The federal government has rejected a recommendation to make the Australian Signals Directorate’s “baseline” Essential Eight cyber mitigation strategies mandatory.
Earlier this month the government quietly tabled its response to an 18-month-old Joint Committee of Public Accounts and Audit report on cyber resilience.
Among other recommendations, the bipartisan committee suggested that the ASD Essential Eight cyber security strategies be made mandatory for all departments and agencies.
“The Committee views the implementation of the Essential Eight by all government entities as a matter of best practice and critical to enhancing the Commonwealth’s cyber posture as a whole,” the report said.
The Essential Eight is meant to be a baseline checklist of basic steps agencies can take to shore up their cyber resilience and make it “much harder for adversaries to compromise systems”.
“Implementing the Essential Eight proactively can be more cost-effective in terms of time, money and effort than having to respond to a large-scale cybersecurity incident,” the Australian Cyber Security Centre said.
The Essential Eight includes application white-listing, patching applications, restricting admin privileges, patching operating systems and multi-factor authentication.
Currently, only the top four of these strategies are mandatory for government departments and agencies, and many of them have repeatedly been shown to be failing to implement even those.
But in its response to the joint committee report, tabled on 4 April, the government merely “noted” the recommendation, and said it won’t make the Essential Eight mandatory because its entities’ cybersecurity isn’t mature enough, even though the purpose of the Essential Eight is to help make their cybersecurity more mature.
“The government is committed to ensuring all Commonwealth entities raise their level of cybersecurity and understand the risks they face,” the government said.
“The Essential Eight represents ASD’s best advice on the measures an entity can take to mitigate the threat of a cyber incident and manage their risks.”
“However, the government will consider mandating the Essential Eight when cybersecurity maturity has increased across entities. The cybersecurity maturity and implementation of the Essential Eight strategies within entities is currently both a compliance and risk management issue for each accountable authority, due to the unique risk environments and operations of each entity.”
Instead, the government will continue to require compliance with the top four of the Essential Eight strategies, “strongly recommending” implementation of the other four and requiring entities to report on the implementation of these steps.