The federal government is set to mandate the Essential Eight cyber security controls for all 98 non-corporate Commonwealth entities, four years after they were first developed.
The Attorney-General’s Department revealed the step change in government cyber security policy in its response to last year’s parliamentary committee report into cyber resilience.
The committee had called for the department to update it on the “feasibility of mandating the Essential Eight across Commonwealth entities”.
The protective security policy framework (PSPF) currently requires non-corporate Commonwealth entities (NCCEs) to implement only the Top Four, while the Essential Eight are recommended.
But even as agencies continue to struggle to implement the Top Four, the mandate will now be extended to the Essential Eight, though the department has provided no timeline on when this might occur.
“The department has carefully considered [the] recommendation… and has held detailed discussions with the ACSC [Australian Cyber Security Centre] on the cyber security settings in the PSPF,” the AGD said.
“On this basis, the department will recommend an amendment to the PSPF to mandate the Essential Eight.
“This reflects the ACSC’s advice that entities should progress maturity across all eight strategies that form part of the Essential Eight, rather than focusing efforts on a smaller subset like the Top Four.
“This approach has been endorsed by the government security committee, an interdepartmental committee that provides strategic oversight of protective security policy.”
The department said it had already “commenced consultation with the 98 NCCEs about the implications of this proposal” and expects initial responses by the end of this month.
Following a series of incorrect assessments against the PSPF, the department is also “exploring options, including moderation, to further support entities” to improve self-assessment accuracy.
It will similarly review the existing maturity model for the Essential Eight to “ensure it is fit for purpose”.
“To progress this work, the department has sought feedback from entities on the current model, including on any existing processes that entities have in place to ensure the accuracy of their self-assessments,” it said.
“Entities have also been asked to detail any further supports that would assist them to accurately self-assess the maturity of their security capability and risk culture.
“This feedback will complement the comparative analysis that the department has completed on the approach across different jurisdictions to improve the accuracy of assessments against security policy frameworks.
“The department expects to settle on a preferred approach to this work in the second half of 2021.”