The federal government will move to mandate the Essential Eight cybersecurity controls in public sector entities, after it was revealed that many agencies have not even implemented the more basic Top Four risk mitigation strategies.
In response to a 2020 parliamentary committee report on cyber resilience, the Attorney-General’s Department confirmed that it will be moving to require all public sector entities to employ the Essential Eight, a set of basic, baseline cybersecurity risk mitigation strategies developed by the Australian Signals Directorate.
The Essential Eight includes application whitelisting, patching applications, restricting administrative privileges, patching operating systems and multi-factor authentication.
Public sector agencies and departments are currently only required to have the Top Four cyber strategies in place, and audits have continually shown that most haven’t even done this.
But the department did not provide a timeline for when the Essential Eight will be mandated, with the move requiring legislative changes.
“The department has carefully considered the recommendation, and has held detailed discussions with the Australian Cyber Security Centre on the cybersecurity settings in the Public Sector Policy Framework (PSPF),” the Attorney-General’s Department said.
“On this basis the department will recommend an amendment to the PSPF to mandate the Essential Eight. This reflects the ACSC’s advice that entities should progress maturity across all eight strategies that form part of the Essential Eight, rather than focusing efforts on a smaller subset like the Top Four.
“This approach has been endorsed by the government security committee, an interdepartmental committee that provides strategy oversight of the protective security policy.”
The department is currently consulting with the public sector entities about these changes, and expects responses by the end of the month.
It comes after the federal government rejected making the Essential Eight mandatory in 2019, following a similar committee recommendation, on the grounds that its entities’ cybersecurity was not yet mature enough.
The announcement came in the same week that the Australian National Audit Office (ANAO) found agencies’ cybersecurity controls to be “significantly below” current requirements for the Top Four and Essential Eight.
The audit office found that only one of the 18 departments and agencies investigated had implemented the Essential Eight, despite several more claiming to have done so.
The other agencies audited had “ad hoc” or “developing” levels of cybersecurity controls.
The ANAO looked at whether any of these entities were at the “managing” maturity level of cyber controls, meaning they have implemented the Top Four and are considering implementing the Essential Eight.
It found that while three of the agencies investigated have “significantly improved”, “most entities were still significantly below” current requirements.
And while five agencies had self-assessed as being at a “managing maturity level”, only one of these actually had “appropriate evidence to support the self-assessment”.
“In each of the other cases, entities were not able to demonstrate evidence to support their self-assessments as required by the PSPF, or ANAO testing did not support the assessment that the mandatory Policy 10 requirements were fully implemented,” the ANAO said in the report.
These requirements have been in place for public sector entities since 2013.
“Entities’ inability to meet these requirements indicates a weakness in implementing and maintaining strong cybersecurity controls over time,” the ANAO said.