The process of accrediting external IT systems and Providers to protect against cyber threats.
The Department is responsible for protecting information and data collected and stored in the administration of its programs, including when programs are delivered with the assistance of external Providers and when external IT systems interact with the Department’s IT systems. To ensure sensitive information is collected, stored and managed securely, the Department requires all contracted Providers and vendors of external IT systems interacting with the Department’s IT systems to meet and comply with certain requirements in relation to IT security.
The Department’s Right Fit For Risk (RFFR) Accreditation signifies that a Provider or external IT system has met these requirements. The Department uses its own RFFR assurance approach to assess and accredit Providers and external IT systems.
Learn about the accreditation overview process including:
- The Department’s accreditation program
- The Right Fit For Risk process
- The process and requirements to maintain accreditation
- RFFR’s approach to classifying Providers into categories
- Core expectations to maintain and enhance security posture
- Accredited Third Party Employment and Skills (TPES) systems
- RFFR accreditation resources
Announcements
RFFR Statement of Applicability (SoA) template updated – June 2025.
Changes from the previous version are listed in the 'Info' tab of the template.
Can I use Artificial Intelligence (AI)?
We recognise the potential of Artificial Intelligence (AI) capabilities to enhance service delivery and support better outcomes for individuals and communities. The department is taking a proactive yet cautious approach to ensure AI is used safely, securely, and ethically. To ensure safe and responsible use of AI, the department has developed a suite of resources and processes for third-party organisations seeking to use AI in the delivery of contracted services.
AI use must be explicitly approved under the Third-Party AI Assessment Framework. Following approval, it will be embedded within the Right Fit for Risk (RFFR) accreditation and maintenance lifecycle.
Before using AI, your organisation must:
- Review the Third-Party AI Assessment Framework for eligibility, obligations, and the application process.
- If suitable, submit a formal application using the Third-Party AI Assessment Application Form.
- Ensure any AI used for other business purposes is isolated and inaccessible from the department’s service delivery systems and data. If isolation cannot be guaranteed, AI must not be used until approved by the department.
For further information, please visit Artificial Intelligence at DEWR.