# Essential Eight (Australia)
## Definition
The Essential Eight is a set of prioritized cybersecurity mitigation strategies developed by the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC). Based on ASD's experience responding to cyber incidents, the Essential Eight represents the most effective strategies organizations can implement to mitigate cybersecurity incidents caused by various threat vectors. The framework uses a maturity model (Maturity Levels 0-3) that allows organizations to progressively improve their security posture against increasingly sophisticated adversaries.
## How It Works
The Essential Eight strategies are grouped into three objectives:
Prevent Attacks:
- Application Control: Only approved/trusted applications can execute. Maturity Level 3 requires application control on all workstations and servers, including blocking execution in user-writable directories.
- Patch Applications: Patch internet-facing applications within 48 hours when exploits exist. Level 3 requires patching all applications within 48 hours of release when exploits or critical vulnerabilities exist.
- Configure Microsoft Office Macro Settings: Block macros in files from the internet and only allow vetted macros in trusted locations. Level 3 blocks all macros except those digitally signed by a trusted publisher.
- User Application Hardening: Block Flash, Java, ads, and unnecessary features in web browsers. Disable PowerShell 2.0. Level 3 requires blocking all web advertisements and disabling .NET Framework 3.5.
Limit Impact of Attacks:
- Restrict Administrative Privileges: Limit admin access to those who need it. Separate privileged and unprivileged accounts. Level 3 requires privileged access workstations for administrative tasks, just-in-time administration, and blocking internet access from privileged accounts.
- Patch Operating Systems: Patch OS vulnerabilities within 48 hours when exploits exist. Replace unsupported operating systems. Level 3 requires patching within 48 hours and using the latest OS releases.
- Multi-Factor Authentication: Require MFA for all users accessing internet-facing services and for privileged actions. Level 3 requires phishing-resistant MFA (hardware keys, FIDO2) for all users and all sensitive data repositories.
Recover Data and Availability:
- Regular Backups: Perform and test regular backups of critical data, software, and configuration settings. Level 3 requires backups stored offline or disconnected, tested quarterly, and retained for at least three months.
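Several of the strategies above resolve to concrete Windows settings that can be read back from a host. The following PowerShell is an added example (not ASD's assessment tooling and not code from the page): it spot-checks the Office macro policy values, the PowerShell 2.0 and .NET Framework 3.5 optional features, and local Administrators membership. It assumes Office 2016/365 (the `16.0` policy key), an elevated PowerShell 5.1 or later session for the DISM cmdlets, and covers only a subset of the controls; everything else (patch timeliness, MFA, backups) needs other evidence.

```powershell
# Added example: read-only spot check of a few Essential Eight settings on a
# Windows host. Assumes Office 2016/365 (16.0 policy keys) and an elevated
# PowerShell 5.1+ session so Get-WindowsOptionalFeature can run.

function Get-MacroPolicy {
    param([string]$App = 'Word')
    # Documented Office policy location written by Group Policy / Intune
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # VBAWarnings: 3 = disable except digitally signed, 4 = disable all without notification
    # blockcontentexecutionfrominternet: 1 = block macros in files marked as from the internet
    [pscustomobject]@{
        Application        = $App
        VBAWarnings        = $p.VBAWarnings
        BlockInternetMacro = $p.blockcontentexecutionfrominternet
        MacroPolicyOk      = ($p.VBAWarnings -in 3, 4) -and ($p.blockcontentexecutionfrominternet -eq 1)
    }
}

function Get-OptionalFeatureState {
    param([string]$FeatureName)
    $f = Get-WindowsOptionalFeature -Online -FeatureName $FeatureName -ErrorAction SilentlyContinue
    # $null means the query failed (typically not elevated) or the feature is unknown
    if ($null -eq $f) { return 'Unknown' }
    return $f.State.ToString()
}

function Invoke-E8SpotCheck {
    $findings = @()

    # Configure Microsoft Office Macro Settings
    foreach ($app in 'Word', 'Excel', 'PowerPoint') {
        $m = Get-MacroPolicy -App $app
        $findings += [pscustomobject]@{
            Strategy = 'Configure Office Macro Settings'
            Check    = "$app macro policy"
            Pass     = $m.MacroPolicyOk
            Detail   = "VBAWarnings=$($m.VBAWarnings) BlockInternet=$($m.BlockInternetMacro)"
        }
    }

    # User Application Hardening: PowerShell 2.0 and .NET Framework 3.5 should be disabled
    foreach ($feat in 'MicrosoftWindowsPowerShellV2Root', 'NetFx3') {
        $state = Get-OptionalFeatureState -FeatureName $feat
        $findings += [pscustomobject]@{
            Strategy = 'User Application Hardening'
            Check    = "$feat disabled"
            Pass     = $(if ($state -eq 'Unknown') { $null } else { $state -ne 'Enabled' })
            Detail   = "State=$state"
        }
    }

    # Restrict Administrative Privileges: surface local Administrators for review
    # (Pass is left empty because who belongs there is an organizational decision)
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Strategy = 'Restrict Administrative Privileges'
        Check    = 'Local Administrators membership'
        Pass     = $null
        Detail   = ($admins.Name -join ', ')
    }

    return $findings
}

Invoke-E8SpotCheck | Format-Table -AutoSize
```

Run it from an elevated session; a `Pass` of empty (`$null`) means the check could not be evaluated automatically rather than that it failed, so treat those rows as items for manual review rather than silently counting them as compliant.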
Maturity Model:
- Level 0: Not aligned with the mitigation strategy
- Level 1: Partly aligned; provides protection against commodity, opportunistic threats
- Level 2: Mostly aligned; provides protection against adversaries with moderate capability
- Level 3: Fully aligned; provides protection against sophisticated adversaries (including nation-state actors)
Organizations should target the same maturity level across all eight strategies rather than achieving Level 3 in some and Level 0 in others. Security is only as strong as the weakest control.
## Why It Matters
The Essential Eight is mandatory for Australian government entities (mandated by the Protective Security Policy Framework) and increasingly adopted by private sector organizations in Australia and the Asia-Pacific region. ASD's analysis shows that implementing all eight strategies at Maturity Level 3 would have prevented the vast majority of cyber intrusions investigated by ASD.
The framework is notable for its prescriptive specificity. Unlike principle-based frameworks that describe what to achieve, the Essential Eight specifies exactly what to do: which patches, within what timeframe, with what controls. This makes it highly actionable.
The maturity model is also practical. Rather than treating compliance as binary (pass/fail), it provides a clear progression path. Organizations can assess their current maturity, set target levels based on their threat environment, and track improvement over time.
## Real-World Applications
- Australian Government: All non-corporate Commonwealth entities must implement the Essential Eight at a maturity level commensurate with their risk profile.
- Critical Infrastructure: Australian critical infrastructure operators use the Essential Eight as a foundational cybersecurity baseline under the Security of Critical Infrastructure Act 2018.
- Financial Services: APRA-regulated entities reference the Essential Eight when implementing CPS 234 cybersecurity requirements.
- Healthcare: Australian health organizations adopt the Essential Eight to protect patient data and clinical systems.
- International Adoption: Organizations in New Zealand, Singapore, and other Asia-Pacific countries increasingly adopt the Essential Eight as a practical, proven baseline.
## CDA Perspective
The Essential Eight aligns with CDA's Security Posture & Hygiene (SPH) domain under the Autonomous Posture Command (APC) methodology. We consider it one of the best prescriptive security baselines available, rivaling and often surpassing more complex frameworks for practical effectiveness.
CDA's operational approach:
- M-SPH-R01 assesses current maturity across all eight strategies using ASD's assessment guidance
- M-SPH-B01 implements controls to achieve the target maturity level, prioritizing strategies with the lowest current maturity
- M-SPH-H01 configures continuous monitoring to detect maturity regression
- M-SPH-D01 conducts periodic reassessment to validate maturity level claims
CDA's recommendation: aim for uniform maturity across all eight strategies. An organization at Level 3 for seven strategies but Level 0 for administrative privileges has a critical gap that attackers will find.
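The "weakest control" rule from the maturity model section and CDA's recommendation above both come down to the same arithmetic: overall maturity is the minimum across the eight strategies, and remediation is ordered by lowest level first. The PowerShell below is an added example (not ASD's assessment tool and not CDA's M-SPH tooling) that encodes that roll-up; the strategy names and the sample levels are constructed for the illustration.

```powershell
# Added example: roll up per-strategy maturity into an overall level (the
# minimum) and produce a remediation order, lowest level first.

$Essential8 = @(
    'Application Control', 'Patch Applications', 'Configure Office Macro Settings',
    'User Application Hardening', 'Restrict Administrative Privileges',
    'Patch Operating Systems', 'Multi-Factor Authentication', 'Regular Backups'
)

function Get-OverallMaturity {
    param(
        [hashtable]$Assessed,   # strategy name -> assessed level 0..3
        [int]$Target = 2        # target level the organization has chosen
    )
    # Refuse to score a partial assessment: an unassessed strategy is not "fine"
    $missing = $Essential8 | Where-Object { -not $Assessed.ContainsKey($_) }
    if ($missing) { throw "No assessment recorded for: $($missing -join ', ')" }

    $levels = foreach ($s in $Essential8) {
        $lvl = [int]$Assessed[$s]
        if ($lvl -lt 0 -or $lvl -gt 3) { throw "Level for '$s' must be 0..3, got $lvl" }
        [pscustomobject]@{ Strategy = $s; Level = $lvl }
    }

    # Overall maturity is the lowest level across all eight strategies
    $overall = ($levels | Measure-Object -Property Level -Minimum).Minimum

    [pscustomobject]@{
        Overall     = $overall
        Target      = $Target
        MeetsTarget = ($overall -ge $Target)
        # Remediation order: strategies below target, lowest level first
        Priority    = $levels | Where-Object Level -lt $Target |
                      Sort-Object Level, Strategy | Select-Object Strategy, Level
    }
}

# Constructed sample: seven strategies at Level 3, administrative privileges at Level 0
$sample = @{
    'Application Control'               = 3
    'Patch Applications'                = 3
    'Configure Office Macro Settings'   = 3
    'User Application Hardening'        = 3
    'Restrict Administrative Privileges' = 0
    'Patch Operating Systems'           = 3
    'Multi-Factor Authentication'       = 3
    'Regular Backups'                   = 3
}

$result = Get-OverallMaturity -Assessed $sample -Target 3
"Overall maturity: $($result.Overall) (target $($result.Target), met: $($result.MeetsTarget))"
$result.Priority | Format-Table -AutoSize
```

With the sample input the overall maturity reports as 0, not 3, which is the point: the single Level 0 strategy sets the score for the whole organization and lands at the top of the remediation list.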
## Key Takeaways
- The Essential Eight comprises eight prioritized mitigation strategies developed from real incident response experience
- Three objectives: prevent attacks, limit impact, recover data
- Maturity model (Levels 0-3) provides a clear progression path against increasingly sophisticated threats
- Mandatory for Australian government entities; widely adopted in the private sector
- Prescriptive specificity makes it highly actionable compared to principle-based frameworks
- Uniform maturity across all eight strategies is essential; a single weak control undermines the others