, in each Item of those RFI Response Forms honestly and completely. If a supplier does not, it will be evaluated as not complying with the relevant question or request. Respondents must not make false or misleading statements in their Responses. Respondents should note that Division 137.1 of the *Criminal Code*, a Schedule to the *Criminal Code Act 1995* (Cth), makes it an offence to knowingly provide false or misleading information to a Commonwealth entity."},{"h":"Language and measurement","l":311,"t":"Unless otherwise specified, all Responses (including annexures) and supporting documentation must: - Be written in the English language, and; - Refer only to Australian legal units of measurement."},{"h":"Response Price and pricing basis","l":319,"t":"The pricing information provided by a Respondent must: - Remain unalterable for the RFI Period and not vary according to the mode of payment. - Be expressed in Australian dollars (except for any component which the Respondent considers involves a foreign currency risk). - Identify the GST exclusive amount/s, any GST amount/s applicable, and the total amount/s, and; - Meet the Pricing Basis requirements set out in the Part 4 – RFI Response Form."},{"h":"Competitive neutrality","l":331,"t":"Competitive neutrality requires that Government businesses should not enjoy net competitive advantages over their private sector competitors by virtue of public sector ownership. 
Respondents from the public sector must demonstrate in their Response that the requirements of competitive neutrality have been met, including as to payment of relevant taxes and charges, rates of return, and cost of funds."},{"h":"Subcontracting","l":335,"t":"A Respondent must indicate in its Response if it intends any person or body who is not an employee to perform work in relation to the Required Supplies, and if so, must identify the full names of its proposed subcontractors and details of the work proposed to be undertaken by them."},{"h":"Risk and Insurance","l":339,"t":"In its Response, a supplier must provide details of its current insurance cover for the purposes of the provision of the Required Supplies under the Contract (if its Response is accepted)."},{"h":"Conflict of interest","l":343,"t":"A Respondent must identify in its Response whether, to the best of its knowledge after making diligent enquiry, a conflict of interest (concerning itself or any related entity) exists or is likely to arise which does, may or may appear to: - Impair its ability to provide the potential Required Supplies diligently and independently, or; - Prejudice the impartial conduct of this RFI process or bring disrepute to or embarrass the ATO. If such a conflict of interest arises or becomes likely to arise during this RFI process after a Respondent has lodged a Response, the Respondent must immediately notify the ATO of all details of the conflict. 
The ATO may exclude a Response if such a conflict of interest is identified (by the Respondent or the ATO) and: - The Respondent has not disclosed that conflict as above, or fails to take such steps as the ATO reasonably requires to resolve or otherwise deal with that conflict, or; - The ATO considers that conflict cannot be resolved or otherwise dealt with to its satisfaction."},{"h":"Collusive and anti-competitive conduct","l":359,"t":"A Respondent (and its officers, employees, agents and advisers) must not engage in any collusive (other than a Group Response to the extent permitted by this RFI), or any anti-competitive or similar conduct with any other person or body, in relation to the preparation or lodgement of its Response or this RFI process. A Respondent must fully disclose in its Response: - Whether its Response has been prepared with any consultation, communication, contract, arrangement, understanding or agreement with any competitor, and if so, the nature and extent of that consultation, communication, contract, arrangement, understanding or agreement, and; - Whether it or any person associated with its Response (including directors and senior management) are or have been subject to proceedings relating to anti-competitive conduct in Australia or overseas. The ATO may exclude a Response: - If the ATO suspects any such collusive or anti-competitive conduct (and may report that suspicion to, and provide all relevant documents, information and assistance to, the appropriate authority). 
- If the supplier does not make full disclosure of such matters in its Response, or; - If the supplier, or any person or body associated with its Response, has ever contravened the anti-competitive provisions of the *Competition and Consumer Act 2010* (Cth) or equivalent laws in Australia or overseas."},{"h":"Improper information or assistance","l":377,"t":"In preparing a Response, a Respondent must not: - Rely on any warranty, representation or conduct that is not expressly provided for in this RFI, or; - Use the improper assistance of the ATO’s employees, former employees, contractors or ex-contractors or information unlawfully obtained or in breach of an obligation of confidentiality."},{"h":"Improper influence","l":385,"t":"A supplier must not, and must not attempt to or procure or encourage any other person or body, in connection with its Response or this RFI process, to: - Improperly influence any Australian Government employee or officer. - Violate any applicable laws or Commonwealth policies regarding the offering of inducements, or; - Breach the *Lobbying Code of Conduct* available at [www.ag.gov.au/integrity/publications/lobbying-code-conduct](http://www.ag.gov.au/integrity/publications/lobbying-code-conduct)."},{"h":"Future Matters","l":395,"t":"Information provided by the ATO to Respondents in this RFI or during this RFI process concerning current, past or expected requirements, volumes, locations, environments or other relevant matters: - Has not been (and will not be) independently audited or verified. - May be based on projections from historical information which may not be accurate, and; - May assume trends, events or other matters that may not be valid, or may not eventuate as and when expected or at all. 
The ATO will have no liability to any supplier should any information or material provided in respect to this RFI be out of date, inaccurate or incomplete, or if actual requirements, volumes, locations, environments or other relevant matters vary from those as identified in this RFI or during the RFI process."},{"h":"Commonwealth Legislation","l":407,"t":"Respondents must familiarise (and will be taken to have familiarised) themselves with all relevant Commonwealth legislation, including: - The *Privacy Act 1988* (Cth) – which imposes certain requirements on, particularly, Commonwealth contractors and their subcontractors. - The *Freedom of Information Act 1982* (Cth) – which gives members of the public rights of access to certain documents of the Commonwealth. - The *Auditor-General Act 1997* (Cth) – which allows the Auditor-General to conduct a review or examination, at any time, of any aspect of the operations of Australian Government agencies. - The *Ombudsman Act 1976* (Cth) – which authorises the Ombudsman to investigate the administrative actions of Australian Government departments and agencies and to investigate the actions of certain Australian Government contractors, and; - The *Government Procurement (Judicial Review) Act 2018* (Cth) – which provides suppliers the basis to seek the grant of an injunction or the award of compensation in relation to the contravention of relevant Commonwealth Procurement Rules (so far as those this relates to a covered procurement). Respondents should obtain (and will be taken to have obtained) their own advice on the impact of such legislation on their participation in this RFI process and/or any resultant contract."},{"h":"Respondents to inform themselves","l":423,"t":"A supplier is responsible for: - Examining this RFI, all documents referred to in this RFI, and all other information made available in writing by the ATO to respondents in connection with this RFI process. 
- Obtaining and examining all further information which is obtainable by making reasonable enquiries relevant to the risks, contingencies and other circumstances having an effect on its Response, and; - Satisfying itself as to the correctness and sufficiency of its Response (including its Response Price), the nature and effect of any laws regulating the provision of the Required Supplies, the terms and conditions of Part 5 – Draft Contract, and its ability to comply with those terms and conditions."},{"h":"Lodging a Response","l":433,"t":""},{"h":"Lodgement and Closing Time","l":435,"t":"Responses must be lodged electronically via AusTender by the Closing Time in accordance with this and the lodgement procedures and instructions on AusTender. - The **Closing Time** is identified in [Part 1 – Conditions of Response](#_Ref141431744) – paragraph [5](#invitation-to-response-1). The ATO may extend the Closing Time by posting an addendum or notice on the AusTender page for this RFI, in which case the new Closing Time will apply to all respondents. - The time displayed on AusTender is deemed correct and will be the means by which the ATO will determine whether a Response has been lodged by the Closing Time. The ATO’s decision is final. - If there is any inconsistency between this RFI and the lodgement procedures and instructions on AusTender, this RFI will prevail. - A Response lodged by a supplier through AusTender will be deemed to be authorised by the supplier."},{"h":"Uploading Responses to AusTender","l":447,"t":"Respondents must lodge their Responses from the AusTender page for this RFI, by uploading their Response documents as electronic files to AusTender. - AusTender allows a supplier to include, in each upload, a maximum of 5 electronic files. The electronic files included in a single upload must not exceed a combined size of 50 megabytes. 
- The files included in a single upload should be zipped (compressed) for transmission to AusTender and uploaded from a high level directory on a supplier’s desktop computer, so as not to impede the upload process. Where a supplier lodges its Tender as multiple uploads, it should clearly identify each upload as part of its Response. - When a given upload by a supplier has completed successfully, AusTender provides an official receipt on screen (the supplier should print and save that as proof of lodgement), and an email confirmation (sent according to the supplier’s registered user details). If the supplier does not receive that receipt, that upload has not completed successfully. - Where a given upload by a supplier has completed successfully, and AusTender system logs confirm that the transmission of that upload commenced before, but concluded after, the Closing Time, the relevant response documents in that upload will be taken to have been lodged by the Closing Time. - Where – due to a failure of the AusTender web site – a supplier has problems uploading its documents to AusTender prior to the Closing Time or has not received a lodgement receipt, the supplier should notify the ATO’s Contact Officer immediately. If the ATO advises the supplier in writing of alternative arrangements for the lodgement of those Response documents, and the supplier lodges them strictly in accordance with those alternative arrangements, those Response documents will be taken to have been lodged electronically via AusTender by the Closing Time. - Responses and Response documents lodged after the Closing Time are late Responses and will not be accepted unless the delay is due solely to mishandling by the ATO. 
Respondents must allow sufficient time for their Response lodgement, including time that may be required for any problem analysis and resolution prior to the Closing Time."},{"h":"Response document files","l":465,"t":"Respondents must ensure that the electronic files comprising their Response documents comply with the following requirements (otherwise the relevant Response document/s will not be accepted and/or excluded from evaluation): - Response documents must be in Microsoft Word or Excel format (or if not available to a supplier, another format/s agreed in writing by the ATO’s Contact Officer) and must be capable of being read (and if encrypted, decrypted) by the ATO’s Contact Officer. - Response documents must be free of viruses, worms, malicious code or other disabling features which may affect AusTender and/or the ATO computing environment. The ATO may also refuse to accept and/or exclude from consideration any Response document it believes to potentially contain any such virus, worm, malicious code or other disabling feature. - The file name of a Response document (when combined with the filepath) must identify the supplier, must not exceed 100 characters, and must not contain special characters (e.g. \\\\ / : \\* ?“\" \\< \\> \\|). Where the supplier’s Response comprises multiple files, each must have a unique name reflecting its content. - Scanned or imaged material may be included in an electronic file comprising a (or part of a) Response document, so long as the file does not thereby exceed the 50 megabyte file size limit. Such scanned or imaged material that exceeds that size limit may be provided separately to the ATO’s Contact Officer no later than 2 business days after the Closing Time. 
If the ATO requires the supplier to courier or security post originals of those scanned or imaged material to the ATO’s Contact Officer, the supplier must do so within 2 business days of that request."},{"h":"Supporting material","l":477,"t":"Responses must be completely self-contained. No hyperlinked or other material may be incorporated by reference. Supporting material which elaborates or clarifies the Response, but which does not alter it in any material respect, must be provided to the ATO’s Contact Officer no later than 2 business days after the Closing Time. The ATO will not consider any material presented by a supplier as supporting material which, in the ATO’s opinion, materially alters the supplier’s Response."},{"h":"Revised Responses","l":481,"t":"Where a supplier wishes to alter the Response it has lodged, it must lodge a revised Response prior to the Closing Time. The revised Response will (and will be taken to) supersede the supplier’s previous Response/s, and those previous Response/s will be excluded and not considered by the ATO."},{"h":"Confidentiality of Responses","l":485,"t":"Respondents should note the following: - Subject to paragraph [48](#ownership-and-use-of-documents), the ATO will keep all Responses confidential prior to it accepting a Response and afterwards will keep all unsuccessful Responses confidential (for the successful Response, the provisions of the Contract will apply). For the purposes of this and the next paragraph, a supplier’s Response includes all additional information the supplier provides to the ATO in the course of this RFI. - Rights of access to information in, or in relation to, Responses and contracts exist under a range of Commonwealth legislation (including the *Freedom of Information Act 1982*, the *Auditor-General Act 1997*, and the *Ombudsman Act 1976* ), and the Parliament and the courts also have rights to access a wide range of information. 
- The ATO is required to report certain details of agreements, contracts and standing offers it enters into with an estimated liability (including GST where applicable) of \\$10,000 or more on AusTender and list on its website certain details of its current contracts which have a value of \\$100,000 or more. - Information on those publishing and listing requirements, and confidentiality, can be found in the [*Commonwealth Procurement Rules*](https://www.finance.gov.au/government/procurement/commonwealth-procurement-rules), [*Resource Management Guide No. 423 Procurement Publishing and Reporting Obligations*](https://www.finance.gov.au/publications/resource-management-guides/procurement-publishing-and-reporting-obligations-rmg-423), [*Resource Management Guide No. 403 Meeting the Senate Order for Entity Contracts*](https://www.finance.gov.au/publications/resource-management-guides/meeting-senate-order-entity-contracts-rmg-403) and [*Confidentiality throughout the Procurement Cycle*](https://www.finance.gov.au/government/procurement/buying-australian-government/confidentiality-throughout-procurement-cycle) (available at [www.finance.gov.au](http://www.finance.gov.au))."},{"h":"Confidential Information","l":497,"t":"By lodging its Response, a supplier accepts that the ATO and a supplier may each only disclose the other’s Confidential Information if that disclosure doesn’t breach any law and is made: - To its employees, officers or professional advisers for purposes of (or relating to) this RFI process and/or any resultant contract. - In the case of the ATO – to its responsible Minister or in response to a request by a House or a Committee of the Parliament of the Commonwealth of Australia. - With the other’s express written approval, or; - As required or authorised by applicable government direction, policy or law. 
**Confidential Information** of the ATO or of a supplier (as the case may be) means information concerning it or its operations, business or clients that is by its nature confidential and that the other knows, or reasonably ought to know, is confidential."},{"h":"Ownership and use of documents","l":511,"t":"Response documents become the property of the ATO on their submission. The ATO may (and by lodging its Response, a supplier will be taken to have expressly authorised the ATO in writing to) use, retain, copy and disclose its Response (and the information contained in it) for the purposes of: - Response evaluation. - The preparation and management of any resultant contract, and; - Any other related matter (including Governmental and Parliamentary requirements)."},{"h":"Response evaluation","l":521,"t":""},{"h":"Evaluation of Responses","l":523,"t":"A **Respondent** means a supplier (or a member of a Responding Group) that has lodged a Response. The ATO: - Will not consider, and will exclude, any Response if the Respondent (or any subcontractor it identifies in its Response) does not comply with the Conditions for Participation (see [Part 1 – Conditions of Response](#_Ref141431744) – paragraph [27](#form-of-response)). - May undertake one or more shortlisting or other processes at any time, and may exclude any Response that in the ATO’s opinion fails to comply with these Conditions of Response, is materially incomplete, does not clearly satisfy the ATO’s requirements, or is otherwise clearly non-competitive."},{"h":"Presentations, meetings, visits, demonstrations and reference checks","l":531,"t":"The evaluation of Responses may involve presentations by Respondents, meetings with Respondents. Such presentations, meetings, visits, demonstrations and reference checks may be held with, or in relation to, some or all of the Respondents."},{"h":"Clarification","l":535,"t":"The ATO may seek clarification in relation to Responses and/or their Respondents. 
