Home Affairs has mandated that the entire public service carry out an audit of all internet-facing systems and devices to flush out security threats.
The directive was issued under the Protective Security Policy Framework, the same framework which was used to ban TikTok on government devices last year.
Cyber security experts say the new directives would have the same broad application across the public service, with changes likely to be in the way older devices are used and current work from home arrangements.
Palo Alto Networks' Sarah Sloan said this was where malicious actors could get into secure systems.
"Anyone with a credit card could set up an AWS instance, a Microsoft instance or some kind of cloud instance that they may not have informed the security teams that it exists, and because they don't know it exists, no one's patching, maintaining or keeping that up to date," she said.
The three directives specifically mandate Australian government entities to share cyber threats with the Australian Signals Directorate, conduct a technology asset stock take on all internet-facing devices and identify indicators of foreign ownership, control or influence risk in the procurement and maintenance of technology assets.
Ms Sloan said some of this would not be new, with Home Affairs acknowledging that many entities already report cyber threats to ASD, but that other directives would be a "step change" for the public sector.
"This is the first time the Australian government has talked about the importance of having continuous monitoring of those internet-facing assets," she said.
"If you're standing still on cyber, you're going backwards."
The directives were made public the day prior to ASD releasing a detailed report into a Chinese state-backed cyber group APT40 breaching the security of multiple Australian entities.
The report outlined that older devices and work from home set ups allowed the hackers entry into corporate cyber systems.
Ms Sloan said the report made clear that cyber systems needed to be constantly updated to remain secure.
"We continue to see a range of actors targeting Australian networks, government and critical infrastructure across cybercrime and nation states," she said.
"The scale and sophistication of cyber threats targeting Australia are only increasing so there's definitely a need for Australia to take an iterative approach to how we manage and combat those cyber threats and I think these directives fall into that group."
