{"case":{"case_id":"demo-managed-network-supplier-risk","title":"Managed Network Services Supplier Procurement Risk Assessment","context":"An Australian critical infrastructure operator is assessing a managed network services supplier for operational network monitoring, managed configuration support, incident response, and service continuity across communications infrastructure supporting critical operations. The supplier operates through an Australian contracting entity, but foreign parent company exposure, offshore privileged support access, unresolved jurisdictional compulsion exposure, and operational dependency remain in scope.","status":"open","source_type":"vendor_assessment","classification":"OFFICIAL:Sensitive","owner":"demo","created_at":"2026-04-28T18:20:02.516317+00:00","updated_at":"2026-04-28T18:20:02.516317+00:00","subject_entity":"Managed Network Services Supplier (Anonymised)","subject_jurisdiction":"Australia","procurement_context":"Managed network monitoring, incident support, and configuration services for operational communications infrastructure in a critical infrastructure environment","is_demo":true},"intake":{"intake_id":"5778e467-40c1-41fc-a2d2-cb2384194c64","case_id":"demo-managed-network-supplier-risk","submitted_at":"2026-04-28T18:20:02.516850+00:00","submitted_by":"demo","completeness_score":100,"answers":[{"question_id":"OWN-01","question_text":"What is the ultimate beneficial ownership structure of the vendor entity, including all parent companies, holding entities, and beneficial owners with greater than 5% equity interest?","answer":"The Australian operating entity depends on a foreign parent company for technology licensing, capital support, and strategic platform governance. Offshore ownership exposure remains material.","confidence":92,"evidence_refs":["corporate structure pack","beneficial ownership register","board rights schedule"],"verified":true},{"question_id":"OWN-02","question_text":"Are any owners, directors, or beneficial owners subject to foreign government control, direction, or influence?","answer":"Parent-appointed directors and reserved approval rights allow the foreign parent to influence strategic, technical, and financing decisions affecting the Australian operating entity.","confidence":88,"evidence_refs":["shareholders deed","director appointment rights","investment governance memo"],"verified":true},{"question_id":"CTRL-01","question_text":"Who has operational control over the technology, systems, or services being procured, including the ability to modify, disable, or access data?","answer":"Supplier-managed tooling can modify configurations, triage incidents, and access operational network telemetry. Standing offshore privileged access exists for specialist support functions.","confidence":91,"evidence_refs":["service architecture annex","privileged access matrix","NOC operating model"],"verified":true},{"question_id":"CTRL-02","question_text":"Where is the technology developed, maintained, and updated? Which jurisdictions have physical or legal access to the source code, infrastructure, or update pipeline?","answer":"Core orchestration tooling, patch approval preparation, and maintenance workflows remain offshore. A supporting offshore vendor relationship and external software dependency remain material to service continuity.","confidence":86,"evidence_refs":["software maintenance workflow","dependency register","supplier response 4.3"],"verified":true},{"question_id":"CTRL-03","question_text":"Is any offshore support path available for specialist intervention, and under what operational controls?","answer":"Persistent offshore privileged access remains enabled for follow-the-sun incident response. Access is fully logged and restricted to a defined support enclave, but it is not contingent on event-based approval or break-glass activation.","confidence":90,"evidence_refs":["support runbook","access review","remote administration process"],"verified":true},{"question_id":"INF-01","question_text":"Is the vendor subject to any foreign laws, regulations, or government directions that could require disclosure of data, cooperation with foreign authorities, or modification of services?","answer":"Possible jurisdictional compulsion exposure remains unresolved in the foreign parent jurisdiction. The operator has not yet accepted the supplier's legal exposure treatment position.","confidence":81,"evidence_refs":["external legal review","jurisdiction memorandum","supplier legal response"],"verified":true},{"question_id":"INF-02","question_text":"Does the vendor have existing relationships with foreign government agencies, military organisations, or state-affiliated research institutions?","answer":"The foreign parent maintains strategic government and regulated-sector relationships in its home market, increasing sensitivity around foreign influence and legal responsiveness.","confidence":73,"evidence_refs":["parent company disclosures","market engagement summary"],"verified":false},{"question_id":"EXP-01","question_text":"What Australian government data, systems, or infrastructure will the vendor have access to or process under this procurement?","answer":"The service would operate inside an