The federal government is set to mandate the Essential Eight cyber security controls for all 98 non-corporate Commonwealth entities, four years after they were first developed by the Australian Signals Directorate.
The Attorney-General’s Department revealed the planned step change in government cyber security policy in its response to last year’s parliamentary committee report into cyber resilience.
The committee had called for the department to update it on the “feasibility of mandating the Essential Eight across Commonwealth entities”, as well as introduce annual audits into the cyber resilience of agencies.
The protective security policy framework (PSPF) currently requires non-corporate Commonwealth entities (NCCEs) to implement only the Top Four, while the Essential Eight are recommended.
But even as agencies continue to struggle to implement the Top Four, the mandate will now be extended to the Essential Eight, though the department has provided no timeline on when this might occur.
“The department has carefully considered [the] recommendation… and has held detailed discussions with the ACSC [Australian Cyber Security Centre] on the cyber security settings in the PSPF,” the AGD [pdf] said.
“On this basis, the department will recommend an amendment to the PSPF to mandate the Essential Eight.
“This reflects the ACSC’s advice that entities should progress maturity across all eight strategies that form part of the Essential Eight, rather than focusing efforts on a smaller subset like the Top Four.
“This approach has been endorsed by the government security committee, an interdepartmental committee that provides strategic oversight of protective security policy.”
The department said it had already “commenced consultation with the 98 NCCEs about the implications of this proposal” and expects initial responses by the end of this month.
Following a series of incorrect assessments against the PSPF, the department is also “exploring options, including moderation, to further support entities” to improve self-assessment accuracy.
The possibility of more rigorous cyber security accountability mechanisms were first flagged last year, namely "agencies cross-assessing each other or central arrangements for going in and assessing or moderating agencies’ assessment results".
The department will similarly review the existing maturity model for the Essential Eight – which was introduced to replace the former 'compliance model' in October 2018 – to “ensure it is fit for purpose”.
“To progress this work, the department has sought feedback from entities on the current model, including on any existing processes that entities have in place to ensure the accuracy of their self-assessments,” it said.
“Entities have also been asked to detail any further supports that would assist them to accurately self-assess the maturity of their security capability and risk culture.
“This feedback will complement the comparative analysis that the department has completed on the approach across different jurisdictions to improve the accuracy of assessments against security policy frameworks.
“The department expects to settle on a preferred approach to this work in the second half of 2021.”
Shadow cyber security assistant minister Tim Watts welcomed the "much delayed" plans to mandate the controls, noting it was "far from reassuring when less than 3/10 Commonwealth entities self-assess that they are compliant with even the ASD Top Four".