Respondents are to respond in the manner and form, and within the time period, specified by the ATO. The ATO is not under any obligation to take into account additional information provided by a Respondent in response to a clarification request and will not do so where that would introduce unfairness into the evaluation process."},{"h":"Correction of clerical & etc. errors","l":539,"t":"The ATO may allow a supplier to correct or clarify unintentional errors in the supplier’s Response documents after the Closing Time, but only if the ATO is satisfied that the relevant correction or clarification proposed by the supplier does not alter its Response in any material respect and is only to rectify an unintentional error which is clerical or administrative, or an unintentional error of form."},{"h":"Conducting security, probity and financial checks","l":543,"t":"The ATO may perform such security, probity and financial investigations and procedures as the ATO may determine are necessary in relation to any Respondent, its employees, officers, partners, associates, subcontractors or related entities. A Response may be excluded by the ATO if the Respondent does not provide, at its cost, all reasonable assistance to the ATO in this regard."},{"h":"Substitution of Respondent","l":547,"t":"If the composition or control, or the business, of a Respondent changes, the ATO may (at its discretion): - Allow the substitution of another legal entity for the Respondent upon receipt of a joint written request by that Respondent and that other legal entity (in which case the ATO will take into account the expected impact of the event on the information provided in the Response when evaluating the Response), or; - Exclude the Response and not consider it further."},{"h":"Evaluation process and criteria","l":555,"t":"Responses not otherwise excluded will be assessed by the ATO against the evaluation criteria: - Responses will be evaluated by the Response Evaluation Team. 
- The Response Evaluation Team will conduct that evaluation in such (technical, financial or other) evaluation stages as the Evaluation Plan requires or permits, will evaluate those Responses against the Evaluation Criteria described in the Evaluation Plan (as outlined below), and will provide its report and recommendations to the Delegate. - The Delegate will provide direction based on the details of the report submitted by the Evaluation team. - The criteria for any potential second stage of the procurement process are not yet known but will be provided to potential respondents at the time they are invited to make submissions in a second and/or later stages. - Only Respondents deemed to have suitably met the criteria outlined below and the mandatory requirements outlined the RFI Part 2 – Statement of Requirements would be invited to any potential second stage of the procurement process. - The Response Evaluation Team with assess responses based on the following criteria: [TABLE] Respondents should note that that the ATO: - May request demonstrations from shortlisted Respondents (this may or may not be part of PoC activity). - The evaluation criteria set out in the above table are not set out in any order of importance. - Will not consider, and will exclude, any Response if the Respondent (or any subcontractor it identifies in its Response) does not comply with the Conditions for Participation (set out in the Part 3 – RFI Response Form). - Will undertake a comprehensive review and assessment against the Evaluation Criteria of any Response that complies with the Conditions for Participation and will take into consideration the ability of the broader industry to satisfy the ATO’s requirements at a high standard and at an acceptable risk on a whole-of-life basis. 
- May undertake one or more shortlisting or other processes at any time to exclude any Response that in the ATO’s opinion fails to comply with the Conditions of this RFI, is materially incomplete, or does not clearly satisfy the ATO’s requirements. - Neither the lowest priced Response, nor the Response which by comparison provides the greater value for money to the ATO, will necessarily be accepted by the ATO, and; - The ATO may not accept any Response at all."},{"h":"Response selection","l":589,"t":""},{"h":"Offer Period of a Response","l":591,"t":"A Respondents must hold its Response open for acceptance by the ATO for the **Offer Period**, being: - The minimum duration of the Offer Period identified in [Part 1 – Conditions of Response](#_Ref141431744) – paragraph [5](#invitation-to-response-1), or; - If that Respondents has nominated a longer Offer Period in its Respondents response – that longer period. The ATO may request an extension of the Offer Period."},{"h":"Statements by Respondents","l":601,"t":"Respondent must not furnish any information, make any statement or issue any document or other written or printed material concerning the acceptance of any Response in response to this RFI for publication in any media without the prior written approval of the ATO. The ATO will not withhold its approval to the extent the Respondents is required to disclose information by the rules of a stock exchange."},{"h":"Debriefing of Respondents","l":605,"t":"Respondents will be promptly notified following the: - Rejection of their submission, or; - The award of a contract in relation to this RFI. Respondents will be offered an oral debriefing following the award of a contract in relation to this RFI. Respondents requiring a debriefing should contact the ATO’s Contact Officer. Where a debriefing is requested, Respondents will be debriefed against the evaluation criteria (see [Part 1 – Conditions of Response](#_Ref141431744) – paragraph [55](#offer-period-of-a-response)). 
In accordance with Commonwealth policy, a Respondents will not be provided with information concerning other Responses, except for publicly available information such as the name of the successful Respondents and the total price of the successful Response. [TABLE]"}],"tf":{"000":2,"00pm":1,"05":1,"1":16,"10":1,"100":2,"11":1,"137":1,"15":1,"16":1,"180":1,"1976":2,"1982":2,"1988":1,"1995":1,"1997":2,"1999":1,"2":13,"2010":1,"2013":1,"2018":1,"2026":5,"21":1,"23":1,"27":1,"28":2,"3":5,"3a":1,"4":3,"403":2,"423":2,"48":1,"4a":1,"5":6,"50":2,"51":1,"55":1,"556":1,"7":1,"753":1,"824":1,"a":150,"ability":3,"abn":1,"about":17,"above":2,"accept":4,"acceptable":1,"acceptance":2,"accepted":4,"accepting":2,"accepts":1,"access":5,"accessibility":1,"accessing":1,"accordance":4,"according":2,"account":2,"accountability":1,"accurate":1,"acquire":1,"act":16,"acting":1,"action":2,"actions":2,"activities":1,"activity":1,"actual":1,"add":1,"addenda":3,"addendum":2,"additional":6,"address":3,"addresses":3,"administrative":2,"advantage":1,"advantages":1,"advice":1,"advised":2,"advisers":2,"advises":1,"advisor":1,"affect":1,"after":10,"afterwards":1,"ag":2,"again":1,"against":5,"agencies":8,"agency":2,"agents":1,"agreed":1,"agreement":2,"agreements":1,"alison":1,"all":21,"allow":4,"allowable":1,"allows":4,"also":2,"alter":4,"alternative":5,"alternatives":1,"alters":1,"amend":1,"amended":3,"amount":3,"an":25,"analysis":3,"and":231,"annexures":1,"another":3,"anti":5,"any":99,"anyone":1,"app":3,"apparent":1,"appear":1,"applicable":4,"apply":4,"approach":3,"appropriate":1,"approval":3,"approve":1,"april":1,"aps":5,"apsc":2,"are":21,"arise":3,"arises":1,"arrangement":3,"arrangements":2,"as":43,"aspect":2,"aspects":1,"assess":2,"assessed":1,"assessment":3,"assist":1,"assistance":4,"associated":2,"associates":1,"assume":1,"at":23,"ato":181,"attempt":1,"attempted":1,"attention":1,"au":28,"audited":1,"auditor":3,"austender":40,"australia":4,"australian":26,"australians":1,"authorised":4,"authoris
es":1,"authority":1,"available":8,"award":5,"aware":1,"background":1,"backing":1,"based":4,"basis":8,"be":68,"become":3,"becomes":1,"been":9,"before":5,"behalf":1,"being":5,"believes":1,"below":4,"benefit":1,"benefits":1,"best":1,"between":3,"bind":1,"binding":2,"biometric":3,"bodies":1,"body":4,"bound":1,"breach":3,"brief":1,"briefings":3,"bring":1,"broader":1,"browser":1,"buchanan":1,"business":13,"businesses":1,"but":9,"buying":1,"by":69,"call":1,"can":10,"canberra":1,"cannot":1,"capability":1,"capable":2,"capital":1,"case":6,"ceases":1,"certain":7,"certificate":1,"certificates":1,"change":5,"changes":2,"characters":2,"charges":1,"charter":4,"checks":3,"circumstance":1,"circumstances":1,"claim":1,"clarification":7,"clarifications":1,"clarifies":2,"clarify":2,"clarifying":1,"classified":1,"clearly":6,"clerical":2,"clients":2,"closing":20,"closure":1,"code":10,"collect":1,"collection":1,"collectively":1,"collusive":3,"combined":2,"commenced":1,"commercial":1,"commercially":1,"commission":1,"commitment":1,"commitments":2,"committee":1,"commonwealth":21,"communicate":1,"communication":2,"comparison":1,"compensation":1,"competition":1,"competitive":10,"competitor":1,"competitors":1,"complaint":1,"complaints":4,"complete":1,"completed":4,"completely":2,"completes":1,"completion":4,"complies":3,"comply":8,"complying":4,"component":1,"composition":3,"comprehensive":1,"compressed":1,"comprises":1,"comprising":2,"computer":1,"computing":1,"concept":1,"concerning":7,"concerns":1,"concluded":2,"conditions":26,"conduct":15,"conducted":1,"conducting":1,"confidential":7,"confidentiality":6,"confirm":1,"confirmation":1,"conflict":8,"connection":5,"connectivity":1,"consequence":2,"consider":10,"consideration":2,"considered":2,"considers":2,"consistent":1,"consortium":1,"consultation":2,"consumer":1,"contact":19,"contain":2,"contained":3,"contains":1,"content":1,"contingencies":1,"continuously":1,"contract":22,"contracting":1,"contractors":13,"contracts":6,"contractual":4,"contrav
ened":1,"contravention":1,"control":1,"cooperative":1,"coordinated":3,"copy":1,"correct":2,"correction":2,"correctness":1,"correspond":1,"cost":7,"costs":2,"could":2,"courier":1,"course":1,"courts":1,"cover":1,"covered":1,"criminal":2,"criteria":10,"criterion":1,"cth":9,"currency":1,"current":3,"cycle":2,"damage":1,"data":1,"date":5,"dates":1,"days":4,"deal":1,"dealing":1,"dealings":1,"dealt":1,"debriefed":1,"debriefing":4,"decision":2,"decrypted":1,"deemed":4,"delay":1,"delegate":2,"delivered":1,"delivery":1,"demonstrate":1,"demonstration":1,"demonstrations":3,"department":2,"departments":2,"described":2,"desktop":1,"detail":5,"detailed":2,"details":13,"detection":3,"determine":2,"determines":1,"developments":1,"diligent":1,"diligently":1,"direct":1,"directed":1,"direction":2,"directly":2,"directors":1,"directory":1,"disabling":2,"disclose":5,"disclosed":2,"disclosing":1,"disclosure":2,"discontinue":1,"discretion":1,"displayed":1,"disrepute":1,"division":1,"do":4,"document":6,"documentation":2,"documents":16,"does":19,"doesn":2,"doing":1,"dollars":1,"download":3,"downloaded":1,"downloads":1,"draft":2,"due":2,"duration":1,"during":4,"e":2,"each":6,"effect":4,"effective":2,"effectively":1,"efficient":1,"efforts":1,"either":1,"elaborates":1,"electronic":5,"electronically":2,"email":8,"embarrass":1,"emerging":1,"employee":2,"employees":7,"enable":2,"encourage":1,"encrypted":1,"engage":1,"english":1,"enjoy":1,"enquiries":2,"enquiry":1,"ensure":3,"ensuring":1,"enter":2,"entering":1,"enters":1,"entities":4,"entity":7,"environment":2,"environmental":6,"environmentally":2,"environments":2,"equitable":1,"equivalent":1,"error":2,"errors":2,"establish":1,"estimated":1,"estoppel":2,"etc":3,"ethical":5,"evaluate":2,"evaluated":2,"evaluating":1,"evaluation":26,"event":2,"events":1,"eventuate":1,"ever":1,"ex":1,"examination":1,"examining":2,"example":2,"exceed":4,"exceeds":1,"excel":3,"except":3,"exchange":1,"exchanged":1,"excise":1,"exclude":8,"excluded":4,"exclusive":1,"exercise
":1,"exercising":2,"exist":3,"exists":1,"expect":2,"expected":4,"expects":2,"expense":2,"expenses":1,"express":2,"expressed":1,"expressly":2,"extend":1,"extension":1,"extent":4,"fails":4,"failure":1,"false":2,"familiarise":1,"familiarised":1,"far":1,"feature":1,"features":1,"file":4,"filepath":1,"files":7,"final":1,"finance":10,"financial":5,"first":3,"following":14,"follows":1,"footprint":1,"for":86,"force":1,"foreign":1,"form":11,"format":2,"former":1,"forms":4,"found":2,"frameworks":1,"free":1,"freedom":2,"from":23,"fulfilling":1,"full":2,"fully":3,"fund":1,"funds":1,"furnish":1,"further":5,"future":4,"g":2,"gain":1,"general":6,"give":2,"given":3,"gives":1,"goods":1,"gov":28,"governance":1,"government":15,"governmental":1,"grant":1,"greater":1,"grounds":2,"group":9,"gst":3,"guidance":1,"guide":2,"guidelines":2,"guides":2,"had":1,"hand":1,"has":26,"have":18,"having":1,"headings":1,"headquarters":1,"health":2,"held":1,"her":1,"high":2,"higher":1,"his":1,"historical":1,"hold":1,"honestly":1,"house":1,"how":2,"however":1,"http":5,"https":17,"hyperlinked":1,"ict":1,"identified":8,"identifies":3,"identify":11,"identity":1,"if":44,"image1":1,"image3":3,"imaged":3,"immediately":2,"impact":3,"impair":1,"impartial":1,"impede":1,"implementation":1,"implementing":1,"implied":1,"importance":1,"impose":1,"imposes":1,"improper":3,"improperly":1,"improved":1,"in":145,"inaccurate":1,"incidental":1,"include":1,"included":3,"includes":2,"including":15,"incomplete":3,"inconsistency":2,"incorporate":1,"incorporated":1,"incorrect":1,"increase":1,"incurred":1,"independently":2,"indicate":1,"indicative":2,"individual":2,"inducements":1,"industry":7,"influence":2,"inform":5,"information":57,"informed":1,"infrastructure":1,"injunction":1,"insights":2,"instance":1,"instructions":3,"insurance":2,"integrated":1,"integration":1,"integrity":4,"intend":1,"intends":2,"intent":1,"interest":7,"internal":1,"internet":2,"into":8,"introduce":1,"introduction":1,"investigate":2,"investigated":1,"invest
igations":1,"investing":1,"invitation":8,"invited":3,"invites":1,"involve":1,"involves":1,"is":49,"issue":1,"issued":1,"issues":1,"it":33,"item":1,"its":62,"itself":3,"joint":2,"jointly":1,"judicial":1,"june":1,"keep":2,"key":1,"kind":1,"know":1,"knowingly":1,"knowledge":1,"known":1,"knows":1,"language":2,"last":1,"late":1,"later":3,"law":4,"laws":4,"lead":3,"leading":1,"leasing":1,"legal":8,"legislation":7,"level":2,"levels":1,"liability":2,"liable":2,"life":1,"like":1,"likely":2,"limit":2,"limitation":1,"limited":1,"list":1,"listing":1,"liveness":3,"lobbying":3,"local":1,"located":1,"locations":2,"lodge":4,"lodged":11,"lodgement":8,"lodges":3,"lodging":6,"log":1,"logs":1,"long":1,"longer":2,"loss":1,"lowest":1,"lt":1,"made":4,"make":6,"makes":1,"making":3,"malicious":2,"manage":1,"management":10,"managing":2,"mandatory":1,"manner":4,"marked":1,"market":3,"material":13,"materially":3,"materials":2,"matter":4,"matters":5,"maximum":1,"may":59,"means":4,"measurement":2,"measures":1,"media":5,"meet":5,"meeting":2,"meetings":3,"meets":1,"megabyte":1,"megabytes":1,"member":4,"members":2,"meruit":2,"met":2,"microsoft":1,"milestones":1,"minimum":2,"minister":1,"mishandling":1,"misleading":2,"mode":1,"model":1,"money":3,"more":5,"multiple":2,"must":42,"myid":3,"name":4,"names":2,"national":1,"nature":3,"necessarily":1,"necessary":1,"needs":2,"negligence":1,"negotiate":1,"neither":3,"net":1,"neutrality":3,"new":3,"next":1,"no":13,"nominated":4,"non":1,"nor":3,"not":73,"note":5,"notice":3,"notices":3,"notification":2,"notifications":1,"notified":2,"notifies":1,"notify":3,"objectives":7,"obligation":2,"obligations":3,"obliged":1,"obtain":3,"obtainable":1,"obtained":3,"obtaining":1,"occur":1,"of":222,"offence":1,"offer":7,"offered":1,"offering":1,"offers":1,"office":13,"officer":17,"officers":3,"official":1,"ombudsman":3,"on":40,"once":1,"one":3,"online":2,"only":10,"open":1,"operating":1,"operations":2,"opinion":3,"options":1,"or":199,"oral":1,"order":4,"orders":4,"organisatio
