Right Fit for Risk (RFFR) is an Australian Government framework developed to ensure that suppliers handling government data meet appropriate security requirements. It provides a baseline level of assurance that organisations are capable of protecting sensitive information when delivering goods or services to government agencies.
RFFR is closely tied to the Essential Eight cyber security strategies, requiring businesses to demonstrate that they meet minimum technical and procedural standards. The Essential Eight can be seen as the practical control set used to operationalise RFFR’s objectives: RFFR is the high-level policy requirement, while the Essential Eight provides the technical controls that suppliers must adopt.
A full list of the Essential Eight controls and their maturity levels can be accessed directly from the Australian Cyber Security Centre (ACSC) website. The ACSC publishes detailed guidance on each control, including:
Application control
Patch applications
Configure Microsoft Office macro settings
User application hardening
Restrict administrative privileges
Patch operating systems
Multi-factor authentication (MFA)
Regular backups
These eight controls form the foundation of RFFR compliance and are updated periodically by the ACSC to reflect changes in the threat landscape.
The Australian Government developed RFFR to address a critical problem: supply chain risk. Even if agencies implement strong security internally, vulnerabilities often exist in third parties that handle sensitive data or provide IT services. RFFR was created to:
Strengthen trust between government agencies and suppliers.
Establish a clear, enforceable baseline for suppliers.
Reduce the likelihood of breaches originating from third-party providers.
Align supplier obligations with existing frameworks like the Essential Eight.
Businesses should take RFFR seriously if they:
RFFR is generally a pass/fail requirement. Unlike frameworks such as SMB1001 or ISO 27001, it does not have multiple certification levels. Instead, suppliers must demonstrate that they meet the required controls, often through documentation, self-assessment, or evidence submission. Some contracts may require additional verification or independent assurance.
ISO 27001 is structured around three key pillars:
Governance & Policy – Clear management responsibility and documented information security policies.
Risk Management – Identifying, assessing, and mitigating information security risks.
Controls & Continuous Improvement – Implementation of 114 controls across areas such as access control, incident response, business continuity, and system acquisition.
Certification requires third-party audits, demonstrating that the organisation’s ISMS is functioning effectively.
| Feature | RFFR | Essential Eight |
| --- | --- | --- |
| Purpose | Baseline for government supplier | Australian cyber defence baseline |
| Scope | 114 security controls | 8 technical controls |
| Levels | Pass or Fail | 4 maturity levels (0-3) |
| Certification | Assurance requirement, not a framework | Yes (Bronze to Diamond) |
| Target Audience | Government contractors | Any Australian business |
| Audit/Recognition | Assurance requirement | External Assessment (Emerging IT) |
RFFR is the minimum threshold for suppliers; Essential Eight is the broader maturity pathway.
| Feature | RFFR | SMB1001 |
| --- | --- | --- |
| Purpose | Baseline for government supplier | Full Cyber Security maturity roadmap for SMBs |
| Scope | 114 security controls | Technical, governance, training, policy, risk management |
| Complexity | Pass or Fail | 5 certification tiers |
| Certification | Assurance requirement, not a framework | Yes (Bronze to Diamond) |
| Target Audience | Government contractors | Small-to-medium businesses |
| Audit/Recognition | Assurance requirement | Self-attestation and external audit (Platinum & Diamond) |
RFFR sets a baseline; SMB1001 provides a pathway.
| Feature | RFFR | ISO 27001 |
| --- | --- | --- |
| Purpose | Baseline for government supplier | Global ISMS standard |
| Scope | 114 security controls | Governance, policies, risk, and technical controls |
| Levels | Pass or Fail | High (documentation-heavy, global scope) |
| Certification | Assurance requirement, not a framework | Yes, via third-party audits |
| Target Audience | Government contractors | Global enterprises, SaaS, and regulated industries |
| Audit/Recognition | Assurance requirement | External audit |
RFFR ensures minimum compliance for Australian government supply chains; ISO 27001 demonstrates global assurance.
Conduct a Gap Assessment – Review current practices against the controls.
Remediate Weaknesses – Implement patching, MFA, access controls, and backup policies.
Strengthen Governance – Establish policies, assign roles, and ensure accountability.
Document Compliance – Keep evidence of controls and procedures for government assurance.
Plan for Growth – Use RFFR as a stepping stone to SMB1001 or ISO 27001 for broader credibility.
Too often, businesses see RFFR as a box-ticking exercise. But in reality, it represents a shift in government expectations that has broader implications for the entire SMB ecosystem:
Competitive Differentiator – Companies that achieve RFFR alignment early can stand out in procurement processes.
Pathway to Growth – RFFR readiness often overlaps with Essential Eight and SMB1001 requirements, positioning SMBs for higher certifications later.
Raising the Baseline – By pushing all suppliers to meet a standard, the government is effectively lifting the cyber security maturity of the broader economy.
Insurance & Investor Confidence – Meeting RFFR strengthens trust with insurers, investors, and partners beyond government.
The future of procurement is clear: cyber security maturity will become as important as price and service quality in winning contracts.
We support SMBs and suppliers by:
Mapping existing practices to RFFR requirements.
Implementing the Essential Eight technical controls.
Strengthening governance, access control, and monitoring.
Preparing documentation to demonstrate RFFR assurance.
Providing pathways to higher maturity frameworks like SMB1001 and ISO 27001.
By working with us, businesses don’t just achieve RFFR compliance—they build a foundation for long-term cyber resilience and competitive advantage.
Is RFFR mandatory for all government contracts?
Yes, for suppliers handling sensitive data or IT systems. Requirements may vary by agency and contract type.
How does RFFR relate to Essential Eight?
RFFR uses the Essential Eight as the baseline set of technical controls. Essential Eight is the “how” behind RFFR’s policy requirements.
Do small businesses need to comply?
Yes, if they supply to the government or subcontract to a government supplier. Even small IT vendors must demonstrate alignment.
How much does RFFR compliance cost?
Costs vary depending on existing maturity. For many SMBs, the investment is primarily in implementing Essential Eight controls.
Can RFFR controls be reused for ISO 27001 or SMB1001?
Yes, RFFR is a strong foundation. Many controls overlap with higher-level frameworks, making future certifications easier.
The Right Fit for Risk (RFFR) framework is more than a compliance hurdle—it’s a strategic opportunity for SMBs. By aligning with RFFR, businesses can access government contracts, enhance their security posture, and establish credibility with clients and partners.
For SMBs with ambitions to grow, RFFR should be seen as the first step in a cyber security maturity journey, one that can lead to higher certifications like SMB1001 and ISO 27001 and position your organisation as a trusted, secure partner.