Disclaimer: This section is for information only. Please contact the Regulatory Unit at ticsa@ncsc.govt.nz for specific questions about preparing your notification.
Receipt of proposal
We will acknowledge receipt of your proposal within three working days.
We aim to complete the assessment within 20 working days if all the information necessary was provided in your notification. If we have questions or need more information, we will stop the clock while we wait for your response.
Note that you must not start work on the change until we have completed the assessment.
Review and outcomes of a proposal
When reviewing proposals, we consider the factors outlined in section 50(1) of the Telecommunications (Interception Capability and Security) Act 2013.
After our assessment, there are two possible outcomes.
- If we consider the proposal will not raise a network security risk that is more than minimal, you will be advised in writing and may proceed with the proposal.
- If we consider the proposal will raise a network security risk that is more than minimal, we will notify you in writing. You must not implement the proposal.
What to do if a proposal raises a network security risk(s)
Depending on the level of classification and whether you have security cleared representatives, we will provide as much information as we can to you about the network security risk to help you understand our decision.
If you have been advised that a proposal will raise a network security risk(s), you have two options:
- respond to the NCSC as soon as practicable with a plan to prevent or sufficiently mitigate the network security risk, or
- withdraw the notification.
To sufficiently mitigate means to reduce the risk to an acceptable level and does not necessarily require that it be reduced to a minimal level, although that may be the only acceptable level regarding some risks.
Submitting a risk mitigation plan
If you choose to submit a risk mitigation plan, the Director-General of the Government Communications Security Bureau (GCSB) will assess whether your plan prevents or sufficiently mitigates the risk, and we will notify you of the outcome in writing.
Proposals should be sent to ticsa@ncsc.govt.nz.
If your plan prevents or mitigates the network security risk(s)
If the Director-General is satisfied that your plan prevents or sufficiently mitigates the network security risk(s) identified in the proposal, we will advise you of this and you can implement the proposal if the mitigation measures are also implemented (section 53 of TICSA).
If your plan does not prevent or mitigate the network security risk(s)
If the Director-General is not satisfied that the mitigation plan will prevent or sufficiently mitigate the network security risk, they may decide not to accept your proposal, or part of it.
If the network security risk is significant
If the Director-General identifies a significant network security risk and they are not satisfied with the mitigation proposal, they must decide whether to refer the matter to the Minister responsible for the GCSB. Before the Director can do so, the Commissioner of Intelligence Warrants will carry out a review to confirm that this risk exists or may arise.
A copy of that decision will be provided to both you and the Director-General.
The Minister responsible for the GCSB may make a direction requiring you to take steps to prevent or sufficiently mitigate the network security risk.
If the Director-General decides not to refer the matter to the Minister, you will be notified in writing of this and can proceed to implement your proposal.
At any stage in the process, you may withdraw your proposal.
Related information
Download the TICSA Notification of Proposal template [DOCX, 107 KB]