ns":1,"originals":1,"other":41,"otherwise":9,"ought":1,"our":2,"out":10,"outcomes":4,"outlined":4,"outlines":2,"over":1,"overseas":2,"own":3,"ownership":3,"pack":2,"page":9,"paragraph":10,"parliament":2,"parliamentary":1,"part":38,"participate":2,"participating":1,"participation":13,"particular":1,"particularly":1,"partners":1,"partnership":1,"parts":1,"past":1,"payment":2,"pd":1,"perform":2,"performance":1,"period":10,"permits":1,"permitted":1,"person":7,"pic":2,"piggy":1,"place":1,"placed":1,"placing":1,"plan":2,"plans":1,"platform":1,"png":1,"poc":2,"point":2,"policies":4,"policy":9,"possible":1,"post":2,"posting":4,"potential":16,"potentially":2,"practices":1,"precedence":1,"preclude":1,"prejudice":1,"preparation":2,"prepared":3,"preparing":6,"presentations":3,"presented":1,"prevail":1,"previous":2,"price":3,"priced":1,"prices":1,"pricing":5,"principal":1,"principles":1,"print":1,"printed":1,"prior":5,"privacy":1,"private":1,"probity":3,"problem":1,"problems":1,"procedures":3,"proceed":2,"proceedings":1,"process":45,"processes":3,"procure":1,"procurement":32,"product":2,"products":2,"professional":1,"progress":2,"projections":1,"promissory":2,"promptly":1,"proof":2,"proper":1,"properly":1,"property":1,"proposed":7,"proposes":5,"proposing":2,"protected":1,"provide":12,"provided":14,"provides":6,"providing":2,"provision":2,"provisions":2,"public":11,"publication":1,"publications":4,"publicly":1,"publish":1,"published":4,"publishing":3,"purpose":3,"purposes":4,"quality":1,"quantum":2,"quasi":2,"queries":1,"question":1,"questions":6,"quote":1,"range":2,"rates":1,"re":1,"read":1,"reasonable":3,"reasonably":2,"reasons":2,"receipt":4,"receive":2,"received":1,"recommendations":1,"rectify":1,"reduce":1,"ref141431744":9,"refer":2,"reference":3,"referred":1,"reflecting":1,"refuse":1,"regard":1,"regarding":2,"register":2,"registered":4,"regulating":1,"reject":1,"rejection":1,"related":6,"relates":1,"relating":3,"relation":16,"relationship":4,"release":1,"relevant":19,"rely"
:2,"remain":1,"remove":1,"report":4,"reporting":4,"representation":1,"represented":1,"represents":1,"request":12,"requested":2,"requests":4,"require":2,"required":17,"requirement":4,"requirements":28,"requires":6,"requiring":1,"resolution":1,"resolve":1,"resolved":2,"resource":4,"respect":4,"respond":3,"respondent":34,"respondents":57,"responding":6,"response":149,"responses":41,"responsibility":2,"responsible":3,"restarts":1,"restitutionary":2,"result":2,"resultant":3,"retain":1,"return":1,"revenue":1,"review":3,"reviewed":1,"revised":3,"rfi":112,"rfi15434":1,"rfq":1,"rft":1,"right":3,"rights":7,"rise":1,"risk":5,"risks":1,"rmg":2,"role":1,"rules":4,"s":53,"safety":2,"same":2,"satisfaction":1,"satisfied":1,"satisfies":1,"satisfy":3,"satisfying":1,"save":1,"scalable":1,"scanned":3,"schedule":1,"scope":1,"screen":1,"seamless":1,"second":8,"sector":3,"secure":1,"security":6,"see":5,"seek":5,"seeking":2,"selected":1,"selection":1,"self":1,"selling":2,"senate":2,"sending":1,"senior":1,"sensitive":1,"sent":2,"separately":1,"service":4,"services":4,"set":7,"sets":2,"severally":1,"shape":1,"shortlist":2,"shortlisted":1,"shortlisting":2,"should":22,"shown":1,"sign":1,"similar":2,"single":3,"site":1,"size":3,"so":12,"sole":2,"solely":1,"solution":5,"solutions":6,"some":3,"sor":1,"source":1,"sourcing":1,"special":1,"specified":3,"specifies":1,"spreadsheet":2,"stage":9,"stages":4,"standard":1,"standards":2,"standing":1,"start":1,"statement":18,"statements":3,"steps":1,"stock":1,"strategic":3,"strictly":1,"subcontracting":1,"subcontractor":2,"subcontractors":6,"subject":5,"submission":3,"submissions":1,"submit":1,"submitted":2,"subsequent":3,"substitution":2,"successful":4,"successfully":3,"such":22,"sufficiency":1,"sufficient":3,"suitably":1,"super":2,"superannuation":1,"supersede":1,"supplement":1,"supplementing":1,"supplements":2,"supplier":58,"suppliers":7,"supplies":13,"supply":1,"support":4,"supporting":4,"suspects":1,"suspend":1,"suspending":1,"suspends":1,"suspicion":1,
"sustainable":2,"svg":3,"system":5,"systems":1,"t":2,"table":6,"take":7,"taken":6,"takes":1,"taking":2,"tax":3,"taxation":13,"taxes":1,"team":4,"technical":3,"tender":4,"tendering":1,"tenders":8,"terminate":1,"terminates":1,"terminating":1,"termination":1,"terms":3,"territory":1,"than":4,"that":87,"the":500,"their":24,"them":9,"themselves":2,"there":2,"thereby":1,"these":1,"they":5,"thing":1,"this":102,"those":14,"through":7,"throughout":2,"thursday":4,"time":31,"timetable":3,"timing":1,"to":212,"total":2,"transmission":2,"transmitted":1,"trends":1,"trial":1,"two":1,"unalterable":1,"unauthorised":1,"under":9,"understanding":2,"undertake":4,"undertaken":1,"undertaking":3,"undertakings":1,"unfairness":1,"unintentional":3,"unique":1,"units":1,"unlawfully":1,"unless":3,"unsuccessful":1,"until":1,"upload":11,"uploaded":1,"uploading":3,"uploads":1,"upon":2,"use":15,"user":6,"users":1,"using":1,"utilised":1,"valid":1,"valuable":1,"value":3,"values":3,"variation":1,"variations":2,"varies":2,"vary":3,"varying":2,"venture":1,"verification":1,"verified":1,"version":2,"versions":1,"via":3,"viability":1,"viable":1,"view":1,"violate":1,"virtue":1,"virus":1,"viruses":1,"visit":3,"visits":2,"volume":1,"volumes":2,"warrants":1,"warranty":1,"web":1,"website":4,"well":1,"what":2,"whatsoever":2,"when":6,"where":9,"whether":9,"which":25,"who":2,"whole":1,"wide":1,"will":64,"wish":1,"wishes":1,"with":51,"withhold":1,"within":2,"without":3,"word":1,"work":4,"working":2,"worm":1,"worms":1,"would":3,"writing":7,"written":5,"www":27,"yet":1,"zipped":1}},{"dl":3247,"n":"src-02-part2-statement-of-requirements","s":"sources/src-02-part2-statement-of-requirements","secs":[{"h":"","l":1,"t":"[TABLE] ![](media/image1.png) Statement of Requirements [TABLE]"},{"h":"Table of Contents","l":9,"t":"[Background [4](#background)](#background) [About myID [4](#about-myid)](#about-myid) [High-level system architecture diagram 
[5](#high-level-system-architecture-diagram)](#high-level-system-architecture-diagram) [Request for Information [5](#request-for-information)](#request-for-information) [Vision [6](#vision)](#vision) [Overview of Business Requirements [6](#overview-of-business-requirements)](#overview-of-business-requirements) [High Level Requirements & Prioritisation [7](#high-level-requirements-prioritisation)](#high-level-requirements-prioritisation) [Technical requirements [8](#technical-requirements)](#technical-requirements) [Biometric Capture and liveness Detection [8](#biometric-capture-and-liveness-detection)](#biometric-capture-and-liveness-detection) [Technical Verification and Biometric Binding [8](#technical-verification-and-biometric-binding)](#technical-verification-and-biometric-binding) [Scalability [9](#scalability)](#scalability) [Performance [9](#performance)](#performance) [Availability [9](#availability)](#availability) [Hosting [10](#hosting)](#hosting) [Integration [10](#integration)](#integration) [Compliance [10](#compliance)](#compliance) [Security and Confidentiality [10](#security-and-confidentiality)](#security-and-confidentiality) [Operations, Support and Maintenance [11](#operations-support-and-maintenance)](#operations-support-and-maintenance) [Operations [11](#operations)](#operations) [Vendor Implementation, Support & Maintenance [12](#vendor-implementation-support-maintenance)](#vendor-implementation-support-maintenance) [Maintainability [12](#maintainability)](#maintainability) [Reporting and Monitoring [13](#reporting-and-monitoring)](#reporting-and-monitoring) [Usability & Accessibility [13](#usability-accessibility)](#usability-accessibility) [User Experience and Accessibility [13](#user-experience-and-accessibility)](#user-experience-and-accessibility) [Response Instructions [14](#response-instructions)](#response-instructions) [Appendices [14](#appendices)](#appendices) [Appendix 1 – Legislation, Guidelines and Standards 
[14](#appendix-1-legislation-guidelines-and-standards)](#appendix-1-legislation-guidelines-and-standards) [ATO procedures and guidelines [14](#ato-procedures-and-guidelines)](#ato-procedures-and-guidelines) [Specific Requirements IT Goods [14](#specific-requirements-it-goods)](#specific-requirements-it-goods) [Indigenous Procurement Policy Reporting [15](#indigenous-procurement-policy-reporting)](#indigenous-procurement-policy-reporting)"},{"h":"Background","l":71,"t":"myID, managed by the Australian Taxation Office (ATO), is the Australian Government’s Digital ID Provider operating within the Australian Governments Digital ID System (AGDIS). myID is an app installed on a smart device that enables a user to prove who they are and logon to online services. myID is accredited under the AGDIS legal framework, the Digital ID Act 2024. The Digital ID Act 2024 and its associated Accreditation Rules establish a comprehensive framework for accrediting entities, such as identity providers, attribute service providers, and exchange providers within Australia’s Digital ID System. 
\\> For more information visit - [The Australian Government Digital ID System (AGDIS) \\| Digital ID System](https://www.digitalidsystem.gov.au/the-australian-government-digital-id-system-agdis)"},{"h":"About myID","l":81,"t":"myID currently supports three identity proofing (IP) levels: - **IP1 (Basic)** - verified email address and self-asserted name and date of birth - **IP2 (Standard)** - verified email address, verified name and date of birth through the verification of 2 Australian identity documents via the Document Verification Service (DVS) - **IP3 (Strong)** - verified email address, verified name and date of birth through the verification of 2-3 Australian identity documents via DVS and face biometric verification against a source document (Australian Passport or Driver Licence) via the Face Verification Service (FVS). In future myID will support additional IP level specified in the Digital Act including: - **IP1+** - verified email address, verified name and date of birth through the verification of 1 Australian identity document via DVS - **IP2 +** - verified email address, verified name and date of birth through the verification of 2 Australian identity documents via DVS and face biometric verification against a source document (where an Australian Passport is not used) via FVS. To achieve a Strong myID, users must complete a liveness test to confirm they are a real, live person. The image captured during this process is securely transmitted to the relevant document source agency (e.g. the Australian Passport Office) via the Facial Verification Service (FVS) for a 1:1 face match against the official document photo. The result of this verification, either a pass or fail, is then returned to myID and displayed to the user. There are currently over 14 million myIDs with over 6 million who have verified their identity to IP3 (Strong). myID is currently used to access over 240 government online services with more services coming.
In the last 12 months (August 2024 – August 2025) myID was used over 95 million times to login to government online services. Further growth in adoption is expected as myID becomes available to access more online services."},{"h":"High-level system architecture diagram","l":99,"t":"The below diagram demonstrates the high-level system architecture for myID. ![](media/image3.png) \\> More information visit - [Home \\| myID](https://www.myid.gov.au/)"},{"h":"Request for Information","l":107,"t":"Since the launch of Strong myID in 2021, the technology landscape for identity verification has evolved significantly, particularly in areas such as liveness detection and facial biometric matching. To ensure myID continues to meet the highest standards of security, usability, and inclusivity, the Australian Taxation Office (ATO) is seeking information from technology providers on their capabilities to support future enhancements. The ATO invites responses from suppliers with expertise in identity verification technologies, specifically in relation to: - **Liveness detection and facial image capture:** Solutions that can reliably detect and verify the presence of a live individual during identity verification. - **Biometric matching:** Capabilities that support use cases such as authentication during service access and account recovery. - **Technical verification of credentials:** Technologies such as NFC-enabled verification that can support identity verification for individuals located offshore through the verification of electronically readable identity documents (e.g. ePassports) The ATO is seeking to explore emerging technologies and innovative solutions to address several key challenges associated with identity verification within the myID platform. Since the initial procurement of Strong myID in 2021, advancements in biometric technologies particularly liveness detection and facial matching have accelerated. 
This RFI aims to understand what new capabilities exist in the market that could enhance the security, scalability, and inclusivity of myID. Specifically, the ATO is seeking to address the following challenges: - **Advancements in Liveness Detection** The current liveness detection solution was procured in 2021. Given the pace of innovation in this space, the ATO is interested in exploring the availability of solutions available in the market today. - **Scalable Biometric Authentication** With over 14 million myID users, the ATO is looking for biometric verification solutions that can support authentication at scale. This includes enabling users to verify their identity during login or account recovery without needing to re-prove their identity through manual processes which results in the need for call centre support. - **Verification of Offshore Individuals** myID currently supports verification only against Australian-issued identity documents. This presents a gap for offshore users who need to access services but cannot be verified through existing mechanisms. The ATO is seeking information on alternative biometric technical verification methods of document verification and biometric binding, such as NFC-enabled document reading that could support identity verification for individuals outside Australia."},{"h":"Vision","l":133,"t":"The ATO’s vision is to evolve myID into a future-ready, secure, and inclusive digital identity solution that meets the needs of a diverse and growing user base. We aim to leverage cutting-edge biometric technologies to enhance identity verification, streamline authentication, and improve account recovery, while maintaining the highest standards of privacy and user experience."},{"h":"Overview of Business Requirements","l":137,"t":"The Australian Taxation Office (ATO) is seeking information from the market on biometric liveness detection solutions that can support the strategic objectives of the myID app. 
The solution must support secure, seamless, and scalable identity verification for users accessing online services. To meet these objectives, the ATO requires a biometric liveness solution that satisfies the following core business requirements: - **Secure** – Must detect and prevent spoofing, deepfakes, and other identity threats as well as biometric match rates (incl. False accept and false reject rates) as defined in the Digital ID Act 2024. - **User-friendly experience** – Quick, simple, and accessible for all users, including those with accessibility needs - **Device compatibility** – Works reliably across a wide range of mobile devices, platforms, browser types and operating systems - **Accessible** – Must be tested and meet minimum WCAG requirements as defined in the Digital ID Act 2024 - **Scalable** – Supports high volumes of identity checks with consistent performance, reliability and up time - **Cost-effective** – Offers a sustainable pricing model aligned with government procurement frameworks demonstrating value for money. - **Comply with the law** – Complies with the relevant liveness and biometric verification standards and disclosure requirements prescribed in the Digital ID Act 2024. - **System integration** **and maintenance** – Seamlessly integrates with existing ATO infrastructure and future digital identity ecosystems/architecture. 
