Three Providers Complete IRAP Assessments for Rules as Code Delivery
Government panel supplier Salsa Digital has completed an IRAP assessment of its Rules as Code service against Australian Government Information Security Manual controls for OFFICIAL: Sensitive information. The company announced the assessment on 6 July 2026 and said an accredited Infosec Registered Assessors Program assessor conducted it. Assemblic, the Rules as Code application platform, and QuantCDN, the underlying hosting platform, have completed separate assessments against controls for the same information classification.
Australian Signals Directorate guidance states that IRAP assessors do not accredit, certify, endorse, or register systems. Separate cloud assessment and authorisation guidance says consumers use assessment reports to determine whether services meet their security requirements and risk tolerances. Agencies therefore remain responsible for reviewing the applicable scope, findings, control effectiveness, and residual risk before authorising a particular implementation.
Phillipa Martin, Rules as Code practice lead at Salsa Digital, provided further details in written responses to The DropTimes. She said Salsa Digital’s assessment covered its Rules as Code practice from project management through development practices. The scope also included its service desk for Rules as Code support, its DevOps capability for Drupal hosting, and its central security governance functions.
Martin said shared corporate control systems, including identity and access management, source-code management, and continuous integration and deployment pipelines, were also examined. Supporting functions such as finance, marketing, human resources, and general administration formed part of the scope. These details expand the public description of the assessment but do not disclose individual control findings.
Salsa Digital describes the service as a layered model with responsibilities divided among three providers. QuantCDN supplies managed cloud infrastructure, networking, platform operations, and foundational security controls. Assemblic operates above that foundation as the application platform for OpenFisca coding and hosting, with its own application security, tenancy, operational, and service-specific controls.
Salsa Digital provides the delivery and operational services surrounding those platforms, including project delivery, software development, application operations, incident management, support, DevOps, and government-focused security governance. The company said the separately assessed components are intended to operate as a connected delivery chain spanning solution development, hosting, operations, incident response, and ongoing support.
For government agencies, this means they’re not simply procuring a secure application or hosting platform; they’re engaging an independently assessed ecosystem of organisations, platforms and operational services that have been designed to work together to deliver Rules as Code securely in government environments.
That description represents Salsa Digital’s interpretation of how the separately assessed components work together. The public announcement and written responses do not include the assessment reports, control matrices, findings, or residual-risk statements. They also do not establish identical assessment scopes or a single assessment boundary across Salsa Digital, Assemblic, and QuantCDN.
For agencies using Drupal, Salsa Digital said Salsa Hosting runs on QuantCDN’s assessed cloud platform and applies the same information-security governance framework, operational processes, DevOps practices, and security governance used for its Rules as Code delivery. In the described arrangement, QuantCDN provides the cloud foundation, Assemblic supplies the Rules as Code platform, and Salsa Digital manages Drupal hosting, application operations, support, and government-specific delivery. Agencies can host a Drupal frontend alongside the Rules as Code capability within that operating model, while remaining responsible for deciding whether the evidence and allocation of responsibilities suit their intended deployment.
Rules as Code converts legislation, regulation, and public policy into machine-readable logic that software can evaluate. Agencies can use the approach for eligibility checks, compliance decisions, benefit calculations, and other decisions based on formal rules. Encoding the rules can support more consistent calculations, reduce repeated manual interpretation, and allow services to respond more quickly when legislation or policy changes.
Rules as Code can also support policy modelling before a change reaches a live public service. Teams can encode proposed tax, benefit, or eligibility rules and test their possible effects before implementation. Policy specialists, developers, service designers, and subject experts can then examine the same testable logic rather than relying only on repeated manual interpretation of policy documents.
OpenFisca is an open-source framework for modelling taxes, benefits, and other rule-based systems. Assemblic provides an environment for developing and operating OpenFisca-based Rules as Code projects, including source-code management, deployment pipelines, secure hosting, web application firewall services, content-delivery infrastructure, and edge-computing functions. Salsa Digital says this allows project teams to concentrate on encoding and testing policy rules instead of assembling and maintaining each platform component separately.
Salsa Digital says its assessed Rules as Code service and Assemblic are available to Australian government agencies through Category 3 DXP of the Drupal Services Panel. Agencies can request the Rules as Code pricebook from the panel or use another procurement mechanism available to them. Panel access provides a purchasing route but does not determine security suitability or authorisation for a specific deployment. Further details are available in Salsa Digital’s public announcement.
Image Attribution Disclaimer: At The Drop Times (TDT), we are committed to properly crediting photographers whose images appear in our content. Many of the images we use come from event organizers, interviewees, or publicly shared galleries under CC BY-SA licenses. However, some images may come from personal collections where metadata is lost, making proper attribution challenging.
Our purpose in using these images is to highlight Drupal, its events, and its contributors—not for commercial gain. If you recognize an image on our platform that is uncredited or incorrectly attributed, we encourage you to reach out to us at #thedroptimes channel on Drupal Slack.
We value the work of visual storytellers and appreciate your help in ensuring fair attribution. Thank you for supporting open-source collaboration!


