Introduction

1.1 Australian Government entities deliver a wide range of digital services to Australian businesses and the community. Australian Government entities also hold increasingly large volumes of data, some of which is highly sensitive, within information communications technology (ICT) systems and across their networks. Maintaining the security of government ICT systems, networks and data will support Australia’s social, economic and national security interests, as well as the privacy of its citizens.

1.2 The Australian Government has identified malicious cyber activity as one of the most significant threats affecting government entities, businesses and individuals.⁷ The frequency, scale, and sophistication of malicious cyber activity is reported to be increasing.⁸ Among all Australian organisations, based on the visibility of the Australian Cyber Security Centre (ACSC), government entities are regularly targeted by malicious cyber actors. In the period July 2019 to June 2020, there were 436 cyber security incidents⁹ reported to the ACSC by Australian Government entities.¹⁰ Cyber threats¹¹ are an increasing risk across Australian Government entities.¹²

Responsibilities of Australian Government entities

1.3 Under the Public Governance, Performance and Accountability Act 2013 (PGPA Act), accountable authorities of Australian Government entities must establish and maintain an appropriate system of risk oversight and management for the entity, and an appropriate system of internal control for the entity.¹³ The management of cyber security risk is the responsibility of individual entities. Entities are responsible for maintaining the security of their own ICT systems, networks and information holding.

1.4 There are three Australian Government entities with responsibilities for the policy framework and technical operational capability on cyber security:

• the Attorney-General’s Department (AGD);
• the Australian Signals Directorate (ASD); and
• the Department of Home Affairs (Home Affairs).

Attorney-General’s Department

1.5 In relation to cyber security, AGD is responsible for administering the Protective Security Policy Framework (PSPF), which provides the framework for Australian Government entities to achieve the following four protective security outcomes. Safeguarding an entity’s information from cyber threats is a PSPF requirement under the information security outcome.

• Governance — each entity manages security risks and supports a positive security culture in an appropriately mature manner ensuring: clear lines of accountability; sound planning, investigation and response, assurance and review processes; and proportionate reporting.
• Information security — each entity maintains the confidentiality, integrity and availability of all official information.
• Personnel security — each entity ensures its employees and contractors are suitable to access Australian Government resources, and meet an appropriate standard of integrity and honesty.
• Physical security — each entity provides a safe and secure physical environment for their people, information and assets.

1.6 A revised PSPF commenced on 1 October 2018 following the Independent Review of Whole-of-Government Internal Regulation (Belcher Review). The revised PSPF outlines 16 core requirements that entities must apply to achieve the four protective security outcomes.¹⁴ The revised PSPF also includes changes to improve clarity and foster a strengthened security culture across government entities to effectively engage with risk.¹⁵ The revised PSPF also has an ‘increased focus on cyber security matters’ to support the achievement of the information security outcome.¹⁶

1.7 Policies 9, 10 and 11 of the revised PSPF reflect the broader cyber security requirements for entities to achieve the information security outcome. Policy 10 of the PSPF outlines the mandatory requirements for entities to safeguard information from common and emerging cyber threats.¹⁷ Policy 9 and Policy 11 define security requirements for mitigating general security risks to ICT systems and information.¹⁸ While the security requirements under Policies 9, 10 and 11 contribute to the mitigation of cyber security incidents, the implementation of the mitigation strategies under Policy 10 has the potential to mitigate the majority of cyber security incidents. As an Australian Government policy, the PSPF applies to non-corporate Commonwealth entities subject to the PGPA Act.¹⁹ Entities are to apply the revised PSPF using a security risk management approach.

Australian Signals Directorate

1.8 In relation to cyber security, ASD developed the Top Four mitigation strategies mandated by PSPF Policy 10 and is responsible for providing better practice guidance and assistance to Australian governments, business, communities and individuals.²⁰ ASD’s role includes providing material, advice and other assistance on matters relating to the security and integrity of information that is processed, stored or communicated by electronic or similar means.²¹ The ACSC is a group within ASD that leads the Australian Government’s efforts to improve national cyber security.²²

1.9 Since February 2017, ASD has outlined a list of 37 prioritised mitigation strategies in its published guidance on Strategies to Mitigate Cyber Security Incidents, designed to help protect entities from cyber threats.²³ ASD has recommended that entities implement eight of these mitigation strategies, known as the Essential Eight, as a cyber security baseline.²⁴ According to ASD, implementation of the Essential Eight baseline as outlined in Table 1.1, will make it more difficult for adversaries to compromise entities’ systems.

