Only one of the 18 largest departments and agencies across government recently examined by the national auditor has fully implemented the ‘Essential Eight’ cyber security controls.
The remaining 17 agencies reported either ‘ad-hoc’ or ‘developing’ levels of maturity with the controls – the lowest possible score under the metric – or incorrectly self-assessed as having a ‘managing’ maturity level.
The Essential Eight is a series of baseline cyber security mitigation strategies and a maturity model recommended by the federal government. Four of the eight, known as the ‘top four’ controls, are mandatory for non-corporate Commonwealth entities.
The findings are contained in the 2020 interim financial controls audit of major entities, which reviewed the implementation of Essential Eight with a focus on core financial and HR systems.
The audit – which was released just prior to revelations the government will mandate the Essential Eight – looked at the 2019-20 ‘Policy 10’ self-assessments of 18 agencies, including the Department of Defence, Services Australia and the Australian Taxation Office.
Policy 10 – part of the Protective Security Policy Framework (PSPF) – requires entities to achieve a maturity level of ‘managing’, which the Australian National Audit Office (ANAO) said is equivalent to Essential Eight maturity level three.
An agency is considered to have achieved the ‘managing’ maturity when it has implemented all of the ‘top four’ cyber security controls and has considered the remaining four voluntary controls.
While three agencies were found to have “significantly improved” their maturity since the 2019-20 report, the ANAO said “most entities were still significantly below the ‘policy 10’ requirements”.
The ANAO found that while five of the 18 entities had “self-assessed as achieving a managing maturity level”, only one “had appropriate evidence to support the self-assessment”.
In the other cases, entities were either unable to “demonstrate evidence to support their self-assessment” or the evidence supplied did not “support the assessment”.
The audit also found that some of the 13 agencies that self-assessed as having an ‘ad-hoc’ or ‘developing’ maturity level had actually met the ‘policy 10’ requirements.
“The ANAO considered some entities to have met the ‘policy 10’ requirements. However, entities had reported as not fully implementing the mitigation strategy,” the report said.
“The entities attributed the differences in the assessments to the interpretation of the scope and intent of the requirements.
“This is consistent with previous ANAO performance audit findings and indicates that measures taken to address this are not yet fully effective.”
The ANAO urged the government to strengthen arrangements for verifying self-assessments as recently as March, when it found that some of the country’s most powerful departments were still flailing.
The results of the audit are almost identical to last year’s, when only one agency was found to have achieved a ‘managing’ maturity level.
“The ANAO found that the number of assessed entities that reported an ad-hoc or developing maturity level had not changed since last year’s assessment,” the report said.
“The PSPF cyber security requirements have been in place since 2013.
“Entities’ inability to meet these requirements indicates a weakness in implementing and maintaining strong cyber security controls over time.
“Previous audits of cyber security by the ANAO to assess the entities’ implementation of PSPF cyber security requirements have not found an improvement in the level of compliance with the controls over time.
“The work undertaken as part of this review indicates that this pattern continues, with limited improvements.”
The ANAO said the lowest level of compliance continues to be with the mandatory patching applications control, followed by the non-mandatory multi-factor authentication and user application hardening controls.
“Although most entities had plans to improve patching applications and user application hardening controls by July 2020, entities are still not achieving a managing maturity level,” the report said.
“The number of applications in entities’ systems and identifying all applicable hardening controls for specific applications continues to be the key issue with implementing this mitigation strategy.
“Some entities have also stated that the patching applications requirements are not achievable and have chosen to implement other mitigation strategies to address the related cyber threats.”