The Australian Cyber Security Centre has reinstated the ‘maturity level zero’ rating in the Essential Eight cyber security controls, as the federal government prepares to make the model mandatory.
The change is one of several made by the ACSC in its latest update of the Essential Eight, which was re-published this week following a thorough review in consultation with government and industry.
The Essential Eight is a series of baseline cyber security mitigation strategies and a maturity model currently recommended by the federal government to help prevent cyber intrusions.
The level zero rating now sits below 'maturity level one' as the lowest level in the Essential Eight maturity model.
“This maturity level signifies that there are weaknesses in an organisation’s overall cyber security posture,” the Essential Eight now reads.
“When exploited, these weaknesses could facilitate the compromise of the confidentiality of their data, or the integrity or availability of their systems and data.”
A spokesperson from the ACSC told iTnews that maturity level zero was “reintroduced to... provide a broader range of maturity level ratings for assessors to consider when evaluating Essential Eight implementations”.
“Without a maturity level to represent this state (zero), data points are often lost,” the ACSC said.
As reported last month, the government is preparing to mandate the Essential Eight for all 98 non-corporate Commonwealth entities (NCCEs) after it was recommended by the Attorney-General's Department.
The recommendation – which has been endorsed by the government security committee – follows years of subpar compliance with the mandatory top four cyber security controls, as highlighted by numerous audits.
Another global change to the Essential Eight is that the maturity model now asks that entities achieve a maturity level across all eight controls before moving to achieve a higher level.
The document states that “mitigation strategies that constitute the Essential Eight have been designed to complement each other, and to provide coverage of various cyber threats”.
“Organisations should plan their implementation to achieve the same maturity level across all eight mitigation strategies before moving onto higher maturity levels,” it states.
The ACSC similarly no longer states that entities “should aim to reach maturity level three for each mitigation strategy”.
New patching, authentication expectations
Under the refreshed maturity level one, entities are now required to apply patches or mitigations for vulnerabilities in internet-facing services within two weeks of release, or within 48 hours if an exploit exists.
Prior to the update, entities that patched or mitigated application or operating system vulnerabilities within two weeks were considered to have achieved maturity level two.
Maturity level one also now requires that Internet Explorer 11 does not process content from the internet, and that multi-factor authentication is used for an entity’s internet-facing services.
This requirement also applies to third-party internet-facing services that process, store or communicate sensitive data.
Organisations are also expected to enable MFA by default on internet-facing services used by non-organisational users.