Maritime security in Australia is the system of mandatory security plans, identity checks and graduated security levels that applies to ports, port facilities, regulated ships and offshore facilities under the Maritime Transport and Offshore Facilities Security Act 2003. It is administered by the Department of Home Affairs through the Cyber and Infrastructure Security Centre and aligns with the international ISPS Code. This page sets out who must comply, what the regime requires, and how it is changing under the 2025 transport security reforms.
Who must comply with the MTOFSA?
Maritime security in Australia operates under the Maritime Transport and Offshore Facilities Security Act 2003 and the Maritime Transport and Offshore Facilities Security Regulations 2003. The regime is administered by the Department of Home Affairs, supported by the Cyber and Infrastructure Security Centre.
The Act applies to maritime industry participants, a group that includes port operators, port facility operators, ship operators for regulated Australian ships, and offshore facility operators. Participants in scope must hold and comply with an approved security plan, and the framework is designed to align with the International Ship and Port Facility Security (ISPS) Code.
What do maritime security plans and security zones require?
A maritime, ship or offshore facility security plan is the central compliance document. It sets out the security measures, roles and procedures a participant will maintain, and it must be approved and kept current as operations and risks change.
Maritime security zones are defined areas on and around ports, ships and offshore facilities where access is controlled. They allow operators to separate sensitive areas from public areas, and to apply screening, escorting and monitoring where the risk warrants it.
What are the MSIC and MARSEC security levels?
The Maritime Security Identification Card (MSIC) is a nationally consistent card confirming that the holder has met the minimum background checking requirements to work unescorted in a maritime security zone. The background check is conducted through AusCheck and includes a criminal history check by the Australian Federal Police and a security assessment by the Australian Security Intelligence Organisation. An MSIC is not an access control card, and it does not by itself grant entry to any facility.
MARSEC security levels (1, 2 and 3) set the baseline security posture across the maritime sector. As the level rises, participants apply additional measures set out in their security plans. The levels correspond to the security levels used under the ISPS Code, so Australian arrangements line up with international shipping.
How is maritime security regulation changing?
The Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025 amended the MTOFSA to introduce a risk-based, all-hazards approach that aligns more closely with the model used under the Security of Critical Infrastructure Act. The Department of Home Affairs is developing amendments to the Regulations to give effect to the changes.
For operators, the shift is from a prescriptive, access-focused regime toward an outcomes-focused one that addresses a broader set of hazards. Sound security risk management is the practical way to prepare, because it identifies which controls matter most under the new model.
How does Agilient support maritime operators?
Agilient is an independent, vendor neutral security and risk consultancy. For maritime clients, engagements usually begin with a security risk assessment that establishes the threat and risk picture for a port, facility or fleet and points to the controls that matter most under the MTOFSA.
From there, Agilient supports maritime and facility security plan development, protective security advice, and security audits that test compliance and readiness. The underlying method is set out on the security risk management pillar. Because the firm is not tied to any product or installer, advice reflects what the risk and the framework require.
Plan your MTOFSA compliance with confidence
Speak with Agilient about your maritime security obligations, from security plans and zones to the MSIC and the 2025 reforms. The usual first step is a security risk assessment mapped to the MTOFSA.
Frequently asked questions
What is the MTOFSA?
Who needs a maritime security plan?
What is an MSIC and who needs one?
What are MARSEC security levels?
How is maritime security regulation changing?
- Department of Home Affairs, Cyber and Infrastructure Security Centre, Maritime security, cisc.gov.au
- Federal Register of Legislation, Maritime Transport and Offshore Facilities Security Act 2003 and Regulations 2003, legislation.gov.au
- AusCheck, Maritime Security Identification Card, auscheck.gov.au
- Federal Register of Legislation, Transport Security Amendment (Security of Australia’s Transport Sector) Act 2025, legislation.gov.au
- International Maritime Organization, International Ship and Port Facility Security (ISPS) Code, imo.org