Upgrade and maintenance of solutions can be adopted with minimal effort and impact to production systems - **Provides value for money** – Solutions and associated costs must represent value for money for Government."},{"h":"High Level Requirements & Prioritisation","l":161,"t":"Requirements are prioritised as follows for this RFI:\\ \\ M – Mandatory: requirements that are essential; failure to comply will render a solution unviable.\\ D – Highly desirable: requirements that materially improve viability and performance.\\ O – Optional: value-added capabilities that are beneficial but not essential."},{"h":"Technical requirements","l":169,"t":""},{"h":"Biometric Capture and Liveness Detection","l":171,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | LV-1 | The solution MUST capture biometric images of sufficient quality for biometric comparison, complying with ISO/IEC 29794-5 when generating the image quality profile of the acquired image. | M | | LV-2 | The solution MUST implement automated image-quality controls within its biometric capability and provide clear user-interface guidance to direct a user to capture an image that meets the required image quality profile. | M | | LV-3 | The solution MUST employ presentation attack detection (PAD) to determine whether the acquired image originates from a living human subject present at the point of capture. | M | | LV-4 | The solution MUST complete image capture and presentation attack detection (PAD) as part of a single continuous process before the image is submitted to the ATO system for online biometric verification to prevent exploitation via separation of acquisition and PAD. | M | | LV-5 | The solution MUST ensure PAD technology meets at least Evaluation Assurance Level 2 (Level B) as defined by ISO/IEC 30107-3:2023 and the Digital ID (Accreditation) Data Standards. 
| M | | LV-6 | The solution MUST have been tested or validated by a qualified third-party biometric testing entity experienced in ISO/IEC 30107 to evidence the PAD meets Evaluation Assurance Level 2 (Level B) requirements. | M |"},{"h":"Technical Verification and Biometric Binding","l":182,"t":"[TABLE]"},{"h":"Scalability","l":186,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | S-1 | The solution MUST be scalable to ensure performance requirements are met under variable and increasing usage patterns. | M | | S-2 | The solution MUST support SaaS solution. | M |"},{"h":"Performance","l":193,"t":"[TABLE]"},{"h":"Availability","l":197,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | A-1 | The solution MUST achieve or exceed 99.95% availability. (Note: ATO provides cloud infrastructure where applicable.) | M |"},{"h":"Hosting","l":203,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | H-1 | The solution MUST be a cloud-hosted Software as a Service (SaaS) offering, delivered via a secure, scalable, and vendor-managed environment. | M | | H-2 | If cloud-based, the Tenderer MUST describe connectivity with current AWS technologies and services, connectivity methods (e.g., AWS PrivateLink) and resources required from ATO to support connectivity. | M |"},{"h":"Integration","l":210,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | IN-1 | The solution MUST support the Microsoft MAUI development environment and provide bindings for client API access. | M | | IN-2 | The solution MUST support operation through standard web browsers in addition to mobile platforms. 
This includes providing a seamless and secure user experience for individuals completing liveness verification via browser-based channels (e.g., Chrome, Safari, Edge, Firefox) | M | | IN-3 | Where the solution is not hosted within an ATO Software Service, the solution MUST not require server affinity. | M | | IN-4 | The solution MUST support silent automated deployments, including infrastructure setup (IaaS), where ATO is responsible for deployment. | M | | IN-5 | The Tenderer SHOULD provide two short case studies demonstrating delivery of similar services in high-volume, large-scale deployments, including references. | D |"},{"h":"Compliance","l":220,"t":""},{"h":"Security and Confidentiality","l":222,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | SC-1 | The solution MUST be able to show evidence of ability to comply to PSPF, ISM, Essential 8 requirements and other security requirements as defined in Digital ID ACT 2024. | M | | SC-2 | The solution MUST be able to demonstrate ability to comply with the Australian Privacy Principles. | M | | SC-3 | The solution SHOULD secure all collected, held or used data (Personal Information, ATO Data, ATO Material, and inter-agency information) in use and at rest using ASD-approved cryptographic algorithms consistent with the Australian Government ISM or NIST. | D | | SC-4 | The solution SHOULD include controls to ensure integrity of data generated within the client software or provided to the Facial Verification Service. | D | | SC-5 | The solution/service MUST NOT transfer Personal Information outside Australia. | M | | SC-6 | The solution MUST be capable of meeting relevant ISM controls to allow the ATO's Information Security Advisor to issue certification at the PROTECTED level. | M | | SC-7 | All Personal and ATO data MUST be hosted and stored in Australia and comply with Australian data sovereignty laws and the Data Hosting Certification Framework. 
| M | | SC-8 | The Tenderer SHOULD list all products used in delivery of Licensed Software, their function, whether third-party, and any access those products have to user data. | D |"},{"h":"Operations, Support and Maintenance","l":235,"t":""},{"h":"Operations","l":237,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | OP-1 | The Tenderer MUST Provide secure, isolated non-production (production environments) coupled with 24x7 monitoring. | M | | OP-2 | The solution SHOULD enable dynamic, automated test environments with integration testing. | D | | OP-3 | The provider MUST maintain data sovereignty and provide internal real-time service status visibility. | M | | OP-4 | The solution MUST continuously monitor access and privileged activities. | M | | OP-5 | The Tenderer MUST provide assurance that system access is limited to approved IP ranges that are regionally localised. | M | | OP-6 | The solution SHOULD provide mechanisms to detect early indicators of stress or coercion among personnel interacting with sensitive systems. | D | | OP-7 | The solution MUST deliver real-time alerts for high-risk or policy-violating behaviors, including biometric failures. | M | | OP-8 | The solution SHOULD support tiered alerting based on risk severity and detect abnormal access or potential data loss incidents. | D | | OP-9 | The solution MUST provide Australian-based NV1-cleared support, maintain compliance with ISM timelines, deliver governance reporting, and enable secure incident management via an iRAP-certified portal. | M | | OP-10 | The Tenderer MUST offer dedicated helpdesk, roadmap for fraud prevention, knowledge transfer, and demonstrate experience with government identity systems and security certifications as well as SLA mgt and governance. 
| M |"},{"h":"Vendor Implementation, Support & Maintenance","l":252,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | VISM-1 | The Tenderer MUST provide solution-specific support and troubleshooting via a formal helpdesk function. | M | | VISM-2 | The Tenderer MUST provide documented processes, manuals and operational instructions to support the solution. | M | | VISM-3 | The Tenderer MUST provide ongoing support to ensure software is kept up to date with regular patching and updates. | M | | VISM-4 | The solution MUST provide ongoing platform maintenance services. | M | | VISM-5 | The Tenderer SHOULD provide roadmaps and planned updates in fraud prevention and identity technology. | D | | VISM-6 | The Tenderer SHOULD demonstrate proven experience in successful implementation of similar systems in other Government Agencies. | D | | VISM-7 | The Tenderer SHOULD describe emerging technologies and recommendations based on vendor research. | D |"},{"h":"Maintainability","l":264,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | M-1 | The Tenderer MUST keep Licensed Software up-to-date through maintenance and patches (including security patches) for the Licensed Software and any third-party components. | M |"},{"h":"Reporting and Monitoring","l":272,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | RM-1 | The solution MUST centrally log system activity, including security setting modifications, verification activities, and support shipping logs to ATO’s logging system. | M | | RM-2 | The solution MUST provide configurable metrics, dashboards and drill-down visualisations (e.g., capture time statistics, failure to enrol/acquire rates). | M | | RM-3 | The solution MUST provide ATO with appropriate access to view logs (requests, response payloads and processing status) for troubleshooting. 
| M | | RM-4 | The Tenderer MUST describe monitoring capability or integration options. | M |"},{"h":"Usability & Accessibility","l":281,"t":""},{"h":"User Experience and Accessibility","l":283,"t":"| **Requirement ID** | **Requirement Description** | **Priority (M/D/O)** | |----|----|:--:| | UX-1 | The solution MUST support Mobile First and Responsive Web Design methodologies. | M | | UX-2 | The Tenderer MUST provide UI standards, UI screen designs, and UX documentation including user flow mappings. | M | | UX-3 | The solution MUST conform to WCAG 2.1 Level AA for mobile and web browser experiences. | M | | UX-4 | The solution MUST provide the ATO with the ability to customise user experience elements. | M |"},{"h":"Response Instructions","l":292,"t":"Respondents should provide responses in Part 3a Techincal response form, detailed written responses mapping their capabilities to each requirement identifier above. For each requirement, include technical details, architecture diagrams, implementation approach, security controls, validation/testing evidence, and relevant certifications (if needed, attach information in separate documents). Attach case studies, third-party testing reports, and sample SLA terms where available. Responses should be concise, clearly referenced, and submitted per the AusTender process."},{"h":"Appendices","l":296,"t":""},{"h":"Appendix 1 – Legislation, Guidelines and Standards","l":298,"t":"Respondents must demonstrate compliance with relevant Commonwealth legislation, guidelines and standards including but not limited to: the Digital ID Act 2024 (commenced 1 December 2024), Digital ID (Accreditation) Rules 2024 and Accreditation Data Standards, the Australian Government Information Security Manual (ISM), Trusted Digital Identity Framework (TDIF), ASD Essential Eight, and ATO procedures and guidelines for contractors. 
[Digital ID Act 2024 - Federal Register of Legislation](https://www.legislation.gov.au/C2024A00025/asmade/text) [TABLE] For the purposes of clause 12. Additional Information of the RFI Part 1 Conditions of Tender, the applicable ATO procedures and guidelines are the: [*Ethical business relationship statement*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/Complying-with-procurement-policy-and-legislation/Ethical-business-relationship-statement/) [*ATO information security guidelines for contractors*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/In-detail/ATO-information-security-guidelines-for-contractors/) [*WH&S requirements for contractors and suppliers to the ATO*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/In-detail/Work-health-and-safety-requirements-for-contractors-and-suppliers-to-the-ATO/) [*Recordkeeping management for our contractors*](https://www.ato.gov.au/About-ATO/ATO-tenders-and-procurement/Complying-with-procurement-policy-and-legislation/Records-management-for-our-contractors/)"},{"h":"Specific Requirements\\","l":316,"t":"IT Goods In the event of a procurement process post this RFI that progresses to a contract, the Respondent must: Have an EMS Certified or aligned to ISO 14001; or align business processes to the ISO 14001 within 6 months of the Contract being signed; and must maintain EMS certification or alignment to ISO 14001 during the term of the Contract, and Be a signatory to the Australian Packaging Covenant or comply with the requirements of the National Environment Protection (used packaging materials) measure (unless exempt by legislation)."},{"h":"Indigenous Procurement Policy Reporting","l":325,"t":"In the event of a procurement process post this RFI that progresses to a contract, the Respondent must provide such written reports and evidence of its compliance with their [Indigenous Procurement 
Policy](https://www.niaa.gov.au/indigenous-affairs/economic-development/indigenous-procurement-policy-ipp) obligations every quarter/6 months/year during the Term. **Security Requirements** The Vendor must: Complete and submit the following attachments: 1)  **Attachment A** – FOCI Form If already completed and returned to the ATO in the last 12 months, these are documents are not required. ![](media/image4.emf) **The ATO Cyber Security reserves the right to conduct a go-no-go penetration test.**"}],"tf":{"1":22,"10":5,"11":2,"12":5,"13":3,"14":7,"14001":3,"15":1,"2":15,"2021":3,"2023":1,"2024":11,"2025":1,"240":1,"24x7":1,"29794":1,"3":9,"30107":2,"3a":1,"4":9,"5":8,"6":9,"7":4,"8":6,"9":4,"95":2,"99":1,"a":35,"aa":1,"ability":3,"able":2,"abnormal":1,"about":8,"above":1,"accelerated":1,"accept":1,"access":10,"accessibility":9,"accessible":2,"accessing":1,"account":3,"accreditation":4,"accredited":1,"accrediting":1,"achieve":2,"acquire":1,"acquired":2,"acquisition":1,"across":1,"act":9,"activities":2,"activity":1,"added":1,"addition":1,"additional":2,"address":7,"adopted":1,"adoption":1,"advancements":2,"advisor":1,"affairs":1,"affinity":1,"against":4,"agdis":4,"agencies":1,"agency":2,"aim":1,"aims":1,"alerting":1,"alerts":1,"algorithms":1,"align":1,"aligned":2,"alignment":1,"all":4,"allow":1,"already":1,"alternative":1,"among":1,"an":6,"and":133,"any":2,"api":1,"app":2,"appendices":4,"appendix":4,"applicable":2,"approach":1,"appropriate":1,"approved":2,"architecture":7,"are":11,"areas":1,"as":17,"asd":2,"asmade":1,"asserted":1,"associated":3,"assurance":3,"at":5,"ato":47,"attach":2,"attachment":1,"attachments":1,"attack":2,"attribute":1,"au":8,"august":2,"austender":1,"australia":4,"australian":21,"authentication":4,"automated":3,"availability":6,"available":3,"aws":2,"b":2,"background":4,"base":1,"based":5,"basic":1,"be":11,"becomes":1,"been":1,"before":1,"behaviors":1,"being":1,"below":1,"beneficial":1,"binding":5,"bindings":1,"biometric":28,"birth":5,"browser":3,
"browsers":1,"business":8,"but":3,"by":4,"c2024a00025":1,"call":1,"can":5,"cannot":1,"capabilities":5,"capability":2,"capable":1,"capture":10,"captured":1,"case":2,"cases":1,"centrally":1,"centre":1,"certification":3,"certifications":2,"certified":2,"challenges":2,"channels":1,"checks":1,"chrome":1,"clause":1,"clear":1,"cleared":1,"clearly":1,"client":2,"cloud":3,"coercion":1,"collected":1,"coming":1,"commenced":1,"commonwealth":1,"comparison":1,"compatibility":1,"complete":3,"completed":1,"completing":1,"compliance":7,"complies":1,"comply":6,"complying":3,"components":1,"comprehensive":1,"concise":1,"conditions":1,"conduct":1,"confidentiality":4,"configurable":1,"confirm":1,"conform":1,"connectivity":3,"consistent":2,"contents":1,"continues":1,"continuous":1,"continuously":1,"contract":4,"contractors":7,"controls":4,"core":1,"cost":1,"costs":1,"could":2,"coupled":1,"covenant":1,"credentials":1,"cryptographic":1,"current":2,"currently":4,"customise":1,"cutting":1,"cyber":1,"d":22,"dashboards":1,"data":11,"date":7,"december":1,"dedicated":1,"deepfakes":1,"defined":4,"deliver":2,"delivered":1,"delivery":2,"demonstrate":4,"demonstrates":1,"demonstrating":2,"deployment":1,"deployments":2,"describe":3,"description":11,"design":1,"designs":1,"desirable":1,"detail":2,"detailed":1,"details":1,"detect":4,"detection":12,"determine":1,"development":2,"device":2,"devices":1,"diagram":5,"diagrams":1,"digital":20,"digitalidsystem":1,"direct":1,"disclosure":1,"displayed":1,"diverse":1,"document":8,"documentation":1,"documented":1,"documents":7,"down":1,"drill":1,"driver":1,"during":6,"dvs":4,"dynamic":1,"e":5,"each":2,"early":1,"economic":1,"ecosystems":1,"edge":2,"effective":1,"effort":1,"eight":1,"either":1,"electronically":1,"elements":1,"email":5,"emerging":2,"emf":1,"employ":1,"ems":2,"enable":2,"enabled":2,"enables":1,"enabling":1,"enhance":2,"enhancements":1,"enrol":1,"ensure":5,"entities":1,"entity":1,"environment":3,"environments":2,"epassports":1,"essential":4,"establish
