The Australian Cyber Security Centre (ACSC) has revised its Essential Eight Maturity Model and, importantly, it looks likely that all of the Essential Eight will become mandatory for non-corporate Commonwealth entities (NCCEs).
As a reminder, the Essential Eight set out a range of baseline requirements for entities of different maturity levels, relating to:
- application control
- application patching
- MS Office macro settings
- user application hardening
- restriction of administrative privileges
- operating system patching
- multi-factor authentication
- regular backups
To date, only four of the eight (application control, application patching, restriction of admin privileges and OS patching) have been mandated by the Protective Security Policy Framework (PSPF). However, it's been reported that the Attorney-General's Department is preparing draft amendments to the PSPF to make all eight mandatory, and is currently considering timeframes for implementation. This could have knock-on implications for service providers who wish to provide IT support, implementation and other services to NCCEs, as their customers will be looking to meet the Essential Eight's requirements.
A point to note, however: the Essential Eight are aimed at Microsoft Windows-based, internet-connected networks and are not primarily designed for cloud services, enterprise mobility or other operating systems. The ACSC suggests that alternative cyber risk mitigation strategies may be more appropriate to mitigate threats to these environments.
For a discussion on the changes, see this article.
The Essential Eight Maturity Model, first published in June 2017 and updated regularly, supports the implementation of the Essential Eight. It is based on the ACSC’s experience in producing cyber threat intelligence, responding to cyber security incidents, conducting penetration testing and assisting organisations to implement the Essential Eight.