The Australian government has flagged its intention to mandate the Essential Eight mitigation strategies, despite many entities not fully wrapping their heads around the Top Four.
Since 2013, non-corporate Commonwealth entities (NCCEs) have been required to undertake an annual self-assessment against the Top Four strategies, which are mandated by the Attorney-General's Department (AGD) Protective Security Policy Framework (PSPF). Entities report their overall compliance with mandatory requirements to AGD.
The Joint Committee of Public Accounts and Audit (JCPAA) last year reviewed a pair of reports from the Australian National Audit Office (ANAO). The JCPAA's December report on that inquiry asked AGD whether it was feasible to mandate the Essential Eight, a call the committee had first made in October 2017, and to report back on why some entities have yet to implement the Top Four, which were mandated in April 2013.
In its response [PDF] to the JCPAA, AGD said it remains committed to maintaining robust protective security standards to ensure the PSPF supports entities to manage their risks.
"The department has carefully considered … and has held detailed discussions with the [Australian Cyber Security Centre] on the cybersecurity settings in the PSPF," AGD wrote.
"On this basis, the department will recommend an amendment to the PSPF to mandate the Essential Eight.
"This reflects the ACSC's advice that entities should progress maturity across all eight strategies … rather than focusing efforts on a smaller subset like the Top Four, as this provides a greater level of protection."
AGD said such an approach has been endorsed by the Government Security Committee, which is an interdepartmental committee that provides strategic oversight of protective security policy.
Although keen to make the Essential Eight essential, AGD said doing so would have an impact on the entities required to implement them.
"As a result, the department has commenced consultation with the 98 NCCEs about the implications of this proposal," it added. "The department expects responses from NCCEs by the end of June 2021."
It is also preparing draft amendments to the PSPF and said it is currently considering timeframes for implementation.
Another one of the JCPAA's recommendations was that AGD update the committee on its benchmarking process for Commonwealth entities' reported compliance with cybersecurity requirements.
ANAO in March published the findings of an investigation into the effectiveness of the cybersecurity risk mitigation strategies implemented by seven government entities, and found that none had fully implemented all the mandatory benchmarks and that self-reporting was weak.
AGD told the JCPAA it is "exploring options, including moderation, to further support entities to improve the accuracy of their self-assessments".
"In addition, the department is also reviewing the existing maturity model to ensure it is fit for purpose," it said.