":1,"ethical":2,"evaluation":2,"event":2,"every":1,"evidence":4,"evolve":1,"evolved":1,"exceed":1,"exchange":1,"exempt":1,"exist":1,"existing":2,"expected":1,"experience":10,"experienced":1,"experiences":1,"expertise":1,"exploitation":1,"explore":1,"exploring":1,"face":4,"facial":5,"fail":1,"failure":2,"failures":1,"false":2,"federal":1,"firefox":1,"first":1,"flow":1,"foci":1,"following":3,"follows":1,"for":40,"form":2,"formal":1,"framework":4,"frameworks":1,"fraud":2,"friendly":1,"from":5,"function":2,"further":1,"future":4,"fvs":3,"g":5,"gap":1,"generated":1,"generating":1,"given":1,"go":2,"goods":4,"gov":8,"governance":2,"government":11,"governments":1,"growing":1,"growth":1,"guidance":1,"guidelines":12,"h":2,"has":1,"have":5,"health":1,"held":1,"helpdesk":2,"high":12,"highest":2,"highly":1,"home":1,"hosted":3,"hosting":5,"https":8,"human":1,"iaas":1,"id":27,"identifier":1,"identity":26,"iec":3,"if":3,"image":10,"image1":1,"image3":1,"image4":1,"images":1,"impact":1,"implement":1,"implementation":6,"improve":2,"in":42,"incident":1,"incidents":1,"incl":1,"include":2,"includes":2,"including":9,"inclusive":1,"inclusivity":2,"increasing":1,"indicators":1,"indigenous":7,"individual":1,"individuals":4,"information":18,"infrastructure":3,"initial":1,"innovation":1,"innovative":1,"installed":1,"instructions":5,"integrates":1,"integration":7,"integrity":1,"inter":1,"interacting":1,"interested":1,"interface":1,"internal":1,"into":1,"invites":1,"ip":3,"ip1":2,"ip2":2,"ip3":2,"ipp":1,"irap":1,"is":21,"ism":5,"iso":6,"isolated":1,"issue":1,"issued":1,"it":4,"its":3,"keep":1,"kept":1,"key":1,"knowledge":1,"landscape":1,"large":1,"last":2,"launch":1,"law":1,"laws":1,"least":1,"legal":1,"legislation":10,"level":16,"levels":1,"leverage":1,"licence":1,"licensed":3,"limited":2,"list":1,"live":2,"liveness":14,"living":1,"localised":1,"located":1,"log":1,"logging":1,"login":2,"logon":1,"logs":2,"looking":1,"loss":1,"lv":6,"m":53,"maintain":3,"maintainability":4,"maintaining":1,"maint
enance":12,"managed":2,"management":3,"mandatory":1,"manual":2,"manuals":1,"mapping":1,"mappings":1,"market":3,"match":2,"matching":3,"material":1,"materially":1,"materials":1,"maui":1,"measure":1,"mechanisms":2,"media":3,"meet":3,"meeting":1,"meets":4,"met":1,"methodologies":1,"methods":2,"metrics":1,"mgt":1,"microsoft":1,"million":4,"minimal":1,"minimum":1,"mobile":4,"model":1,"modifications":1,"money":3,"monitor":1,"monitoring":6,"months":4,"more":4,"must":50,"myid":26,"myids":1,"name":5,"national":1,"need":2,"needed":1,"needing":1,"needs":2,"new":1,"nfc":2,"niaa":1,"nist":1,"no":1,"non":1,"not":7,"note":1,"nv1":1,"o":12,"objectives":2,"obligations":1,"of":55,"offer":1,"offering":1,"offers":1,"office":4,"official":1,"offshore":3,"on":6,"ongoing":2,"online":6,"only":1,"op":10,"operating":2,"operation":1,"operational":1,"operations":8,"optional":1,"options":1,"or":16,"originates":1,"other":3,"our":2,"outside":2,"over":5,"overview":4,"pace":1,"packaging":2,"pad":5,"part":3,"particularly":2,"party":4,"pass":1,"passport":3,"patches":2,"patching":1,"patterns":1,"payloads":1,"penetration":1,"per":1,"performance":7,"person":1,"personal":3,"personnel":1,"photo":1,"planned":1,"platform":2,"platforms":2,"png":2,"point":1,"policy":9,"portal":1,"post":2,"potential":1,"prescribed":1,"presence":1,"present":1,"presentation":2,"presents":1,"prevent":2,"prevention":2,"pricing":1,"principles":1,"prioritisation":4,"prioritised":1,"priority":11,"privacy":2,"privatelink":1,"privileged":1,"procedures":5,"process":5,"processes":3,"processing":1,"procured":1,"procurement":16,"production":3,"products":2,"profile":2,"progresses":2,"proofing":1,"protected":1,"protection":1,"prove":2,"proven":1,"provide":19,"provided":1,"provider":2,"providers":4,"provides":2,"providing":1,"pspf":1,"purposes":1,"qualified":1,"quality":4,"quarter":1,"quick":1,"range":1,"ranges":1,"rates":3,"re":1,"readable":1,"reading":1,"ready":1,"real":3,"recommendations":1,"recordkeeping":1,"records":1,"recovery":3,"refere
nced":1,"references":1,"regionally":1,"register":1,"regular":1,"reject":1,"relation":1,"relationship":2,"relevant":5,"reliability":1,"reliably":2,"render":1,"reporting":9,"reports":2,"represent":1,"request":4,"requests":1,"require":1,"required":3,"requirement":24,"requirements":31,"requires":1,"research":1,"reserves":1,"resources":1,"respondent":2,"respondents":2,"response":6,"responses":4,"responsible":1,"responsive":1,"rest":1,"result":1,"results":1,"returned":2,"rfi":5,"right":1,"risk":2,"rm":4,"roadmap":1,"roadmaps":1,"rules":2,"s":8,"saas":2,"safari":1,"safety":1,"sample":1,"satisfies":1,"sc":8,"scalability":5,"scalable":5,"scale":2,"screen":1,"seamless":2,"seamlessly":1,"secure":8,"securely":1,"security":17,"seeking":5,"self":1,"sensitive":1,"separate":1,"separation":1,"server":1,"service":10,"services":10,"setting":1,"setup":1,"several":1,"severity":1,"shipping":1,"short":1,"should":12,"show":1,"signatory":1,"signed":1,"significantly":1,"silent":1,"similar":2,"simple":1,"since":2,"single":1,"sla":2,"smart":1,"software":7,"solution":42,"solutions":7,"source":3,"sovereignty":2,"space":1,"specific":5,"specifically":2,"specified":1,"spoofing":1,"standard":2,"standards":11,"statement":3,"statistics":1,"status":2,"stored":1,"strategic":1,"streamline":1,"stress":1,"strong":5,"studies":2,"subject":1,"submit":1,"submitted":2,"successful":1,"such":6,"sufficient":1,"suppliers":3,"support":29,"supports":3,"sustainable":1,"system":15,"systems":5,"table":6,"taxation":3,"tdif":1,"techincal":1,"technical":11,"technologies":7,"technology":4,"tender":1,"tenderer":15,"tenders":4,"term":2,"terms":1,"test":3,"tested":2,"testing":4,"text":1,"that":18,"the":160,"their":7,"then":1,"there":1,"these":2,"they":2,"third":4,"this":10,"those":2,"threats":1,"three":1,"through":9,"tiered":1,"time":4,"timelines":1,"times":1,"to":71,"today":1,"transfer":2,"transmitted":1,"troubleshooting":2,"trusted":1,"two":1,"types":1,"ui":2,"under":2,"understand":1,"unless":1,"unviable":1,"up":3,"updates":
2,"upgrade":1,"usability":5,"usage":1,"use":2,"used":6,"user":15,"users":6,"using":1,"ux":5,"validated":1,"validation":1,"value":4,"variable":1,"vendor":7,"verification":35,"verified":11,"verify":2,"via":12,"viability":1,"view":1,"violating":1,"visibility":1,"vision":5,"visit":2,"vism":7,"visualisations":1,"volume":1,"volumes":1,"was":2,"wcag":2,"we":1,"web":3,"well":2,"wh":1,"what":1,"when":1,"where":5,"whether":2,"which":1,"while":1,"who":3,"wide":1,"will":2,"with":30,"within":7,"without":1,"work":1,"works":1,"written":2,"www":8,"year":1}},{"dl":1376,"n":"src-03-part3-response-general","s":"sources/src-03-part3-response-general","secs":[{"h":"","l":1,"t":"|     | |-----| [TABLE] ![](media/image1.png) Part 3 – Response Form – General"},{"h":"Response Form – General","l":10,"t":""},{"h":"Introduction","l":12,"t":""},{"h":"The RFI Response Forms","l":14,"t":"This Request for Information (**RFI**) includes 4 Response Forms: - [Part 3 – RFI Response Form – General](#_Ref141431774) - Part 3a- RFI Response Form – Technical Response (Excel Spreadsheet) - [Part 4 – RFI Response Form – Financial](#_Ref141431793) - Part 4a – RFI Response Form – Pricing Table - Attachment A – FOCI form In their Responses, suppliers should respond to the questions, and supply the information and materials, in the same order and under the same headings as shown in these Response Forms. [TABLE]"},{"h":"About this Part","l":32,"t":"This [Part 3 – RFI Response Form – General](#_Ref141431774) describes the Conditions for Participation, and the general and technical information that suppliers should provide in their Responses. It includes the following sections: - [Section 1 – The Conditions for Participation](#section-1-the-conditions-for-participation). - [Section 2 – Respondent’s details](#commonwealth-supplier-code-of-conduct). - [Section 3 – Respondent information](#section-3-respondent-information). - [Section 4 – Respondent’s Declaration](#section-4-respondents-declaration). 
[TABLE]"},{"h":"Section 1 – The Conditions for Participation","l":46,"t":""},{"h":"Judicial decisions relating to employee entitlements","l":48,"t":"Should the ATO progress to a potential second stage following this RFI process, it is a Condition for Participation that a Respondent (and each subcontractor that the Respondent identifies in its Response) must not have any unpaid claims in respect of judicial decisions (other than decisions subject to appeal) made against it relating to employee entitlements. | ![Information](media/image3.svg) | See paragraph 6.7 of the Commonwealth Procurement Rules (CPRs). The CPRs are published by the Department of Finance and Deregulation on its website at [www.finance.gov.au](http://www.finance.gov.au/). | |----|----|"},{"h":"Workplace Gender Equality","l":55,"t":"Should the ATO progress to a potential second stage following this RFI process, it is Commonwealth policy not to purchase goods or services from suppliers who do not comply with their obligations under the *Workplace Gender Equality Act 2012* (Cth) (the **WGE Act**). A supplier must: - identify in its Response whether or not it’s a relevant employer for the purposes of the WGE Act, and - if so either include a current letter of compliance (a letter stating it is compliant with that Act) from the Workplace Gender Equality Agency (**WGEA**) with its Response, or provide it to the ATO before entering into the Contract (if its Tender is successful). | ![Information](media/image3.svg) | Suppliers can contact WGEA to confirm if they are ‘relevant employers’ and, if so, obtain letters of compliance. Contact details are on its website at [www.wgea.gov.au](http://www.wgea.gov.au). 
| |----|----|"},{"h":"Satisfactory Statement of Tax Record","l":66,"t":"Should the ATO progress to a potential second stage following this RFI process, it is a Condition for Participation that a Respondent holds: - in relation to itself (or, if a Responding Group, each of its members) – either a valid and satisfactory Statement of Tax Record (STR) by the Closing Time, or a receipt demonstrating that a STR has been requested from the ATO by the Closing Time and a valid and satisfactory STR no later than (subject to the [Shadow Economy Procurement Connected Policy](https://treasury.gov.au/publication/p2019-t369466)) 4 business days after the Closing Time, and - in relation to each subcontractor that the Respondent proposes, as part of its Response, to have deliver Required Supplies of an estimated value of over \\$4 million (GST inclusive) – a copy of a valid and satisfactory Statement of Tax Record for that subcontractor by the Closing Time. The ATO may, before entering into the Contract (if the Respondent is successful), require the Respondent to ensure that any such STR that is not valid at that time is renewed. [TABLE]"},{"h":"Indigenous Procurement Policy","l":78,"t":"Should the ATO progress to a potential second stage following this RFI process, it is Commonwealth policy to stimulate Indigenous entrepreneurship and business development, providing Indigenous Australians with more opportunities to participate in the economy, including by requiring contractors to have Indigenous Participation Plans as described in the [Indigenous Procurement Policy](https://www.niaa.gov.au/resource-centre/indigenous-affairs/indigenous-procurement-policy) (**IPP**). 
As part of its Response to any future procurement process, a supplier must: - describe the supplier’s commitment to Indigenous participation and its current rate of Indigenous employment and supplier use, - provide the supplier’s proposed Indigenous Participation Plan, which should address the above, how it intends on meeting the minimum mandatory requirements (**MMR**, as described in the IPP), and if any part of the Required Supplies will be delivered in a Remote Area (as described in the IPP), how that will achieve significant Indigenous participation outcomes in that area, and - indicate if the supplier has been subject to MMR targets previously, and if so, provide details of its past performance in meeting them. If a future procurement process was undertaken for any parts or components of the Required Supplies that are to be delivered in a remote area, would be detailed in the Part 2 – Statement of Requirements (or similar document). | ![Information](media/image3.svg) | A supplier should note that, if its Response is successful, its Indigenous Participation Plan will be developed and attached to the resultant Contract, and the supplier will be required to comply with and report against that developed Indigenous Participation Plan during the term of the Contract. | |----|----|"},{"h":"Commonwealth Supplier Code of Conduct","l":95,"t":"The Commonwealth Supplier Code of Conduct (Code) is mandated by paragraph 6.12 of the Commonwealth Procurement Rules (CPRs), which requires the Code to be incorporated into all Commonwealth forms of contract entered into from 1 July 2024. A Commonwealth form of contract, in this context, is any contract that uses Commonwealth terms and conditions (as opposed to a contract that is based on a suppliers’ terms and conditions). The Code outlines the Commonwealth’s minimum expectations of suppliers and their subcontractors while under contract with the Commonwealth. 
The expectations in the Code cover ethical behaviour; corporate governance; business practices; and health, safety, and employee welfare. These expectations do not supersede or alter a supplier’s existing legislative, policy, regulatory or other contractual obligations. Where requested by the ATO, Respondents and suppliers must be able to demonstrate they have appropriate policies, frameworks, or similar, in place regarding ethics, governance and accountability to comply with these expectations. Failure to adhere to the Code may result in remedial action and/or termination in accordance with contractual provisions. | ![Information](media/image3.svg) | For information on the application of Commonwealth Supplier Code of Conduct, see the [Commonwealth Supplier Code of Conduct - Overview](https://www.finance.gov.au/government/procurement/commonwealth-supplier-code-conduct-overview) page on DoF’s website. | |----|----|"},{"h":"Outcome of this RFI Process","l":106,"t":"As a direct result of this RFI, the ATO may proceed with a second stage that includes any of the following options after an analysis of responses to this RFI: - Shortlist to potential viable solutions, - Request for Tender (RFT), - Request for Quote (RFQ), - Limited Tender (LT), - Proof of Concept (PoC), - Product demonstration or trial (PD), and/or - RFI closure. &nbsp; - To be considered for this potential second stage of the RFI process, Suppliers should have provided a response to this document (RFI-15434)."},{"h":"Section 2 – Respondent’s details","l":128,"t":""},{"h":"Information about the Respondent","l":130,"t":"The Respondent should provide the following company, firm and/or business details as appropriate. Where a Response is submitted by a Responding Group, these details should be provided for each member of that group. 
