
FOI 24/25-1356 - DISCLOSURE LOG
OFFICIAL
System State
The Microsoft Copilot trial will enable NDIA to use the existing NDIA Operating environment
to add the Microsoft Copilot 365 features.
The following diagram (Figure 1: Microsoft Copilot Architecture) provides a high-level overview of the proposed Microsoft 365 service boundary.
[Diagram 1: Microsoft Copilot Architecture]
Steps of data flow:
1. The user enters a prompt or query.
2. Microsoft Copilot preprocesses the prompt through an approach called grounding.
3. Microsoft Copilot sends the modified prompt to the Large Language Model (LLM).
4. Microsoft Copilot receives the LLM response.
5. Microsoft Copilot accesses Microsoft Graph for compliance and Purview.
Access Management:
Data Protection:
As per the information pack, Microsoft has confirmed that:
• Copilot for Microsoft 365 doesn’t store NDIA data outside of NDIA Azure tenancy.
• Copilot doesn’t train the LLM (the GPT AI engine of Copilot) with customer data.
• Unlike public generative AI tools, Microsoft Copilot is a paid product, designed to
meet the needs of Australian Government Security Standards.
4
OFFICIAL
Page 6 of 189
Microsoft employs a permission model that prevents unintended data leaks between users, groups, and tenants. Microsoft Copilot 365 operates within the same access controls used by the other MS 365 services, ensuring it only uses data accessible to authorised staff. The Semantic index adheres to the user identity-based access boundary, ensuring that its processes only access content authorised for the current user.
Logical isolation [2] of customer content within each tenant is implemented via Azure Active Directory authorisation and role-based access control.
Microsoft Copilot uses Azure OpenAI services for processing, not OpenAI’s publicly
available services.
Encryption: Microsoft Copilot encrypts [3] data at rest and in transit.
For customer data at rest, Microsoft Azure uses Bitlocker, Azure Storage Service Encryption, Distributed Key Manager (DKM) and Microsoft 365 service encryption. Microsoft utilises 256-bit AES encryption to encrypt data at rest.
For customer data in transit, Microsoft uses Transport Layer Security (TLS) 1.2 and Internet Protocol Security (IPsec) between user devices and Microsoft datacentres.
Information Overview: Data used by this CoPilot will consist of NDIA data stored within the
existing Microsoft 365 tenancy. CoPilot will apply the current access control and permissions
that are in place within the existing NDIA data stores. CoPilot will not have access to PACE
and will only process participant data that is stored in SharePoint.
Security and Compliance:
As per the information pack, Microsoft has confirmed that Copilot for Microsoft 365 and the
Azure platform are both in the final stages of IRAP assessment with anticipated publication
in January 2024. Both Copilot for Microsoft 365 and Azure Open AI Service (the large
language model (LLM) host platform) are in scope for the current IRAP assessments. The
IRAP report will provide the technical assessment of the entire MS 365 products (including
Copilot) against the Australian Signals Directorate’s (ASD) Information Security Manual
(ISM).
Microsoft has mapped Australian Government Standards into their own security control set,
including the ISM at PROTECTED, the Australian Privacy Principles (APP) and the PSPF.
[2] https://learn.microsoft.com/en-us/compliance/assurance/assurance-microsoft-365-isolation-controls
[3] Encryption in the Microsoft Cloud | Microsoft Learn
Risk Analysis
All assessments must consider four critical aspects when determining ICT risk:
• The ASSET you are assessing.
• The THREAT environment for the NDIA and against the ASSET specifically.
• The LIKELIHOOD of the THREAT being successful, and
• The CONSEQUENCE on the ASSET and the wider NDIA of a successful THREAT outcome.
Assets
Asset | Asset Type | Asset Criticality
NDIA Participant Data | Information-PII | Critical
NDIA Reputation | Intangible | High
Table 5. Assets in relation to the product
Threat Actors
Threat | Level of Threat
Malicious Insider | Medium
Trusted Insider | Medium
Table 6. Threat actors in relation to the product
Risk from Design
R1: Unauthorised Data Access
Associated with NDIA R5
With elevated or misconfigured permissions, NDIA users may access a wide array of sensitive participant information. Misuse of that user access through Microsoft Copilot might lead to the unauthorised retrieval or viewing of confidential data beyond the user's intended scope, potentially violating the confidentiality of information.
R2: Improper Use of Output
Associated with NDIA R5 & R2
Generative tools can produce output that is inaccurate or biased. Before sharing the information, NDIA users must validate that the output fairly and accurately reflects the data. Misuse or mishandling of Microsoft Copilot may result in unintentional sharing of NDIA participant information. Inaccurate outputs or accidental sharing of data generated through Microsoft Copilot might lead to confidential details becoming accessible to unauthorised parties.
R3: Instability in Environment
Associated with NDIA R6
The integration of Microsoft Copilot might introduce instability within the NDIA environment, potentially causing disruptions or inconsistencies in the system's functionality.
Australian Government Security Framework (AGSF)
Implications
The following are the relevant impacted areas from the Australian Government Information
Security Manual with the implementation of the reporting functionality:
Guidelines | ISM Controls
Access to Systems | ISM-1648: Privileged access to systems and applications is disabled after 45 days of inactivity.
Access to Systems | ISM-0407: A secure record is maintained for the life of each system covering the following for each user.
Access to Systems | ISM-1865: Personnel agree to abide by usage policies associated with a system and its resources before being granted access to the system and its resources.
Access to Systems | ISM-0435: Personnel receive any necessary briefings before being granted access to a system and its resources.
Data Transfers | ISM-0661: Users transferring data to and from systems are held accountable for data transfers they perform.
Inherent Risk Rating
Proposed Risk | Treatment | Associated Threats | Likelihood | Consequences | Rating
R1 | T1, T2, T3 | TE1, TE2 | 3 | A | LOW
R2 | T1, T2, T3 | TE4, TE5 | 2 | B | LOW
R3 | T4 | TE7, TE8 | 1 | C | MEDIUM
Table 7. Inherent risk rating
Overall Risk Rating
Likelihood 3 - POSSIBLE
Consequence C - MODERATE
Rating MEDIUM
Identified Treatments
Treatment ID No. | Proposed Treatment | Associated NDIA Risks | Implement Date

