Regulatory Compliance

Australia's Essential Eight and Software Supply Chain

The ACSC's November 2023 Essential Eight update tightened patching, application control, and software inventory expectations that every Australian-regulated entity now has to evidence.

Nayan Dey
Senior Security Engineer

On November 27, 2023, the Australian Signals Directorate and the Australian Cyber Security Centre published a substantial update to the Essential Eight Maturity Model, raising the baseline across all three maturity levels and introducing sharper requirements for application control, patch timelines, and software inventory. The Essential Eight sits inside the Protective Security Policy Framework (PSPF) and is mandatory for non-corporate Commonwealth entities under PSPF Policy 10. It is also a de facto requirement for APRA-regulated financial entities under CPS 234, for Commonwealth grant recipients, and for companies supplying the Defence Industry Security Program. April 14, 2024 marks the start of the transitional period where the new model is used for assessments against Maturity Level 2 and above, and the older E8 baselines are retired.

What Is the Essential Eight and How Is It Enforced?

The Essential Eight is a set of eight mitigation strategies published by ASD/ACSC to limit the impact of targeted cyber intrusions: application control, patch applications, configure MS Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. For Commonwealth entities, PSPF Policy 10 requires implementation to at least Maturity Level 2 by June 2025 as set by the 2022 updates to the PSPF. APRA CPS 234 references the Essential Eight as an appropriate baseline for information security controls, and the Office of the Australian Information Commissioner has cited the E8 in several enforcement actions under the Privacy Act 1988.

What Changed in the November 2023 Update?

The 2023 revision rewrote the maturity descriptions and raised the bar on patch timelines and application control. At Maturity Level 2, applications interacting with the internet must be patched within 48 hours when a vulnerability is assessed as exploited, up from two weeks in the prior model. Application control must be implemented on all workstations and internet-facing servers at ML2, and Microsoft's block-list of vulnerable drivers is now explicitly referenced. The 2023 update also extends the "Essential Eight Assessment Process Guide" published in September 2022, which prescribes how assessors collect evidence from endpoints and servers rather than accepting self-attestation.

How Do the Patch-Application and Patch-OS Strategies Apply to Open-Source Software?

Patch Applications at ML2 requires a vulnerability scanner with an up-to-date vulnerability database, a scan at least every two weeks for applications not on the internet, and every 48 hours for internet-facing applications and drivers. The ACSC has repeatedly clarified that open-source components embedded in an application are in scope — a Java library, an npm package, or a Python wheel shipped inside your product counts as part of "the application." The patch clock starts when the vendor releases a fix, not when the CVE publishes. At ML3 the scanning cadence tightens to every 24 hours for internet-facing applications and drivers. A reliable SBOM is the only practical way to evidence this against thousands of transitive dependencies.
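The patch-window reasoning above, as an added example (not code from the article, ACSC, or Safeguard): a check that runs an SBOM-style component inventory against the timelines the page states, starting each component's clock at the vendor's fix release rather than CVE publication. The inventory format, component names and timestamps are constructed; the page gives no ML3 figure for non-internet-facing software, so ML2's two weeks is assumed there.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Windows in hours as the article states them: ML2 48h for internet-facing
# applications and drivers, two weeks otherwise; ML3 tightens internet-facing to
# 24h. The ML3 non-internet-facing value is carried over from ML2 (assumption).
PATCH_WINDOWS_HOURS = {
    2: {"internet_facing": 48, "internal": 14 * 24},
    3: {"internet_facing": 24, "internal": 14 * 24},
}


@dataclass
class Component:
    """One SBOM entry enriched with the two facts the E8 patch clock needs."""
    name: str
    version: str
    internet_facing: bool
    fix_released: datetime                 # vendor fix release: the clock starts here
    patched_at: Optional[datetime] = None  # None means still unpatched


def overdue_components(components: List[Component], maturity_level: int,
                       now: datetime) -> List[Tuple[str, float]]:
    """Return (name, hours past deadline) for components patched after their
    window closed, or still unpatched with the window already closed."""
    windows = PATCH_WINDOWS_HOURS[maturity_level]
    findings = []
    for c in components:
        key = "internet_facing" if c.internet_facing else "internal"
        deadline = c.fix_released + timedelta(hours=windows[key])
        closed_at = c.patched_at or now  # unpatched items are measured up to 'now'
        if closed_at > deadline:
            hours_over = (closed_at - deadline).total_seconds() / 3600
            findings.append((c.name, round(hours_over, 1)))
    return findings


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed inventory for illustration; names, versions and times are made up.
NOW = _utc("2024-05-01T12:00:00")
SAMPLE_INVENTORY = [
    Component("libfoo-java", "2.3.1", True, _utc("2024-04-28T00:00:00")),  # unpatched
    Component("internal-cli-dep", "0.9.0", False, _utc("2024-04-10T00:00:00"), _utc("2024-04-20T00:00:00")),
    Component("edge-driver", "5.1", True, _utc("2024-04-29T00:00:00"), _utc("2024-04-30T20:00:00")),
]

if __name__ == "__main__":
    for level in (2, 3):
        print(f"ML{level} overdue:", overdue_components(SAMPLE_INVENTORY, level, NOW))
```

The same inventory passes the driver at ML2 but flags it at ML3, which is the kind of evidence gap an assessor collecting endpoint data rather than self-attestation will surface.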

What Does Application Control Mean in Practice for Developers?

Application Control at ML2 requires implementation on all workstations and internet-facing servers using one of the approved technologies (AppLocker, Windows Defender Application Control, or equivalent). The 2023 update added a specific rule-set expectation that executables, software libraries, scripts, installers, compiled HTML, HTML applications, control panel applets, and drivers are all controlled. For software vendors, this changes deployment shape: binaries must be signed, library paths must be predictable, and any runtime-downloaded scripts (typical in some build systems) need rework. ACSC's ISM control ISM-1490 provides the technical baseline.

What Are the Penalties and Oversight Mechanisms?

Essential Eight non-compliance inside the Commonwealth is addressed through the PSPF reporting cycle with non-compliance findings reported to the Attorney-General's Department and, for significant issues, to the Secretaries Board. APRA can use CPS 234 breaches to trigger formal enforceable undertakings; a 2022 action against a mutual bank required a four-year remediation program. Outside the public sector, the Privacy Act 1988 penalties were lifted by the 2022 Amendment Act to AUD 50 million, three times the benefit obtained, or 30% of adjusted turnover — whichever is greater — for serious or repeated interference with privacy. The Australian Information Commissioner has applied the Essential Eight as a reference baseline in determinations including OAIC v Medibank Private.

How Does This Intersect With IRAP and the Hosting Certification Framework?

Information Security Registered Assessors Program (IRAP) assessors evaluate systems against the Australian Government Information Security Manual, which cross-references the Essential Eight. Systems handling PROTECTED data must be IRAP-assessed and, in many cases, hosted on a Hosting Certification Framework Certified Strategic or Assured provider. Software vendors supplying into that supply chain must evidence their E8 posture as part of the IRAP bundle and show how their upstream dependencies are kept within the prescribed patch windows.

How Safeguard Helps

Safeguard's SBOM-driven inventory gives each Essential Eight control the evidence the assessor expects, from patch-cadence dashboards against the 48-hour and 14-day timelines to a library-level view that exposes drivers, installers, and scripts subject to application control. Griffin AI reachability analysis separates the vulnerabilities that need an emergency patch from those that are latent, which keeps development velocity up without breaking the ML2 clocks. TPRM workflows document vendor patch attestations for third-party commercial software used in regulated environments, and policy gates block builds that introduce unsigned binaries or out-of-window dependencies. Compliance mapping across the Essential Eight, ISM, and ISO 27001:2022 turns the IRAP evidence pack into a one-click export.