[TABLE]"},{"h":"Respondents’ compliance with conditions","l":136,"t":"The Respondent should provide the following details and information as appropriate (during this RFI the ATO will not request evidence of compliance with the below. However, if a procurement process is undertaken post this RFI, evidence will be requested where required to confirm compliance): [TABLE]"},{"h":"General information about the Response","l":142,"t":"The Respondent should provide the following details and information as appropriate: [TABLE]"},{"h":"Section 3 – Respondent information","l":148,"t":""},{"h":"Details of Response","l":150,"t":"The Respondent should provide the following details and information as appropriate. [TABLE] [TABLE] [TABLE]"},{"h":"Respondent’s responses in relation to Part 2 – Statement of Requirements","l":160,"t":"The Respondent should provide the following details and information as appropriate. **COMPLETE SEPERATE DOCUMENT** **PART 3a - RFI RESPONSE FORM – TECHNICAL** [TABLE]"},{"h":"Section 4 – Respondent’s Declaration","l":170,"t":""},{"h":"Respondent’s Declaration","l":172,"t":"The Respondent should provide, as part of its Response and in accordance with the following instructions, the Declaration set out below: [TABLE] [TABLE] 
#"}],"tf":{"1":4,"12":1,"15434":1,"2":4,"2012":1,"2024":1,"3":6,"3a":2,"4":7,"4a":1,"6":2,"7":1,"a":35,"able":1,"about":3,"above":1,"accordance":2,"accountability":1,"achieve":1,"act":4,"action":1,"address":1,"adhere":1,"affairs":1,"after":2,"against":2,"agency":1,"all":1,"alter":1,"an":2,"analysis":1,"and":38,"any":7,"appeal":1,"application":1,"appropriate":6,"are":4,"area":3,"as":14,"at":3,"ato":10,"attached":1,"attachment":1,"au":7,"australians":1,"based":1,"be":10,"been":2,"before":2,"behaviour":1,"below":2,"business":4,"by":8,"can":1,"centre":1,"claims":1,"closing":4,"closure":1,"code":11,"commitment":1,"commonwealth":15,"company":1,"complete":1,"compliance":5,"compliant":1,"comply":3,"components":1,"concept":1,"condition":2,"conditions":7,"conduct":6,"confirm":2,"connected":1,"considered":1,"contact":2,"context":1,"contract":9,"contractors":1,"contractual":2,"copy":1,"corporate":1,"cover":1,"cprs":3,"cth":1,"current":2,"days":1,"decisions":3,"declaration":5,"deliver":1,"delivered":2,"demonstrate":1,"demonstrating":1,"demonstration":1,"department":1,"deregulation":1,"describe":1,"described":3,"describes":1,"detailed":1,"details":11,"developed":2,"development":1,"direct":1,"do":2,"document":3,"dof":1,"during":2,"each":4,"economy":2,"either":2,"employee":3,"employer":1,"employers":1,"employment":1,"ensure":1,"entered":1,"entering":2,"entitlements":2,"entrepreneurship":1,"equality":3,"estimated":1,"ethical":1,"ethics":1,"evidence":2,"excel":1,"existing":1,"expectations":4,"failure":1,"finance":4,"financial":1,"firm":1,"foci":1,"following":12,"for":15,"form":10,"forms":4,"frameworks":1,"from":4,"future":2,"gender":3,"general":6,"goods":1,"gov":7,"governance":2,"government":1,"group":3,"gst":1,"has":2,"have":5,"headings":1,"health":1,"holds":1,"how":2,"however":1,"http":2,"https":3,"identifies":1,"identify":1,"if":12,"image1":1,"image3":4,"in":25,"include":1,"includes":3,"including":1,"inclusive":1,"incorporated":1,"indicate":1,"indigenous":13,"information":17,"inst
ructions":1,"intends":1,"into":4,"introduction":1,"ipp":3,"is":15,"it":10,"its":14,"itself":1,"judicial":2,"july":1,"later":1,"legislative":1,"letter":2,"letters":1,"limited":1,"lt":1,"made":1,"mandated":1,"mandatory":1,"materials":1,"may":3,"media":5,"meeting":2,"member":1,"members":1,"million":1,"minimum":2,"mmr":2,"more":1,"must":4,"nbsp":1,"niaa":1,"no":1,"not":7,"note":1,"obligations":2,"obtain":1,"of":42,"on":6,"opportunities":1,"opposed":1,"options":1,"or":14,"order":1,"other":2,"out":1,"outcome":1,"outcomes":1,"outlines":1,"over":1,"overview":2,"p2019":1,"page":1,"paragraph":2,"part":14,"participate":1,"participation":12,"parts":1,"past":1,"pd":1,"performance":1,"place":1,"plan":3,"plans":1,"png":1,"poc":1,"policies":1,"policy":7,"post":1,"potential":6,"practices":1,"previously":1,"pricing":1,"proceed":1,"process":9,"procurement":10,"product":1,"progress":4,"proof":1,"proposed":1,"proposes":1,"provide":10,"provided":2,"providing":1,"provisions":1,"publication":1,"published":1,"purchase":1,"purposes":1,"questions":1,"quote":1,"rate":1,"receipt":1,"record":3,"ref141431774":2,"ref141431793":1,"regarding":1,"regulatory":1,"relating":2,"relation":3,"relevant":2,"remedial":1,"remote":2,"renewed":1,"report":1,"request":4,"requested":3,"require":1,"required":5,"requirements":3,"requires":1,"requiring":1,"resource":1,"respect":1,"respond":1,"respondent":22,"respondents":3,"responding":2,"response":23,"responses":4,"result":2,"resultant":1,"rfi":20,"rfq":1,"rft":1,"rules":2,"s":12,"safety":1,"same":2,"satisfactory":4,"second":6,"section":11,"sections":1,"see":2,"seperate":1,"services":1,"set":1,"shadow":1,"shortlist":1,"should":16,"shown":1,"significant":1,"similar":2,"so":3,"solutions":1,"spreadsheet":1,"stage":6,"statement":5,"stating":1,"stimulate":1,"str":4,"subcontractor":3,"subcontractors":1,"subject":3,"submitted":1,"successful":3,"such":1,"supersede":1,"supplier":15,"suppliers":8,"supplies":3,"supply":1,"svg":4,"t369466":1,"table":14,"targets":1,"tax":3,"techn
ical":3,"tender":3,"term":1,"termination":1,"terms":2,"than":2,"that":20,"the":85,"their":4,"them":1,"these":4,"they":2,"this":15,"time":5,"to":37,"treasury":1,"trial":1,"under":3,"undertaken":2,"unpaid":1,"use":1,"uses":1,"valid":4,"value":1,"viable":1,"was":1,"website":3,"welfare":1,"wge":2,"wgea":4,"where":3,"whether":1,"which":2,"while":1,"who":1,"will":6,"with":12,"workplace":3,"would":1,"www":6}},{"dl":1632,"n":"src-04-part3a-response-technical","s":"sources/src-04-part3a-response-technical","secs":[{"h":"How-To","l":1,"t":"| **RFI-15434 Provision of Biometric Liveness Detection Solutions that can support the strategic objectives of the myID app.** |  |  | |----|----|----| |  | ***Steps to complete SoR Response Form*** | Notes | | 1.0 | In Column D - Select Response compliance for each criteria using the drop down menu |  | | 2.0 | Column E - Add response to criteria and include an explanation on how you meet the criteria |  | | 3.0 | Complete and Return the Security documents: FOCI Form |  | |  | The Tenderer should identify in the Part 3a RFI Response Form – Technical, each instance where either it, or its offer, only partially complies, or does not comply, with an item or paragraph in the Part 2 – Statement of Requirements: |  | |  | Where an item or paragraph is of an informative nature only, the Respondent should select “Partially complies” if it only partially understands and accepts it, or “Does not comply” if it does not understand and accept it, otherwise the Respondent will be taken to have understood and accepted it. |  | |  |  |  | |  | Should you wish to supply additional information that will not fit into the Excel document, please supply them as attachments to the response and indicate what attachment is relevant to the Statement of Requirement. 
|  |"},{"h":"SoR Response","l":14,"t":"| \\# | Description | Criticality | Response Compliance | Vendor Comments |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----| | Biometric Capture and Liveness Detection |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | LV-1 | The solution MUST capture biometric images of sufficient quality for biometric comparison, complying with ISO/IEC 29794-5 when generating the image quality profile of the acquired image. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  | Partially Compliant | | LV-2 | The solution MUST implement automated image-quality controls within its biometric capability and provide clear user-interface guidance to direct a user to capture an image that meets the required image quality profile. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  | Non-Compliant | | LV-3 | The solution MUST employ presentation attack detection (PAD) to determine whether the acquired image originates from a living human subject present at the point of capture. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | LV-4 | The solution MUST complete image capture and presentation attack detection (PAD) as part of a single continuous process before the image is submitted to the ATO system for online biometric verification to prevent exploitation via separation of acquisition and PAD. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | LV-5 | The solution MUST ensure PAD technology meets at least Evaluation Assurance Level 2 (Level B) as defined by ISO/IEC 30107-3:2023 and the Digital ID (Accreditation) Data Standards. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | LV-6 | The solution MUST have been tested or validated by a qualified third-party biometric testing entity experienced in ISO/IEC 30107 to evidence the PAD meets Evaluation Assurance Level 2 (Level B) requirements. 
| Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Technical Verification and Biometric Binding |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | TV-1 | When performing technical verification of a foreign ePassport, the solution MUST: a. Comply with the relevant sections of ICAO Doc 9303 for remote Public Key Infrastructure (PKI) verification; and b. Check any published certificate revocation lists (CRLs) or equivalent mechanisms to determine if the ePassport has been cancelled. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | TV-2 | When conducting online biometric binding, the solution MUST: • Complete binding within a single continuous workflow; • Include liveness detection as part of presentation attack detection (PAD); • Execute PAD at the point of capture; • Complete capture and PAD prior to submission for biometric binding; and • Use PAD technology that incorporates data from both the data capture subsystem and system-level monitoring consistent with ISO/IEC 30107-1 | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | TV-3 | The solution MUST demonstrate, with a minimum 90% confidence interval, that its biometric matching algorithm achieves a False Match Rate (FMR) of no more than 0.01% and a False Non-Match Rate (FNMR) of no more than 3%, in accordance with ISO/IEC TS 19795-9:2019. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Scalability |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | S-1 | The solution MUST be scalable to ensure performance requirements are met under variable and increasing usage patterns. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | S-2 | The solution MUST support SaaS solution. 
| Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Performance |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | P-1 | The solution MUST support peak loads of 10,000 verifications per hour with a 95th percentile response time ≤ 1000 ms. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | P-2 | The Tenderer MUST provide: (i) Licensed Software performance metrics and test regimes used; (ii) Licensed Software infrastructure design specifications and (iii) A Software Capacity Plan and supplier strategies for scaling. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Availability |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | A-1 | The solution MUST achieve or exceed 99.95% availability. (Note: ATO provides cloud infrastructure where applicable.) | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Hosting |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | H-1 | The solution MUST be a cloud-hosted Software as a Service (SaaS) offering, delivered via a secure, scalable, and vendor-managed environment. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | H-2 | If cloud-based, the Tenderer MUST describe connectivity with current AWS technologies and services, connectivity methods (e.g., AWS PrivateLink) and resources required from ATO to support connectivity. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Integration |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | IN-1 | The solution MUST support the Microsoft MAUI development environment and provide bindings for client API access. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | IN-2 | The solution MUST support operation through standard web browsers in addition to mobile platforms. 
This includes providing a seamless and secure user experience for individuals completing liveness verification via browser-based channels (e.g., Chrome, Safari, Edge, Firefox). | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | IN-3 | Where the solution is not hosted within an ATO Software Service, the solution MUST NOT require server affinity. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | IN-4 | The solution MUST support silent automated deployments, including infrastructure setup (IaaS), where ATO is responsible for deployment. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | IN-5 | The Tenderer SHOULD provide two short case studies demonstrating delivery of similar services in high-volume, large-scale deployments, including references. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  |"},{"h":"Compliance","l":55,"t":"| \\# | Description | Criticality | Response Compliance | Vendor Comments |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----| | Security and Confidentiality |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | SC-1 | The solution MUST be able to show evidence of ability to comply with PSPF, ISM, Essential 8 requirements and other security requirements as defined in Digital ID Act 2024. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  | Partially Compliant | | SC-2 | The solution MUST be able to demonstrate ability to comply with the Australian Privacy Principles. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  | Non-Compliant | | SC-3 | The solution SHOULD secure all collected, held or used data (Personal Information, ATO Data, ATO Material, and inter-agency information) in use and at rest using ASD-approved cryptographic algorithms consistent with the Australian Government ISM or NIST. 
| Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | | SC-4 | The solution SHOULD include controls to ensure integrity of data generated within the client software or provided to the Facial Verification Service. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | | SC-5 | The solution/service MUST NOT transfer Personal Information outside Australia. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | SC-6 | The solution MUST be capable of meeting relevant ISM controls to allow the ATO's Information Security Advisor to issue certification at the PROTECTED level. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | SC-7 | All Personal and ATO data MUST be hosted and stored in Australia and comply with Australian data sovereignty laws and the Data Hosting Certification Framework. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | SC-8 | The Tenderer SHOULD list all products used in delivery of Licensed Software, their function, whether third-party, and any access those products have to user data. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Operations, Support and Maintenance |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Operations |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-1 | The Tenderer MUST Provide secure, isolated non-production (production environments) coupled with 24x7 monitoring. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-2 | The solution SHOULD enable dynamic, automated test environments with integration testing. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-3 | The provider MUST maintain data sovereignty and provide internal real-time service status visibility. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-4 | The solution MUST continuously monitor access and privileged activities. 
| Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-5 | The Tenderer MUST provide assurance that system access is limited to approved IP ranges that are regionally localised. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-6 | The solution SHOULD provide mechanisms to detect early indicators of stress or coercion among personnel interacting with sensitive systems. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-7 | The solution MUST deliver real-time alerts for high-risk or policy-violating behaviors, including biometric failures. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-8 | The solution SHOULD support tiered alerting based on risk severity and detect abnormal access or potential data loss incidents. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-9 | The solution MUST provide Australian-based NV1-cleared support, maintain compliance with ISM timelines, deliver governance reporting, and enable secure incident management via an iRAP-certified portal. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | OP-10 | The Tenderer MUST offer dedicated helpdesk, roadmap for fraud prevention, knowledge transfer, and demonstrate experience with government identity systems and security certifications as well as SLA mgt and governance. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Vendor Implementation, Support & Maintenance |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | VISM-1 | The Tenderer MUST provide solution-specific support and troubleshooting via a formal helpdesk function. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | VISM-2 | The Tenderer MUST provide documented processes, manuals and operational instructions to support the solution. 
| Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | VISM-3 | The Tenderer MUST provide ongoing support to ensure software is kept up to date with regular patching and updates. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | VISM-4 | The solution MUST provide ongoing platform maintenance services. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | VISM-5 | The Tenderer SHOULD provide roadmaps and planned updates in fraud prevention and identity technology. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | | VISM-6 | The Tenderer SHOULD demonstrate proven experience in successful implementation of similar systems in other Government Agencies. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | | VISM-7 | The Tenderer SHOULD describe emerging technologies and recommendations based on vendor research. | Desirable |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Maintainability |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | M-1 | The Tenderer MUST keep Licensed Software up-to-date through maintenance and patches (including security patches) for the Licensed Software and any third-party components. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Reporting and Monitoring |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | RM-1 | The solution MUST centrally log system activity, including security setting modifications, verification activities, and support shipping logs to ATO’s logging system. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | RM-2 | The solution MUST provide configurable metrics, dashboards and drill-down visualisations (e.g., capture time statistics, failure to enrol/acquire rates). | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | RM-3 | The solution MUST provide ATO with appropriate access to view logs (requests, response payloads and processing status) for troubleshooting. 
| Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | RM-4 | The Tenderer MUST describe monitoring capability or integration options. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | User Experience and Accessibility |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | UX-1 | The solution MUST support Mobile First and Responsive Web Design methodologies. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | UX-2 | The Tenderer MUST provide UI standards, UI screen designs, and UX documentation including user flow mappings. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | UX-3 | The solution MUST conform to WCAG 2.1 Level AA for mobile and web browser experiences. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  | | UX-4 | The solution MUST provide the ATO with the ability to customise user experience elements. | Mandatory |  |  |  |  |  |  |  |  |  |  |  |  |  |"}],"tf":{"0":4,"000":1,"01":1,"1":16,"10":2,"1000":1,"15434":1,"19795":1,"2":16,"2019":1,"2023":1,"2024":1,"24x7":1,"29794":1,"3":11,"30107":3,"3a":1,"4":7,"5":6,"6":4,"7":3,"8":3,"9":2,"90":1,"9303":1,"95":1,"95th":1,"99":1,"a":18,"aa":1,"ability":3,"able":2,"abnormal":1,"accept":1,"accepted":1,"accepts":1,"access":6,"accessibility":1,"accordance":1,"accreditation":1,"achieve":1,"achieves":1,"acquire":1,"acquired":2,"acquisition":1,"act":1,"activities":2,"activity":1,"add":1,"addition":1,"additional":1,"advisor":1,"affinity":1,"agencies":1,"agency":1,"alerting":1,"alerts":1,"algorithm":1,"algorithms":1,"all":3,"allow":1,"among":1,"an":7,"and":59,"any":3,"api":1,"app":1,"applicable":1,"appropriate":1,"approved":2,"are":2,"as":8,"asd":1,"assurance":3,"at":5,"ato":12,"attachment":1,"attachments":1,"attack":3,"australia":2,"australian":4,"automated":3,"availability":2,"aws":2,"b":3,"based":5,"be":7,"been":2,"before":1,"behaviors":1,"binding":4,"bindings":1,"biometric":12,"both":1,"browser":2,"browsers":1,"by":2,"can":1,"cancelled":1,"capability":2,"ca
pable":1,"capacity":1,"capture":9,"case":1,"centrally":1,"certificate":1,"certification":2,"certifications":1,"certified":1,"channels":1,"check":1,"chrome":1,"clear":1,"cleared":1,"client":2,"cloud":3,"coercion":1,"collected":1,"column":2,"comments":2,"comparison":1,"complete":5,"completing":1,"compliance":5,"compliant":4,"complies":2,"comply":6,"complying":1,"components":1,"conducting":1,"confidence":1,"confidentiality":1,"configurable":1,"conform":1,"connectivity":3,"consistent":2,"continuous":2,"continuously":1,"controls":3,"coupled":1,"criteria":3,"criticality":2,"crls":1,"cryptographic":1,"current":1,"customise":1,"d":1,"dashboards":1,"data":12,"date":2,"dedicated":1,"defined":2,"deliver":2,"delivered":1,"delivery":2,"demonstrate":4,"demonstrating":1,"deployment":1,"deployments":2,"describe":3,"description":2,"design":2,"designs":1,"desirable":9,"desireable":1,"detect":2,"detection":5,"determine":2,"development":1,"digital":2,"direct":1,"doc":1,"document":1,"documentation":1,"documented":1,"documents":1,"does":3,"down":2,"drill":1,"drop":1,"dynamic":1,"e":4,"each":2,"early":1,"edge":1,"either":1,"elements":1,"emerging":1,"employ":1,"enable":2,"enrol":1,"ensure":4,"entity":1,"environment":2,"environments":2,"epassport":2,"equivalent":1,"essential":1,"evaluation":2,"evidence":2,"exceed":1,"excel":1,"execute":1,"experience":5,"experienced":1,"experiences":1,"explanation":1,"exploitation":1,"facial":1,"failure":1,"failures":1,"false":2,"firefox":1,"first":1,"fit":1,"flow":1,"fmr":1,"fnmr":1,"foci":1,"for":14,"foreign":1,"form":3,"formal":1,"framework":1,"fraud":2,"from":3,"function":2,"g":3,"generated":1,"generating":1,"governance":2,"government":3,"guidance":1,"h":2,"has":1,"have":3,"held":1,"helpdesk":2,"high":2,"hosted":3,"hosting":2,"hour":1,"how":2,"human":1,"i":1,"iaas":1,"icao":1,"id":2,"identify":1,"identity":2,"iec":5,"if":4,"ii":1,"iii":1,"image":8,"images":1,"implement":1,"implementation":2,"in":19,"incident":1,"incidents":1,"include":3,"includes":1,"inc
luding":6,"incorporates":1,"increasing":1,"indicate":1,"indicators":1,"individuals":1,"information":5,"informative":1,"infrastructure":4,"instance":1,"instructions":1,"integration":3,"integrity":1,"inter":1,"interacting":1,"interface":1,"internal":1,"interval":1,"into":1,"ip":1,"irap":1,"is":7,"ism":4,"iso":5,"isolated":1,"issue":1,"it":6,"item":2,"its":3,"keep":1,"kept":1,"key":1,"knowledge":1,"large":1,"laws":1,"least":1,"level":7,"licensed":5,"limited":1,"list":1,"lists":1,"liveness":4,"living":1,"loads":1,"localised":1,"log":1,"logging":1,"logs":2,"loss":1,"lv":6,"m":1,"maintain":2,"maintainability":1,"maintenance":4,"managed":1,"management":1,"mandatory":45,"manuals":1,"mappings":1,"match":2,"matching":1,"material":1,"maui":1,"mechanisms":2,"meet":1,"meeting":1,"meets":3,"menu":1,"met":1,"methodologies":1,"methods":1,"metrics":2,"mgt":1,"microsoft":1,"minimum":1,"mobile":3,"modifications":1,"monitor":1,"monitoring":4,"more":2,"ms":1,"must":45,"myid":1,"nature":1,"nist":1,"no":2,"non":4,"not":7,"note":1,"notes":1,"nv1":1,"objectives":1,"of":24,"offer":2,"offering":1,"on":3,"ongoing":2,"online":2,"only":3,"op":10,"operation":1,"operational":1,"operations":2,"options":1,"or":15,"originates":1,"other":2,"otherwise":1,"outside":1,"p":2,"pad":9,"paragraph":2,"part":4,"partially":5,"party":3,"patches":2,"patching":1,"patterns":1,"payloads":1,"peak":1,"per":1,"percentile":1,"performance":3,"performing":1,"personal":3,"personnel":1,"pki":1,"plan":1,"planned":1,"platform":1,"platforms":1,"please":1,"point":2,"policy":1,"portal":1,"potential":1,"present":1,"presentation":3,"prevent":1,"prevention":2,"principles":1,"prior":1,"privacy":1,"privatelink":1,"privileged":1,"process":1,"processes":1,"processing":1,"production":2,"products":2,"profile":2,"protected":1,"proven":1,"provide":18,"provided":1,"provider":1,"provides":1,"providing":1,"provision":1,"pspf":1,"public":1,"published":1,"qualified":1,"quality":4,"ranges":1,"rate":2,"rates":1,"real":2,"recommendations":1,"refer
ences":1,"regimes":1,"regionally":1,"regular":1,"relevant":3,"remote":1,"reporting":2,"requests":1,"require":1,"required":2,"requirement":1,"requirements":5,"research":1,"resources":1,"respondent":2,"response":10,"responsible":1,"responsive":1,"rest":1,"return":1,"revocation":1,"rfi":2,"risk":2,"rm":4,"roadmap":1,"roadmaps":1,"s":4,"saas":2,"safari":1,"sc":8,"scalability":1,"scalable":2,"scale":1,"scaling":1,"screen":1,"seamless":1,"sections":1,"secure":5,"security":7,"select":2,"sensitive":1,"separation":1,"server":1,"service":5,"services":3,"setting":1,"setup":1,"severity":1,"shipping":1,"short":1,"should":13,"show":1,"silent":1,"similar":2,"single":2,"sla":1,"software":10,"solution":41,"solutions":1,"sor":2,"sovereignty":2,"specific":1,"specifications":1,"standard":1,"standards":2,"statement":2,"statistics":1,"status":2,"steps":1,"stored":1,"strategic":1,"strategies":1,"stress":1,"studies":1,"subject":1,"submission":1,"submitted":1,"subsystem":1,"successful":1,"sufficient":1,"supplier":1,"supply":2,"support":16,"system":5,"systems":3,"taken":1,"technical":3,"technologies":2,"technology":3,"tenderer":17,"test":2,"tested":1,"testing":2,"than":2,"that":7,"the":93,"their":1,"them":1,"third":3,"this":1,"those":1,"through":2,"tiered":1,"time":4,"timelines":1,"to":39,"transfer":2,"troubleshooting":2,"ts":1,"tv":3,"two":1,"ui":2,"under":1,"understand":1,"understands":1,"understood":1,"up":2,"updates":2,"usage":1,"use":2,"used":3,"user":7,"using":2,"ux":5,"validated":1,"variable":1,"vendor":5,"verifaction":1,"verification":6,"verifications":1,"via":5,"view":1,"violating":1,"visibility":1,"vism":7,"visualisations":1,"volume":1,"wcag":1,"web":3,"well":1,"what":1,"when":3,"where":5,"whether":2,"will":2,"wish":1,"with":19,"within":4,"workflow":1,"you":2}},{"dl":297,"n":"src-05-part4-response-financial","s":"sources/src-05-part4-response-financial","secs":[{"h":"","l":1,"t":"|     | |-----| [TABLE] ![](media/image1.png) Part 4 – RFI Response Form – Financial"},{"h":"RFI 
Response Form – Financial","l":10,"t":""},{"h":"Introduction","l":12,"t":""},{"h":"The RFI Response Forms","l":14,"t":"This Request for Information (**RFI**) includes 5 RFI Response Forms: - [Part 3 – RFI Response Form – General](#_Ref141431774), - Part 3a – RFI Response Form – Technical (Excel Spreadsheet), - [Part 4 – RFI Response Form – Financial](#_Ref141431793) and - Part 4a – RFI Response Form – Pricing Table Response (Excel Spreadsheet). - Attachment A – FOCI form In their Responses, suppliers should respond to the questions, and supply the information and materials, in the same order and under the same headings as shown in these RFI Response Forms. [TABLE]"},{"h":"About this Part","l":32,"t":"This [Part 4 – RFI Response Form – Financial](#_Ref141431793) describes the Conditions for Participation, and the general and technical information that suppliers should provide in their Responses. It includes the following sections: - [Section 1 – The Respondent](#section) - [Section 2 – Financial capacity](#section-2-financial-capacity) - [Section 3 – Pricing and payment basis](#section-3-pricing-and-payment-basis) - [Section 4 – Response price](#section-4-response-price) | ![Information](media/image3.svg) | This RFI Response Form has tables with areas where suppliers can directly insert their responses. | |----|----| ##"},{"h":"Section 1 – The Respondent","l":49,"t":"The Respondent should provide the following information to identify itself. If this Response is submitted by a Responding Group, provide details for the lead member only. 
| Respondent’s details         |            |       |            | |------------------------------|------------|-------|------------| | Full legal name:             | \\<insert\\> |       |            | | Trading name (if different): | \\<insert\\> |       |            | | Entity identifier:           | ☐          | ABN:  | \\<insert\\> | |                              | ☐          | ACN:  | \\<insert\\> | |                              | ☐          | ARBN: | \\<insert\\> |"},{"h":"Section 2 – Financial capacity","l":61,"t":"[TABLE]"},{"h":"Section 3 – Pricing and payment basis","l":65,"t":"The Respondent’s prices and pricing must be supplied on the following basis: [TABLE]"},{"h":"Section 4 – Response price","l":71,"t":"The Respondent should provide full details of all the prices and price structure it responses as its Response Price, including all fees and charges the Respondent proposes to be paid by the ATO: [TABLE]"}],"tf":{"1":2,"2":3,"3":4,"3a":1,"4":6,"4a":1,"5":1,"a":2,"abn":1,"about":1,"acn":1,"all":2,"and":12,"arbn":1,"areas":1,"as":2,"ato":1,"attachment":1,"basis":4,"be":2,"by":2,"can":1,"capacity":3,"charges":1,"conditions":1,"describes":1,"details":3,"different":1,"directly":1,"entity":1,"excel":2,"fees":1,"financial":7,"foci":1,"following":3,"for":3,"form":9,"forms":3,"full":2,"general":2,"group":1,"has":1,"headings":1,"identifier":1,"identify":1,"if":2,"image1":1,"image3":1,"in":4,"includes":2,"including":1,"information":5,"insert":6,"introduction":1,"is":1,"it":2,"its":1,"itself":1,"lead":1,"legal":1,"materials":1,"media":2,"member":1,"must":1,"name":2,"of":1,"on":1,"only":1,"order":1,"paid":1,"part":7,"participation":1,"payment":3,"png":1,"price":5,"prices":2,"pricing":5,"proposes":1,"provide":4,"questions":1,"ref141431774":1,"ref141431793":2,"request":1,"respond":1,"respondent":7,"responding":1,"response":17,"responses":4,"rfi":12,"s":2,"same":2,"section":12,"sections":1,"should":4,"shown":1,"spreadsheet":2,"structure":1,"submitted":1,"supplied":1
,"suppliers":3,"supply":1,"svg":1,"table":6,"tables":1,"technical":2,"that":1,"the":19,"their":3,"these":1,"this":5,"to":3,"trading":1,"under":1,"where":1,"with":1}},{"dl":928,"n":"src-06-part4a-response-pricing","s":"sources/src-06-part4a-response-pricing","secs":[{"h":"Cover","l":1,"t":"|  | Request for Quotation |  | |----|----|----| |  |  |  | |  |  |  | |  |  |  | |  | Provision of xxxxx |  | |  | RFI-15434 |  | |  |  |  | |  |  |  | |  |  |  | |  |  |  | |  |  |  | |  |  |  | |  |  |  | |  | Request for Information |  | |  | RFI-15434 - Biometric Verification Capabilities to Support myID |  | |  |  |  | |  |  |  | |  |  |  | |  | Attachment A – Pricing Tables |  | |  | Australian Taxation Office | Unclassified |"},{"h":"Notes","l":25,"t":"|     |     |     |     |     |     |     |     |     |     |     |     |     |     |     | |-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|-----|"},{"h":"Table of Contents","l":30,"t":"|  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----| |  | Table of Contents |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | **Table** | Contents |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | **Table T1** | *Software Licensing* |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | Table T2 | Tiered Discounts |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | Table T3 | *One off costs* |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | Table T4 | *Ongoing Support and Maintenance* |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | Table T5 | Labour Rates |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  
|  |"},{"h":"T1 - Software Licensing","l":43,"t":"| **Table T1 - Software Licensing** |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----|----|----| | **Notes** |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | ***1. All charges associated with the provision of the Licensed Software (other than support) should be listed in this table.*** | ** | ** | ** | ** | ** | ** | ** | ** | ** | ** | ** | ** | ** |  | | **2. Additional categories or rows can be added as required.** |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 3\\. For evaluation reasons, Tenderers MUST propose pricing for both a perpetual licence model (SP1.1), and a subscription pricing model if both models are commercially available by the Tenderer (SP1.2). |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 4\\. In relation to a perpetual licence, please specify if it includes Year 1 Support and Maintenance, if not insert costs in T3 for Year 1, Year 2 and Year 3 as applicable. |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 5\\. In relation to a subscription licence, please specify if it includes Support and Maintenance, if not insert costs in T3 |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 6\\. If an unlimited licence option is available, please provide an unlimited licence option in addition to any standard licence models. |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 7\\. All amounts are to be GST exclusive. |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 8\\. For amounts subject to foreign currency variations nominate the currency. 
|  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | INITIAL CONTRACT PERIOD SOFTWARE LICENSING - FROM COMMENCEMENT 12 MONTHS AND 36 MONTH TERM OPTION |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **SP1.1 - Perpetual licence model** |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **Perpetual Software Licence (One Time) \\[Tenderer to insert line items for each item of Software being licensed.\\]** | **Quantity** | **Rate** | **Total** | Foreign Currency | Pricing Assumptions |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | | Total Software Licence cost |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **SP1.2 - Subscription licence model** |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **SP1.2.1 Subscription Software Licence \\[Tenderer to insert line items for each item of Software being licensed.\\]** | **Year 1** | **Year 2** | **Year 3** | **Total cost over term** | Foreign Currency | Pricing Assumptions |  |  |  |  |  |  |  |  | |  |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  | |  |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Total Software Licence cost | 0.0 | 0.0 | 0.0 | 0.0 |  |  |  |  |  |  |  |  |  |  |"},{"h":"T2 - Tiered Discounts","l":80,"t":"| Table T2 - Tiered Discounts |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----|----|----| | Notes |  |  |  |  |  |  |  |  |  
|  |  |  |  |  | | 1\\. A breakdown of each tier software package should be listed in this table. |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 2\\. Additional categories or rows can be added as required. |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 3\\. All amounts are to be GST exclusive. |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 4\\. For amounts subject to foreign currency variations nominate the currency. |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 5\\. There is no need to complete this table if tiered discounts do not apply |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | INITIAL CONTRACT PERIOD SOFTWARE LICENSING - FROM COMMENCEMENT 12 MONTHS TO FUTURE STATE |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | SP2.1 - Tier Licence Model |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Product Description \\[Tenderer to insert line items for each tier system.\\] | Tier (Users) | Unit Type | Unit charge (GST exclusive) | Minimum Units | Invoicing Frequency |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | | Total Software Licence cost |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Example: |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Product Description | Tier (Users) | Unit Type | Unit charge (GST exclusive) | Minimum Unit Requirements | Invoicing Frequency |  |  |  |  |  |  |  |  |  | | Software Product A | 1 - 50 | User | 7500.0 | 1.0 | Annually in advanced |  |  |  |  |  |  |  |  |  | | Software Product A | 51 - 100 | User | 5500.0 | 51.0 | Annually in advanced |  |  |  |  |  |  |  |  |  | | Software Product B | 1 - 50 | User | 8500.0 | 1.0 | Annually in 
advanced |  |  |  |  |  |  |  |  |  | | Software Product B | 51 - 100 | User | 8000.0 | 51.0 | Annually in advanced |  |  |  |  |  |  |  |  |  |"},{"h":"T3 - One off costs","l":110,"t":"| **Table T3 - One off costs** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----| | **Notes** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | ***1. Tenderers should identify all one off costs in this table (including any expected pass-though costs).*** | ** | ** | ** | ** | ** | ** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **2. Additional categories or rows can be added as required.** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **3. All amounts are to be GST exclusive.** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | 4\\. For amounts subject to foreign currency variations nominate the currency. |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | ***5. 
