The federal government has been asked to require that all 180 corporate and non-corporate Commonwealth entities implement the ASD’s ‘essential eight’ cyber security strategies by June 2018.

A joint committee asked today for a mandate from the government that all non-corporate entities - agencies and regulators - meet the Australian Signals Directorate’s revamped ‘essential eight’ strategies unveiled earlier this year.
The committee said it was concerned about lax adoption of the previous version of the standard, the ‘top four strategies to mitigate cyber security incidents’, despite the efficacy of the controls being well-recognised in and out of government.
Those concerns were heightened by an audit report earlier this year, which found Immigration and the ATO did not comply with the ‘top four’ mitigation strategies.
Immigration attributed its problems to complexity caused by machinery of government changes, while the ATO said it suffered compliance problems after a major IT outage.
Both agencies have been asked to report compliance improvements to the joint committee of public accounts and audit.
While seeking the mandate, the committee said it also noted concerns that compliance with the ‘top four’ mitigation strategies was a minimum standard and "does not necessarily equate to cyber resilience, particularly having regard to the fact that cyber resilience contemplates the likelihood that systems can and will fail".
“The committee considers that entities would benefit from clear guidance on the hallmarks of cyber resilience and notes that the Department of Prime Minister and Cabinet (PM&C) agreed to work with the Australian National Audit Office (ANAO) to better define these key features,” it said.
“The committee recommends that in future audits on cyber security compliance, the ANAO outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these.”