Skip to main content

Log in with RealMe

To access the Procurement online service, you need a RealMe login. If you've used a RealMe login somewhere else, you can use it here too. If you don't already have a username and password, just select "Log in" and choose to create one.

What's RealMe?

To log in to this service you need a RealMe login.

This service uses RealMe login to secure and protect your personal information.

RealMe login is a service from the New Zealand government that includes a single login, letting you use one username and password to access a wide range of services online.

Find out more at www.realme.govt.nz.

Rule 26:
Managing national security risks

Primary requirement

  1. Agencies must manage national security risks in their procurement.

Application

  1. Agencies must conduct a risk assessment using the tool below to identify national security risks when planning their procurement.
  2. Agencies must consider excluding a supplier from participation if they pose a threat to national security or the confidentiality of sensitive government information (Rule 28.2.i).

More information

Managing national security risks in Collaborative contracts

If all or part of a risk assessment has been completed by the lead agency of a Collaborative contract (All-of-Government, Common Capability and syndicated), purchasing agencies can rely on this. An agency should complete any part of the risk assessment that the lead agency has not completed.

Risk assessment tool for managing national security risks in procurement

This risk assessment tool supports agencies to identify and manage national security risks in procurement.

It will help you to identify where a material risk to national security might be and what you should do to mitigate or manage it.

If you answer 'Yes' to any question, proceed through the guidance linked at the bottom of the page. You can document your application of this guidance in any way that best suits your agency.

  • 1
    Will the contract give the supplier access to, or control of:

    Sensitive premises, for example,

    • facilities used to hold, or access classified information
    • control rooms
    • laboratories or other research facilities
    • areas where individuals are working on matters related to New Zealand’s domestic, foreign, security, or defence policy

    Bulk or sensitive data holdings, for example,

    • information on a large number of New Zealanders
    • information classified as "restricted" or above
    • information on a group of sensitive category individuals
    • research or other kinds of valuable intellectual property
    • government priorities where the information could be exploited to the detriment of New Zealand or New Zealanders
    • sensitive networks, for example, government or university IT networks

    Critical services, for example,

    • services provided by lifeline utilities (essential infrastructure services such as water, transport, energy etc)
    • government services such as tax collection, welfare provision or health and emergency services  

    Proximate access (line of sight over, or into) to sensitive Government sites, such as defence installations or facilities used to hold or access classified information.

    If the answer is ‘no’, this contract is unlikely to raise material national security risks, regardless of the supplier.

    If the answer is ‘yes’ to any of these, move on to question 2.

  • 2
    Is it NOT possible to adequately avoid or mitigate the security risks associated with this control or access?

    For example:

    • You cannot put physical or digital barriers in place that limit access to the sensitive material, premises, or networks?
    • You cannot limit the individuals that have access to the sensitive material to named and known individuals, or require a Police or other security check before giving access?

    If the answer is ‘no’, this contract is unlikely to raise material national security risks – irrespective of the supplier.

    If the answer is ‘yes’, you should consider the response to question 3.

  • 3(a)
    Is the supplier (A) potentially going to act in a way that is contrary to New Zealand’s national security interests?

    Consider, is A owned or controlled by a foreign state? Meaning, does a foreign state (including through sovereign wealth funds) have:

    • More than 25% of any class of A’s securities?
    • The power to control the composition of more than 25% of A’s governing body (for example, Board)?
    • The right to exercise or control the exercise of more than 25% of the voting power at a meeting of A?
    • The legal right to direct A to undertake activities consistent with the relevant foreign state’s strategic security objectives?

    If the answer is ‘yes’, this increases the risk of this supplier.

    Potential mitigations

    If national ownership is through a wealth (or other type of investment) fund, does the relevant foreign state exercise control over the entity? Or are there appropriate limitations to ensure that no foreign state or government can influence individual investment decisions, or the management of individual investments, other than on commercial terms?

    If there are limitations on control and influence, this reduces the risk of this supplier.

    If there are connections to a foreign state, is this state likely to pose a national security risk to New Zealand?

  • 3(b)
    Are the suppliers in the supplier’s supply chain (B) likely to act in a way contrary to New Zealand’s national security interests?

    Consider:

    • Does B have access to or control over A’s physical or digital assets?
    • If so, can this be used to gain access to or control over your assets?
    • If so, is B owned or controlled or influenced by a foreign state (determined with reference to the matters discussed in question 3(a))?

    Potential mitigations

    Can B’s access to you be limited contractually? For example, requirements for A to use an alternative supplier as a condition of the contract, or for B to not have access to information on the services provided to the procurer?

    If the answer to question 3(a) and 3(b) is ‘no’, this contract is unlikely to raise material national security risks.

    If, the answer is ‘yes’ and there are not appropriate mitigations in place or available, this supplier could pose a risk to New Zealand’s national security.

    Read the guidance.
Top