T1 | Process to manage information exposure incidents. | R1, R2 | End of January 2024
CoPilot will make use of data that users have existing permissions to. This has the potential to highlight issues where excessive permissions may exist. A process is to be developed that will provide users of the trial an avenue to report any incorrect or excessive permissions to data that are highlighted by CoPilot.

T2 | Restriction on any direct import of participant data | R1, R2 | End of January 2024
For the duration of the trial a restriction is placed upon any processing or importing of large volumes of participant data.

T3 | CoPilot User Awareness Training | R1, R2 | End of January
All users participating in the trial are to undertake awareness training specifically on issues relating to the usage of CoPilot functions within a business context.

T4 | Incident Disengagement Plan | R3 | End of January
A plan is to be developed to provide a process by which disengagement of CoPilot can be undertaken in the event that security or performance issues are introduced into the NDIA environment.

Table 8. Identified Treatments
Residual Risk Rating
Likelihood 2 - UNLIKELY
Consequence B - MINOR
Rating LOW
Recommendation/s
☒ ATO
☐ ATO with Conditions
Length of ATO with Conditions:
☐ NOT RECOMMENDED
Justification of Recommendation
Based upon the identified risks and on the understanding that the CoPilot system has successfully undergone an IRAP assessment with no adverse findings, the level of risk to the NDIA is assessed as LOW.
It is recommended that an Authority to Operate (ATO) be granted for the period of the trial outlined above.
CYBER USE ONLY
System Owner Notified: ☐ YES ☐ NO
Detail:
ATO Register Updated: ☐ YES ☐ NO
Detail:
Cyber Risk Register Updated: ☐ YES ☐ NO
Detail:
Risk Assessment Guidance & Matrices
Threat Sources
No. | Threat Source | Description
TS1 | Malicious Insider | NDIA end users or privileged users that seek to exploit vulnerabilities in NDIA's information systems and networks.
TS2 | External Attacker | Individuals, groups and organisations or nation states that seek to exploit vulnerabilities in NDIA's information systems and networks.
TS3 | Trusted Insider | NDIA's end users or privileged users, erroneous actions taken by whom in the course of their everyday responsibilities exposes vulnerabilities in NDIA's information systems and networks.
TS4 | Structural | Failures of equipment or software due to aging, poor design, resource depletion or other circumstances which exceed operating parameters.
TS5 | Environmental | Natural disasters and failure of critical infrastructure on which NDIA's information systems and networks depend but which are outside of the control of NDIA's management.
Table 3. Threat sources
Threat Events
No. | Threat Event | Threat Source
TE1 | Malicious Insider deliberately allows or facilitates unauthorised access to information by unauthorised entities. | TS1 and TS2
TE2 | Trusted Insider accidentally allows or facilitates unauthorised access to information by unauthorised entities. | TS3
TE3 | External Attacker conducts targeted or untargeted activities to discover, reveal, exfiltrate or capture information that has not been publicly released. | TS2
TE4 | Malicious Insider deliberately misuses their access or allows or facilitates unauthorised access to data, facilities or systems by unauthorised entities, resulting in their corruption or reliability coming into question. | TS1 and TS2
TE5 | Trusted Insider accidentally allows or facilitates unauthorised access to systems, processes or information by unauthorised entities, resulting in their corruption or reliability coming into question. | TS3
TE6 | External Attacker conducts targeted or untargeted activities to influence processing through injecting data, malicious code or configuration information, or creating deception or deleting data. | TS2
TE7 | Malicious Insider deliberately misuses their access or allows or facilitates unauthorised access to data, facilities or systems by unauthorised entities, to disrupt, damage or destroy. | TS1 and TS2
TE8 | Trusted Insider accidentally allows or facilitates systems, processes or information to be disrupted, damaged or destroyed. | TS3
TE9 | External Attacker conducts targeted or untargeted activities to disrupt processing through denial of service, injecting data, malicious code or configuration information, or deleting data. | TS2
Table 4. Threat events
Threat Level
The threat level for ICT is published on the GRC Confluence Page. This is reflected in the Enterprise Risk Assessment and the Protective Security Risk Review. The Threat Level will be reviewed quarterly in line with Risk Reporting.
When calculating the Likelihood, it is essential to understand and incorporate the threat and threat level for planning purposes.
Consequence ratings (partially recovered; the rows preceding D are not present in this extract)