Include in this section Training and One Time Services Implementation / Establishement costs*** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **SS2.1 - One off costs** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | **SP2.1.1 One off costs \\[Tenderer to insert line items for each one off cost.\\]** | **Quantity** | **Rate** | **Total** | Foreign Currency | Pricing Assumptions |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | | Total One off costs |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |"},{"h":"T4 - Ongoing Support and Maint","l":129,"t":"| **Table T4 - Ongoing Support and Maintenance** |  |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----| | **Notes** |  |  |  |  |  |  |  |  |  |  |  |  | | 1\\. All ongoing monthly support and maintenance charges should be listed in this table (ie all charges required to deliver the Contract support and maintenance requirements other than those costs covered in Tables T1 and T2. For example, support and maintenance charges should include the recurring charges associated with requirement for support and maintenance of perpetual licences or additional support fees for subscription licenses. |  |  |  |  |  |  |  |  |  |  |  |  | | **2. Tenderers MAY either insert one line item for all support, or separate line items for each item of support.** |  |  |  |  |  |  |  |  |  |  |  |  | | **3. All amounts are to be GST exclusive.** |  |  |  |  |  |  |  |  |  |  |  |  | | 4\\. 
For amounts subject to foreign currency variations enter nominate the currency. |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  | | **SS3.1 - Ongoing Support and Maintenance** |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  | | **Ongoing Support and Maintenance costs \\[Tenderer to insert one line item for all support, or separate line items for each item of support.\\]** | **Year 1** | **Year 2** | **Year 3** | **Total cost over term** | Foreign Currency | Pricing Assumptions |  |  |  |  |  |  | |  |  |  |  | 0.0 |  |  |  |  |  |  |  |  | |  |  |  |  | 0.0 |  |  |  |  |  |  |  |  | |  |  |  |  | 0.0 |  |  |  |  |  |  |  |  | | Total Support costs | 0.0 | 0.0 | 0.0 | 0.0 |  |  |  |  |  |  |  |  |"},{"h":"T5 - Labour Rates","l":148,"t":"|  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----|----| |  | Table T5: Labour Rates |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | \\[Note: Tenderers should insert in this Table T4 the daily labour rates that will apply to any ad hoc work agreed under a change order\\] |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | Notes |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | 1\\. This Table sets out the Labour Rates that will apply. |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | 2\\. The Tenderer should provide a daily rate that will apply for the Contract Period. |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | 3\\. All amounts are to be GST exclusive. 
|  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  | **LR5.1 Labour Rates \\[Tenderer to insert daily rates for each possible required role.\\]** | Hourly rate (ex GST) | **Daily Rate 8 hours (ex GST)** |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  
|  |  |  |  |  |  |  |  |  |  |  | |  |  |  | 0.0 |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |  |"}],"tf":{"0":92,"1":22,"100":2,"12":2,"15434":2,"2":11,"3":8,"36":1,"4":4,"5":3,"50":2,"51":4,"5500":1,"6":1,"7":1,"7500":1,"8":2,"8000":1,"8500":1,"a":10,"ad":1,"added":3,"addition":1,"additional":4,"advanced":4,"agreed":1,"all":11,"amounts":9,"an":2,"and":16,"annually":4,"any":3,"applicable":1,"apply":4,"are":6,"as":4,"associated":2,"assumptions":4,"attachment":1,"australian":1,"available":2,"b":2,"be":11,"being":2,"biometric":1,"both":2,"breakdown":1,"by":1,"can":3,"capabilities":1,"categories":3,"change":1,"charge":2,"charges":5,"commencement":2,"commercially":1,"complete":1,"contents":3,"contract":4,"cost":6,"costs":14,"cover":1,"covered":1,"currency":12,"daily":4,"deliver":1,"description":2,"discounts":4,"do":1,"each":8,"either":1,"enter":1,"establishement":1,"evaluation":1,"ex":2,"example":2,"exclusive":7,"expected":1,"fees":1,"for":22,"foreign":8,"frequency":2,"from":2,"future":1,"gst":9,"hoc":1,"hourly":1,"hours":1,"identify":1,"ie":1,"if":7,"implementation":1,"in":16,"include":2,"includes":2,"including":1,"information":1,"initial":2,"insert":10,"invoicing":2,"is":2,"it":2,"item":6,"items":6,"labour":6,"licence":14,"licences":1,"licensed":3,"licenses":1,"licensing":5,"line":8,"listed":3,"lr5":1,"maint":1,"maintenance":10,"may":1,"minimum":2,"model":5,"models":2,"month":1,"monthly":1,"months":2,"must":1,"myid":1,"need":1,"no":1,"nominate":4,"not":3,"note":1,"notes":6,"of":10,"off":8,"office":1,"one":12,"ongoing":6,"option":3,"or":6,"order":1,"other":2,"out":1,"over":2,"package":1,"pass":1,"period":3,"perpetual":5,"please":3,"possible":1,"pricing":7,"product":6,"propose":1,"provide":2,"provision":2,"quantity":2,"quotation":1,"rate":5,"rates":7,"reasons":1,"recurring":1,"relation":2,"request":2,"required":5,"requirement":1,"requirements":2,"rfi":2,"role":1,"rows":3,"section":1,"separate":2,"services":1,"sets":1,"should":7,"software":18,"sp1":5,
"sp2":2,"specify":2,"ss2":1,"ss3":1,"standard":1,"state":1,"subject":4,"subscription":5,"support":19,"system":1,"t1":4,"t2":4,"t3":5,"t4":4,"t5":3,"table":20,"tables":2,"taxation":1,"tenderer":8,"tenderers":4,"term":3,"than":2,"that":3,"the":13,"there":1,"this":8,"those":1,"though":1,"tier":5,"tiered":4,"time":2,"to":23,"total":9,"training":1,"type":2,"unclassified":1,"under":1,"unit":5,"units":1,"unlimited":2,"user":4,"users":2,"variations":4,"verification":1,"will":3,"with":2,"work":1,"xxxxx":1,"year":10}},{"dl":673,"n":"src-07-foci-information-form","s":"sources/src-07-foci-information-form","secs":[{"h":"Foreign Ownership, Control or Influence (FOCI) Information Form","l":1,"t":""},{"h":"Purpose","l":3,"t":"This Information Form is issued to obtain information necessary for the **Australian Taxation Office (ATO)** to understand any potential FOCI associated with your organisation and the proposed goods or services. All potential suppliers *must* provide complete and accurate responses to all questions. Where a question is not applicable or information is unavailable, a clear explanation must be provided. Incomplete forms may require resubmission, and otherwise delay consideration and processing."},{"h":"Supplier Details","l":9,"t":"| Term                         | Definition | |------------------------------|------------| | **Legal entity name**        |            | | **ABN / ACN**                |            | | **Country of Incorporation** |            | | **Contact name / Position**  |            | | **Email / Phone**            |            |"},{"h":"FOCI Information Questions","l":19,"t":"1.  **Defence Industry Security Program (DISP) or Hosting Certification Framework (HCF) Status** Are you currently a member of the DISP or certified under the HCF? ☐No ☐Yes – If Yes, provide details below: 1.  Identify the relevant program (DISP and/or HCF), current membership level or certification status, and date granted. |     | |-----| 2.  
Confirm whether the goods or services being provided under this process align with or differ from those covered by your DISP membership or HCF certification and explain any differences. |     | |-----| 2.  **Ultimate Ownership and Structure** Identify your organisation’s **Ultimate Beneficial Owner(s) (UBOs)** and, where available, attach a current corporate structure diagram or organisational chart showing ownership and control relationships: | UBO Full Legal Name | % Ownership / Control | Country of Incorporation / Citizenship | |----|----|----| |  |  |  | |  |  |  | |  |  |  | |  |  |  | If UBO and/or structure information is unavailable, explain why: |     | |-----| 3.  **State Ownership or Control** Is your organisation or any of its UBOs state-controlled, majority funded by, or financially connected to a foreign government or sovereign entity? ☐No ☐Yes – If Yes, provide details below: | Foreign Government or Entity | Nature and Extent of Ownership or Control or Financial Ties | |----|----| |  |  | |  |  | |  |  | |  |  | If **No**, but a special relationship exists with a foreign government that provides benefits such as preferential contracts, state funding, or special legal status, or other privileges that may enable direction, control or influence, describe these arrangements in detail: |     | |-----| 4.  **Politically Exposed Persons (PEPs)** Are any of your organisation’s senior executives, directors or UBOs classified as PEPs under **Key Definitions** at the end of this document? ☐No ☐Yes – If Yes, provide details below: | Full Name / Role | Public Position or Function | Country | |------------------|-----------------------------|---------| |                  |                             |         | |                  |                             |         | |                  |                             |         | |                  |                             |         | 5.  
**Access to ATO Systems, Networks or Data** Will your organisation, or any personnel or systems involved in delivering the proposed goods or services, have access or connectivity to ATO systems, networks or data? ☐No ☐Yes – If Yes, provide details below: 1.  Describe how access or connectivity will occur (e.g. remote access/support, system integration, data hosting, on-site access etc): |     | |-----| 2.  Specify what type of ATO information will be accessed, stored, transformed or transmitted, and to/from which country and service provider this will occur: |     | |-----| 3.  Explain how access will be restricted to only what is required, and what safeguards or controls (e.g. authentication, encryption, segregation, monitoring etc) are in place to protect it: |     | |-----| 4.  Confirm whether any ATO information could be accessed from a foreign jurisdiction, and if so, specify the country(ies) and purpose for access: |     | |-----| **\\** 6.  **Subcontractors, Offshore Support, or Foreign-Based Personnel** Will you use any subcontractors, support providers, or foreign-based personnel to deliver or support the proposed goods or services? ☐No ☐Yes – If Yes, provide details below: | Entity / Individual | Country of Incorporation / Location | Nature of Work or Support Provided | Will They Have Access to ATO Systems, Networks or Data? If Yes, Describe the Access | |----|----|----|----| |  |  |  |  | |  |  |  |  | |  |  |  |  | If Yes, explain how you manage and control these parties and ensure access and data handling remain within agreed security parameters, including safeguards/controls in place: |     | |-----| 7.  
**Jurisdictional Obligations** Is your organisation, UBOs, or any related entities subject to laws or obligations in a jurisdiction that could: - compel disclosure of information (including ATO information), - require the cooperation with, or - enable a foreign government to access, direct, or exercise control over the products, services, hardware, software or systems you provide? ☐No ☐Yes – If Yes, provide details below: | Country / Law / Regulation | Description of Obligation | Safeguards or Controls in Place | |----|----|----| |  |  |  | |  |  |  |"},{"h":"Key Definitions","l":146,"t":"[TABLE] *Note: The definitions below are specific to this document only.*"}],"tf":{"1":3,"2":3,"3":2,"4":2,"5":1,"6":1,"7":1,"a":10,"abn":1,"access":11,"accessed":2,"accurate":1,"acn":1,"agreed":1,"align":1,"all":2,"and":20,"any":8,"applicable":1,"are":4,"arrangements":1,"as":2,"associated":1,"at":1,"ato":7,"attach":1,"australian":1,"authentication":1,"available":1,"based":2,"be":4,"being":1,"below":7,"beneficial":1,"benefits":1,"but":1,"by":2,"certification":3,"certified":1,"chart":1,"citizenship":1,"classified":1,"clear":1,"compel":1,"complete":1,"confirm":2,"connected":1,"connectivity":2,"consideration":1,"contact":1,"contracts":1,"control":8,"controlled":1,"controls":3,"cooperation":1,"corporate":1,"could":2,"country":7,"covered":1,"current":2,"currently":1,"data":5,"date":1,"defence":1,"definition":1,"definitions":3,"delay":1,"deliver":1,"delivering":1,"describe":3,"description":1,"detail":1,"details":7,"diagram":1,"differ":1,"differences":1,"direct":1,"direction":1,"directors":1,"disclosure":1,"disp":4,"document":2,"e":2,"email":1,"enable":2,"encryption":1,"end":1,"ensure":1,"entities":1,"entity":4,"etc":2,"executives":1,"exercise":1,"exists":1,"explain":4,"explanation":1,"exposed":1,"extent":1,"financial":1,"financially":1,"foci":3,"for":2,"foreign":8,"form":2,"forms":1,"framework":1,"from":3,"full":2,"function":1,"funded":1,"funding":1,"g":2,"goods":4,"government":4,"grante
d":1,"handling":1,"hardware":1,"have":2,"hcf":4,"hosting":2,"how":3,"identify":2,"ies":1,"if":11,"in":6,"including":2,"incomplete":1,"incorporation":3,"individual":1,"industry":1,"influence":2,"information":10,"integration":1,"involved":1,"is":7,"issued":1,"it":1,"its":1,"jurisdiction":2,"jurisdictional":1,"key":2,"law":1,"laws":1,"legal":3,"level":1,"location":1,"majority":1,"manage":1,"may":2,"member":1,"membership":2,"monitoring":1,"must":2,"name":4,"nature":2,"necessary":1,"networks":3,"no":7,"not":1,"note":1,"obligation":1,"obligations":2,"obtain":1,"occur":2,"of":12,"office":1,"offshore":1,"on":1,"only":2,"or":45,"organisation":6,"organisational":1,"other":1,"otherwise":1,"over":1,"owner":1,"ownership":6,"parameters":1,"parties":1,"peps":2,"personnel":3,"persons":1,"phone":1,"place":3,"politically":1,"position":2,"potential":2,"preferential":1,"privileges":1,"process":1,"processing":1,"products":1,"program":2,"proposed":3,"protect":1,"provide":8,"provided":3,"provider":1,"providers":1,"provides":1,"public":1,"purpose":2,"question":1,"questions":2,"regulation":1,"related":1,"relationship":1,"relationships":1,"relevant":1,"remain":1,"remote":1,"require":2,"required":1,"responses":1,"restricted":1,"resubmission":1,"role":1,"s":3,"safeguards":3,"security":2,"segregation":1,"senior":1,"service":1,"services":5,"showing":1,"site":1,"so":1,"software":1,"sovereign":1,"special":2,"specific":1,"specify":2,"state":3,"status":3,"stored":1,"structure":3,"subcontractors":2,"subject":1,"such":1,"supplier":1,"suppliers":1,"support":5,"system":1,"systems":5,"table":1,"taxation":1,"term":1,"that":3,"the":14,"these":2,"they":1,"this":5,"those":1,"ties":1,"to":14,"transformed":1,"transmitted":1,"type":1,"ubo":2,"ubos":4,"ultimate":2,"unavailable":2,"under":3,"understand":1,"use":1,"what":3,"where":2,"whether":2,"which":1,"why":1,"will":7,"with":4,"within":1,"work":1,"yes":14,"you":4,"your":7}}]}