Almost 75 percent of federal government entities were struggling to fully-implement the Essential Eight cyber security controls at the start of the pandemic, casting fresh doubts on whether they will be able to meet the now mandatory requirements.
The findings are revealed in the government’s latest protective security policy framework (PSPF) assessment report of the 97 non-corporate Commonwealth entities quietly released by the Attorney-General’s department earlier this week.
The report, which covers the 2020-21 financial year, compiles the results of annual self-assessments conducted by the entities in security governance, information security, personal security, and physical security.
For each of the four categories, agencies are required to rank their maturity as ‘ad hoc’, ‘developing’, ‘managing’ or ‘embedded’, with managing considered to be “complete and effective implementation”.
While the report shows an improvement in the government’s overall cyber security posture compared with 2019-20, fewer agencies achieved a managing level of maturing for PSPF policy 10 in 2020-21.
“The number of entities reporting ‘developing or higher maturity for PSPF policy 10 … increased to 92 per cent, compared with 89 percent in 2019-20,” the report said.
“The improvement is largely attributed to further implementation of ACSC’s strategies to mitigate cyber security incidents.”
“Despite this improvement, only 26 per cent of entities reported ‘managing’ maturity for PSPF policy 10, compared with 34 per cent in 2019-20.”
At the time of the reporting period, policy 10 required that agencies implement the Top Four cyber security controls and consider the remaining four Essential Eight controls to achieve a ‘managing’ maturity rating.
Agencies have struggled to implement the Top Four controls since they became mandatory in 2013, with a series of audits uncovering serious cyber resilience issues in that time.
The government has since mandated the Essential Eight, with agencies expected to implement the Essential Eight maturity level two mitigations from July 2022 to achieve a ‘managing’ maturity rating.
The assessment report said the change “appears to be as a result of entities recalibrating their maturity level following … updates to the Essential Eight and the effect of COVID-19”.
Some 96 per cent of agencies reported a developing or higher maturity for the wider information security outcome, though only 16 per cent of these reached a ‘managing’ level of maturity.
“The information security outcome had mixed results,” the report said. “The number of entities reporting ‘managing’ maturity for the information security decreased in 2020-21, but despite this, [the] information security outcome had the most significant increase in the number of entities reporting ‘developing’ or higher maturity for 2020-21.”
The report added that “the information security outcome remains a challenge for NCEs to achieve full implementation of relevant requirements”.
Only 8 per cent of entities reported an ad hoc maturity for information security, down from 11 per cent in 2019-20.
The handful of agencies reporting an ‘ad hoc’ maturity for Policy 10 have been referred to the Australian Cyber Security Centre by the Attorney-General’s Department for a cyber security uplift.
In a bid to best target the problem areas, the AGD’s has shared the otherwise sensitive reporting data to inform the uplift program.
Agencies that report an ad hoc maturity – also described as “partial or basic implementation of the PSPF – are not considered to have well understood their responsibilities.
Do you know more? Contact James Riley via Email.