Australian critical infrastructure environment handling OFFICIAL:Sensitive operational communications, network telemetry, and privileged incident workflows.","confidence":93,"evidence_refs":["scope schedule","security classification note","operational topology pack"],"verified":true},{"question_id":"EXP-02","question_text":"What are the consequences if the vendor is directed by a foreign government to modify, disable, or expose the systems being procured?","answer":"Operational dependency risk is material. Loss of service, misuse of privileged access, or parent-directed interference could affect availability, change control, and trusted response operations.","confidence":89,"evidence_refs":["consequence analysis","operational dependency assessment","resilience note"],"verified":true},{"question_id":"JUR-01","question_text":"Which foreign legal, regulatory, or contractual obligations could compel access, disclosure, or operational direction affecting the assessed system?","answer":"The contracted entity is Australian, but the parent control chain and supporting offshore vendor relationship create unresolved foreign jurisdiction exposure across the managed service path.","confidence":84,"evidence_refs":["corporate structure map","jurisdiction treatment note"],"verified":true},{"question_id":"DEP-01","question_text":"What critical supplier, infrastructure, or service dependencies could propagate disruption if this supplier or service path fails, degrades, or is restricted?","answer":"Operational dependency remains concentrated in supplier-managed tooling, offshore specialist support, and a foreign-maintained software component required for service continuity.","confidence":87,"evidence_refs":["dependency register","continuity plan","service design pack"],"verified":true}]},"assessment":{"assessment_id":"08342871-14f5-4240-8f73-9770465d144d","case_id":"demo-managed-network-supplier-risk","jurisdiction_findings":"The contracted entity is Australian, but foreign parent governance and the supporting offshore vendor relationship create unresolved jurisdictional exposure across the managed service path.","ownership_findings":"Foreign parent exposure remains material through licensing, financing, governance rights, and parent-appointed decision influence affecting the Australian operating entity.","control_findings":"Standing offshore privileged access exists for specialist support. Access is fully logged and restricted to a defined support enclave, but remains persistently enabled, and supplier-managed tooling retains operational influence over configuration, telemetry, and incident response workflows.","influence_findings":"Parent-appointed governance, foreign market relationships, and unresolved jurisdictional exposure create a credible pathway for foreign influence over strategic and technical decisions.","exposure_findings":"The supplier presents a high-risk managed services posture because foreign parent exposure, standing offshore privileged access, OFFICIAL:Sensitive operational exposure, and concentrated service dependency remain unresolved within the proposed operating model.","risk_drivers":["Foreign parent governance and platform dependence","Standing offshore privileged access","Operational dependency on supplier-managed tooling and offshore support","OFFICIAL:Sensitive exposure inside a critical infrastructure environment","Unresolved jurisdictional exposure in the parent control chain"],"overall_risk_level":"high","overall_risk_score":71,"reason_code_version":"v1","reason_group_order":["hard_overrides","primary_risk","contextual_risk","mitigations","outcome"],"driver_priority_order":["hard_overrides","primary_risk","contextual_risk","mitigations"],"reason_codes":["OVERRIDE_STANDING_OFFSHORE_PRIVILEGED_ACCESS","RISK_STANDING_OFFSHORE_PRIVILEGED_ACCESS","EXPOSURE_GOVERNMENT_ENVIRONMENT","DEPENDENCY_INDIRECT_FOREIGN","MITIGATION_DOMESTIC_JURISDICTION","MITIGATION_BOUNDED_OFFSHORE_SUPPORT","BAND_HIGH"],"reason_code_groups":{"hard_overrides":["OVERRIDE_STANDING_OFFSHORE_PRIVILEGED_ACCESS"],"primary_risk":["RISK_STANDING_OFFSHORE_PRIVILEGED_ACCESS"],"contextual_risk":["EXPOSURE_GOVERNMENT_ENVIRONMENT","DEPENDENCY_INDIRECT_FOREIGN"],"mitigations":["MITIGATION_DOMESTIC_JURISDICTION","MITIGATION_BOUNDED_OFFSHORE_SUPPORT"],"outcome":["BAND_HIGH"]},"primary_decision_drivers":["OVERRIDE_STANDING_OFFSHORE_PRIVILEGED_ACCESS"],"confidence":84,"confidence_basis":"Corroborated by corporate structure records, privileged-access design, service dependency mapping, and jurisdictional legal review.","assessed_at":"2026-04-28T18:20:02.524098+00:00","detail_findings":[{"domain":"ownership","finding":"Foreign parent exposure remains material through licensing, governance rights, and capital dependence.","evidence":"beneficial ownership register","risk_contribution":"high","source_quality":3},{"domain":"control","finding":"Standing offshore privileged access exists for specialist support functions.","evidence":"privileged access matrix","risk_contribution":"high","source_quality":3},{"domain":"influence","finding":"Parent-appointed governance allows the foreign parent to influence strategic and technical decisions.","evidence":"shareholders