Govt to mandate the Essential Eight cyber security controls

The federal government is set to mandate the Essential Eight cyber security controls for all 98 non-corporate Commonwealth entities, four years after they were first developed.


The Attorney-General’s Department revealed the step change in government cyber security policy in its response to last year’s parliamentary committee report into cyber resilience.


The committee had called for the department to update it on the “feasibility of mandating the Essential Eight across Commonwealth entities”.


The protective security policy framework (PSPF) currently requires non-corporate Commonwealth entities (NCCEs) to implement only the Top Four, while the Essential Eight are recommended.


But even as agencies continue to struggle to implement the Top Four, the mandate will now be extended to the Essential Eight, though the department has provided no timeline on when this might occur.


“The department has carefully considered [the] recommendation… and has held detailed discussions with the ACSC [Australian Cyber Security Centre] on the cyber security settings in the PSPF,” the AGD said.


“On this basis, the department will recommend an amendment to the PSPF to mandate the Essential Eight.


“This reflects the ACSC’s advice that entities should progress maturity across all eight strategies that form part of the Essential Eight, rather than focusing efforts on a smaller subset like the Top Four.


“This approach has been endorsed by the government security committee, an interdepartmental committee that provides strategic oversight of protective security policy.”


The department said it had already “commenced consultation with the 98 NCCEs about the implications of this proposal” and expects initial responses by the end of this month.


Following a mandate essential eight cyber security controls