An audit has found most Commonwealth agencies are failing to hit required cyber maturity levels. 

Federal government agencies are struggling to implement the ‘Essential Eight’ cyber security controls, with just two out of 19 agencies recently examined by the national auditor making the required grade.

The Essential Eight are the baseline controls for cyber resilience within government, and were mandated for all 98 non-corporate Commonwealth entities last year, four years after they were first developed by the Australian Signals Directorate.

The Essential Eight scheme includes four defined maturity levels - Maturity Level Zero through to Maturity Level Three. With the exception of Maturity Level Zero, these levels are based on mitigating increasing levels of adversary tradecraft (i.e. tools, tactics, techniques and procedures) and targeting. 

These are linked to Policy 10, which is part of the protective security policy framework (PSPF). Policy 10 requires agencies to implement the Top Four controls (a predecessor to the Essential Eight) and consider the remaining four voluntary controls to achieve a managing maturity rating.

A review by the Australian National Audit Office (ANAO) has found that while maturity levels are slowly improving, particularly with application control, most agencies are still failing to hit required Policy 10 maturity levels. 

“Although some reported improvements were observed, the Australian National Audit Office found the reported maturity levels for most entities were still significantly below the Policy 10 requirement,” the audit says.

“Of the 19 entities assessed, two had self-assessed as achieving a managing maturity level. These entities were able to demonstrate evidence to support their self-assessments as required.”

From July this year, non-corporate Commonwealth entities will be expected to implement Essential Eight Maturity Level Two mitigations to achieve a managing maturity rating under Policy 10.

The ANAO report says that the number of entities reporting an ad-hoc or developing maturity level has “not significantly changed” since its last assessment in 2020-2021. 

The audit office has questioned whether agencies are capable of improving their compliance with the Essential Eight further.

“Entities’ inability to meet previous requirements indicates a weakness in implementing and maintaining strong cyber security controls over time,” the audit said.

“Previous ANAO audits of entity compliance with PSPF cyber security requirements have not found a significant improvement over time.

“The work undertaken as part of this review indicates that this pattern continues, with limited improvements.”

The full report is accessible in PDF form.