[Row preceding D, fragment] Critical services unavailable or degraded for 4 – 8 hours | TCO or $500,000, whichever is less | Possible political impact on the Corporate Plan or ICT Strategy | referral | Loss of confidence by CEO/ELT

D – Major | 41 – 60% | => 1000 but <=10,000 Participants/NDIA Users impacted | Critical services unavailable or degraded for 1 business day | TCO or $500,001 to $1M, whichever is less | Significant Media Attention | Will disrupt the Corporate Plan or ICT Strategy | Potential Loss of Confidence by Minister | Potential Loss of Confidence by participants | Potential Loss of Public confidence | Loss of Confidence by the Board

E – Extreme | =>61% | >10,000 Participants impacted/NDIA Users impacted | Critical services unavailable or degraded for > 1 business day | TCO or >$1M, whichever is less | Significant Media Attention | May require adjustment of the ICT Strategy or could require advice to the Minister on the Corporate Plan | Loss of Confidence by Minister | Loss of Confidence by participants | Loss of Public confidence

Table 7. Consequences ratings
Risk Heat Map
Consequence \ Likelihood | 1 | 2 | 3 | 4 | 5
E | E/1 | E/2 | E/3 | E/4 | E/5
D | D/1 | D/2 | D/3 | D/4 | D/5
C | C/1 | C/2 | C/3 | C/4 | C/5
B | B/1 | B/2 | B/3 | B/4 | B/5
A | A/1 | A/2 | A/3 | A/4 | A/5
Risk Level legend (cell shading not preserved in this extract): LOW, MEDIUM, HIGH, CRITICAL
Table 8. Risk heat map
the primary production tenancy of participating agencies which has been available
for deployment since January 2024.
What were the Minimum requirements for trial participation?
The terms and minimum commitment for trial participation are an Agency commitment of:
• 300 Copilot for Microsoft 365 licences from agencies with 2,000 Microsoft 365 Qualified Users or more; or
• The greater of 15% of users or 10 Copilot for Microsoft 365 licences for agencies with fewer than 2,000 Microsoft 365 Qualified Users; and
• Commitment for the term of the trial.
The overall benefit from Copilot for Microsoft 365 will be impacted by how heavily invested
agencies are in their usage of Microsoft 365.
Agencies may opt to extend the term of their Copilot for Microsoft 365 licences after the
trial for a further 12 months. The DTA will be contacting agencies with more information
about extending their commitments as part of the annual licence reconciliation process.
Key steps and timeline
Training and Support
• The DTA and Microsoft will be working with participating agencies to support them,
through onboarding and readiness workshops, and additional training.
• Readiness workshops and training will be at no extra cost to agencies.
• An information pack containing FAQs addressing whole-of-government guardrails,
possible use cases, evaluation approach and other information about the trial will be
provided to trial participants early in the trial process.
Useful information
The following resources have been developed to assist with implementing AI in the APS:
Interim guidance on government use of public generative AI tools | aga (digital.gov.au)
Australia’s AI Ethics Principles | Australia’s Artificial Intelligence Ethics Framework -
Department of Industry, Science and Resources
How might artificial intelligence affect the trustworthiness of public service delivery -
PM&C (pmc.gov.au)
Product information
Copilot for Microsoft 365
Microsoft Copilot Copyright Commitment Security Information
Data, Privacy, and Security for Copilot for Microsoft 365
Microsoft Purview data security and compliance protections for Microsoft Copilot
Support and Feedback on the trial
The NDIA project team responsible for conducting the trial can be contacted via:
s47E(d) - certain operations of agencies