deed","risk_contribution":"high","source_quality":3},{"domain":"exposure","finding":"Operational dependency remains concentrated in supplier-managed tooling and offshore support inside an OFFICIAL:Sensitive environment.","evidence":"operational dependency assessment","risk_contribution":"high","source_quality":3}]},"directive":{"directive_id":"9e050d47-0079-47d8-a25a-e4dc9e0a2d5a","case_id":"demo-managed-network-supplier-risk","decision":"escalate","reason_code_version":"v1","reason_group_order":["hard_overrides","primary_risk","contextual_risk","mitigations","outcome"],"driver_priority_order":["hard_overrides","primary_risk","contextual_risk","mitigations"],"reason_codes":["OVERRIDE_STANDING_OFFSHORE_PRIVILEGED_ACCESS","RISK_STANDING_OFFSHORE_PRIVILEGED_ACCESS","EXPOSURE_GOVERNMENT_ENVIRONMENT","DEPENDENCY_INDIRECT_FOREIGN","MITIGATION_DOMESTIC_JURISDICTION","MITIGATION_BOUNDED_OFFSHORE_SUPPORT","BAND_HIGH","DECISION_ESCALATE"],"reason_code_groups":{"hard_overrides":["OVERRIDE_STANDING_OFFSHORE_PRIVILEGED_ACCESS"],"primary_risk":["RISK_STANDING_OFFSHORE_PRIVILEGED_ACCESS"],"contextual_risk":["EXPOSURE_GOVERNMENT_ENVIRONMENT","DEPENDENCY_INDIRECT_FOREIGN"],"mitigations":["MITIGATION_DOMESTIC_JURISDICTION","MITIGATION_BOUNDED_OFFSHORE_SUPPORT"],"outcome":["BAND_HIGH","DECISION_ESCALATE"]},"primary_decision_drivers":["OVERRIDE_STANDING_OFFSHORE_PRIVILEGED_ACCESS"],"justification":"Decision basis: High-risk posture (score: 71/100). Risk posture exceeds the conditional approval envelope due to foreign parent governance and platform dependence, standing offshore privileged access, and operational dependency on supplier-managed tooling and offshore support. Escalation is required before award, deployment, or scope progression.","conditions":["No contract execution before designated authority accepts the foreign ownership, offshore access, and jurisdictional exposure treatment position.","Before award, the supplier must present a control design that removes standing offshore privileged access from production operations.","Before contract execution, all privileged administration, change approval, and service restoration pathways must be re-based under Australian dual-control governance.","Before service commencement, the operator must approve a dependency containment plan covering supplier-managed tooling, remote support, and parent-controlled maintenance workflows.","Monitoring cadence is quarterly for the first 12 months, then six-monthly if no material adverse change occurs."],"restrictions":["No live offshore privileged administration on operational management planes.","No supplier-led change implementation in production without Australian dual-control approval and session capture.","No scope expansion into higher-classified or more safety-critical environments until reassessment is complete."],"required_mitigations":["Restructure the support model so offshore intervention is exceptional, time-bounded, and operator-approved.","Implement Australian-controlled bastion access, session recording, and immutable audit logging across all privileged actions.","Insert contractual disclosure obligations for ownership, control, subcontractor, and jurisdictional exposure changes within 5 business days.","Maintain an operator-approved fallback continuity plan for supplier service withdrawal, parent interference, or legal disruption affecting the managed service path."],"issued_at":"2026-04-28T18:20:02.524164+00:00","confidence":79,"escalation_required":true,"escalation_authority":"Attorney-General's Department","review_trigger":"Any ownership/control change, change in offshore access design, new legal exposure, or material change in service dependency requires reassessment before continued use."},"enforcement":{"enforcement_id":"b2ba821a-bf27-47a8-aa72-c9bca7631737","case_id":"demo-managed-network-supplier-risk","contract_controls":["Embed designated-authority approval as a condition precedent to contract execution.","Require supplier disclosure of ownership, board, subcontractor, and jurisdictional exposure changes within 5 business days.","Reserve audit rights over privileged access records, support workflows, and dependency assurance evidence."],"technical_controls":["Remove standing offshore privileged access from production management planes.","Apply Australian-controlled bastion access, dual approval, and session recording for any exceptional support intervention.","Retain immutable logging for privileged actions, maintenance sessions, and change activity across the managed service path."],"deployment_constraints":["Do not connect the managed service to broader operational environments until authority review is complete.","Do not expand supplier scope, remote support rights, or parent-administered tooling without reassessment."],"handling_requirements":["Circulate the case record only to operator, procurement, security, and legal personnel with operational need to know.","Maintain the full evidence pack, dependency analysis, and control design response for audit and contract governance."],"effective_at":"2026-04-28T18:20:02.524190+00:00","enforcement_owner":"demo"},"monitoring":{"monitoring_id":"54454697-503a-424d-8a50-704a1e05c1ae","case_id":"demo-managed-network-supplier-risk","review_due_at":"2026-07-27T18:20:02.524203+00:00","trigger_conditions":["Quarterly