The Operational Security Framework (OSF) applies to software products or digital services that read, store, modify or route any
taxation, accounting, payroll, business registry or superannuation data that connects directly or indirectly to the ATO.
It may also apply to the following:
- DSPs or users of software who customise key components of a commercial product
- Non-commercial / in-house products or services
- Products or services producing a .CSV file
API Risk Rating
The OSF is divided into five categories based on the service a DSP is providing and the risk of the APIs that they are accessing. The
risk rating of the ATO's APIs can be found
The OSF requirements apply differently depending on which categories your products or services fall under, which APIs they access and the number of unique client records. Please refer to pages 12 - 14 of the OSF requirements document for more information.