ASD upgrades Essential Eight cyber rules – Security

Australian agencies no longer have to apply “extreme risk” patches to applications and operating systems used by high-risk and regular users on different cycles in order to qualify for a middle level of maturity under the government’s “Essential Eight” model.

The change is one of several made by the Australian Cyber Security Centre (ACSC) to the Essential Eight maturity model, which was re-published overnight.

The public-facing portion of the model is now noticeably slimmer; whereas it previously had five levels of maturity, it now has three.

The former “maturity level zero” – essentially indicating what underdone security looked like – has vanished entirely.

There is also no longer published guidance for what was known as “maturity level four”, a higher-risk category.

Agencies falling into this category are now advised to “contact the ACSC for additional advice”.

Patch timing

One major change is around patching regimes – which account for two of the so-called ‘Top 4’ mitigations that are mandatory for agencies to meet.

Previously, to attain level two maturity, agencies had to adopt a two-lane approach to applying “extreme risk” patches,…