control attestation and review for the first 12 months","Any change in beneficial ownership or parent control rights","Any restoration or expansion of offshore privileged access","Any change to supplier-managed tooling, external software dependency, or service continuity architecture","Any new foreign legal or regulatory action affecting the parent or supporting offshore vendor"],"last_reviewed_at":null,"change_events":[],"created_at":"2026-04-28T18:20:02.524222+00:00"},"procurement_brief":{"title":"Managed Network Services Supplier Procurement Risk Assessment","subject":"Managed Network Services Supplier (Anonymised)","summary":"High-risk supplier. Escalation required due to foreign parent governance and platform dependence, standing offshore privileged access, and operational dependency on supplier-managed tooling and offshore support.","assessment_outcome":"What is being assessed: Managed Network Services Supplier (Anonymised) for Managed network monitoring, incident support, and configuration services for operational communications infrastructure in a critical infrastructure environment\nWhy it matters: the service would operate in an OFFICIAL:Sensitive critical infrastructure environment with access to operational communications, telemetry, and privileged response workflows.\nRisk level: High\nRisk score: 71/100\nConfidence: 84\nDecision: Escalate\nContract execution position: do not execute until the pre-contract conditions, mandatory mitigations, and authority requirements recorded in this brief are satisfied.","key_risks":["Foreign parent governance and platform dependence","Standing offshore privileged access","Operational dependency on supplier-managed tooling and offshore support","OFFICIAL:Sensitive exposure inside a critical infrastructure environment","Unresolved jurisdictional exposure in the parent control chain"],"decision":"Escalate","required_controls":["No contract execution before designated authority accepts the foreign ownership, offshore access, and jurisdictional exposure treatment position.","Before award, the supplier must present a control design that removes standing offshore privileged access from production operations.","Before contract execution, all privileged administration, change approval, and service restoration pathways must be re-based under Australian dual-control governance.","Before service commencement, the operator must approve a dependency containment plan covering supplier-managed tooling, remote support, and parent-controlled maintenance workflows.","Monitoring cadence is quarterly for the first 12 months, then six-monthly if no material adverse change occurs.","No live offshore privileged administration on operational management planes.","No supplier-led change implementation in production without Australian dual-control approval and session capture.","No scope expansion into higher-classified or more safety-critical environments until reassessment is complete."],"mandatory_mitigations":["Restructure the support model so offshore intervention is exceptional, time-bounded, and operator-approved.","Implement Australian-controlled bastion access, session recording, and immutable audit logging across all privileged actions.","Insert contractual disclosure obligations for ownership, control, subcontractor, and jurisdictional exposure changes within 5 business days.","Maintain an operator-approved fallback continuity plan for supplier service withdrawal, parent interference, or legal disruption affecting the managed service path."],"enforcement_requirements":["Embed designated-authority approval as a condition precedent to contract execution.","Require supplier disclosure of ownership, board, subcontractor, and jurisdictional exposure changes within 5 business days.","Reserve audit rights over privileged access records, support workflows, and dependency assurance evidence.","Remove standing offshore privileged access from production management planes.","Apply Australian-controlled bastion access, dual approval, and session recording for any exceptional support intervention.","Retain immutable logging for privileged actions, maintenance sessions, and change activity across the managed service path.","Do not connect the managed service to broader operational environments until authority review is complete.","Do not expand supplier scope, remote support rights, or parent-administered tooling without reassessment.","Circulate the case record only to operator, procurement, security, and legal personnel with operational need to know.","Maintain the full evidence pack, dependency analysis, and control design response for audit and contract governance."],"monitoring":["Review due: 27 July 2026.","Quarterly control attestation and review for the first 12 months","Any change in beneficial ownership or parent control rights","Any restoration or expansion of offshore privileged access","Any change to supplier-managed tooling, external software dependency, or service continuity architecture","Any new foreign legal or regulatory action affecting the parent or supporting offshore vendor"],"escalation_authority":"Attorney-General's Department"}}