Federal government agencies are continuing to struggle to implement the ‘Essential Eight’ cyber security controls, with only two of 19 agencies recently examined by the national auditor making the required grade.
That's the finding of the 2021-22 interim financial controls audit of major entities [pdf], which reviewed the 2020-21 ‘Policy 10’ self-assessments of select agencies, with a focus on core financial and HR systems.
The revelation does not bode well for the next reporting cycle, given the government’s recent decision to mandate the Essential Eight for all non-corporate Commonwealth entities.
The Essential Eight – long considered the baseline for cyber resilience within government, but only endorsed as a compulsory requirement last year – will replace the Top Four controls from July 2022.
The audit, released on Thursday, shows that while maturity levels are slowly improving, particularly with application control, most agencies are still failing to hit maturity levels required by Policy 10.
“Although some reported improvements were observed, the Australian National Audit Office found the reported maturity levels for most entities were still significantly below the Policy 10 requirement,” the audit said.
“Of the 19 entities assessed, two had self-assessed as achieving a managing maturity level. These entities were able to demonstrate evidence to support their self-assessments as required.”
Policy 10, part of the Protective Security Policy Framework (PSPF), required agencies to implement the Top Four controls and consider the remaining four voluntary controls to achieve a managing maturity rating in 2021-22.
From July 2022, non-corporate Commonwealth entities will be expected to implement Essential Eight maturity level two mitigations to achieve a managing maturity rating under Policy 10.
The audit added that the managing figure “has not changed since the 2020-21 assessment”, with the number of entities reporting an ad-hoc or developing maturity level also “not significantly changed”.
It also noted that while finance and HR systems were the focus, “most entities conducted their self-assessment at a system or environment level and did not specifically assess the controls required to minimise cyber risks to [those] applications”.
Three of the reviewed agencies reported “improvements in Essential Eight maturity levels across several [controls]”, the audit said, but two others reported a lower maturity than last year.
Patching still falls short
‘Patching applications’ continues to be the most stubborn of the controls for agencies, with only five of the 19 assessed by the ANAO reporting compliance, followed by ‘user application hardening’.
“Although most entities had plans to improve ‘patching applications’ and ‘user application hardening’ controls by July 2020, as at June 2021 entities were still not achieving a managing maturity level,” the audit said.
“The number of applications in entities’ systems and identifying all applicable hardening controls for specific applications continues to be the key issue with implementing this mitigation strategy.
“Some entities have also stated that the ‘patching applications’ requirements are not achievable and have chosen to implement other mitigation strategies to address the related cyber threats.”
‘Restricting macros’ was also “reported to be difficult as users continue to rely heavily on macros to perform business activities”.
“Entities continue to differ in their maturity of addressing the associated risks, with some entities reporting difficulties with monitoring the use of macros in their environments,” the audit said.
“The reported improvements in this year’s assessment have been attributed to some entities completing their cyber security implementations of Macro controls.”
For ‘multi-factor authentication’, most agencies have “focused on achieving the developing maturity level and are relying on other mitigation strategies to address the associated risks”.
Following a spate of sub-par audit results over many years, the ANAO was also critical of whether agencies were capable of improving their compliance with the Essential Eight further.
“Entities’ inability to meet previous requirements indicates a weakness in implementing and maintaining strong cyber security controls over time,” the audit said.
“Previous ANAO audits of entity compliance with PSPF cyber security requirements have not found a significant improvement over time.
“The work undertaken as part of this review indicates that this pattern continues, with limited improvements.”
The ANAO noted that a parliamentary inquiry last year had recommended greater accountability for the cyber security requirements, including over the self-assessment process.
“While entities’ compliance with PSPF cyber security requirements remains low, there continues to be the risk of compromise to information,” it said.