Table 1.1: Essential Eight mitigation strategies recommended by ASD

Note a: The April 2020 updates to the Australian Government Information Security Manual included the renaming of ‘application whitelisting’ to ‘application control’ to reflect industry accepted terminology.

Source: Adapted from ASD’s guidance on Essential Eight Explained.

1.10 According to ASD, entities can protect their systems and information from cyber threats through applying the principles of govern, protect, detect and respond. The four principles involve identifying cyber security risks (govern), implementing security controls to reduce risks (protect), detecting cyber security incidents (detect), and responding to and recovering from cyber security incidents (respond). The Australian Government Information Security Manual defines cyber resilience as follows:

Cyber resilience is the ability to adapt to disruptions caused by cyber security incidents while maintaining continuous business operations. This includes the ability to detect, manage and recover from cyber security incidents.²⁵

1.11 The 2019–20 Federal Budget included a measure on Whole-of-Government – Cyber Uplift for Federal Government Systems and for the 2019 Federal Election (Cyber Uplift Program) to strengthen the cyber security of Australian Government networks and mitigate potential cyber threats through enhanced monitoring and response capabilities.²⁶

1.12 The Cyber Uplift Program included the conduct of Essential Eight+ Sprints by ASD, which aimed to baseline and improve the maturity of Australian Government entities’ Essential Eight mitigation strategies. ASD conducted the Essential Eight+ Sprint program between April 2019 and December 2019 in 25 Australian Government entities. ASD applied a standardised data-driven assessment methodology to all 25 Commonwealth entities to consistently assess and rate the entities’ maturity in implementing the Essential Eight mitigation strategies using the Essential Eight Maturity Model (see paragraphs 1.34 and 1.35).

Department of Home Affairs

1.13 With respect to cyber security, the role of Home Affairs is to lead the development of the Australia-wide cyber security policy. It is responsible for cyber security policy coordination and setting the strategic direction of the Australian Government’s cyber security effort. It is also responsible for coordinating the implementation of Australia’s Cyber Security Strategy 2020.²⁷

1.14 Australia’s Cyber Security Strategy 2020 was launched on 6 August 2020. According to the strategy, the Australian Government plans to invest $1.67 billion over 10 years in cyber security, including:

• protecting the critical infrastructure that Australians depend on;
• stronger defences for Australian Government networks and data;
• increased situational awareness and improved sharing of threat information;
• advice for small and medium enterprises to increase their cyber resilience;
• stronger partnerships with industry through the Joint Cyber Security Centre program; and
• improved community understanding of cyber security threats.²⁸

Whole-of-government cyber security oversight committees

1.15 There are four whole-of-government governance committees with responsibilities in overseeing PSPF and cyber security initiatives for the improvement of Australian Government entities’ cyber security posture:

• Government Security Committee;
• Cyber Security Band 3 Inter-Departmental Committee;
• Cyber Security Strategy Delivery Board; and
• Secretaries Board.

Government Security Committee

1.16 The role of the Government Security Committee is to provide oversight of the PSPF. The Government Security Committee is chaired by the Deputy Secretary of AGD, with ASD and Home Affairs as members. The Government Security Committee’s terms of reference set its responsibilities as:

• providing strategic oversight of whole-of-government protective security policy;
• promoting the consistent, efficient and effective application of security policies in Australian Government entities;
• coordinating strategic level policy and operational responses to emerging protective security threats and issues, and;
• providing advice to the Secretaries Board, Secretaries Committee on National Security, Cyber Security Band 3 Inter-Departmental Committee and the Government on significant security matters where appropriate.

1.17 The Government Security Committee oversees reporting to government by AGD on the maturity and capability of entities’ to achieve security outcomes, and issues arising from specific or aggregated risks impacting on government security outcomes.

Cyber Security Band 3 Inter-Departmental Committee

1.18 The role of the Cyber Security Band 3 Inter-Departmental Committee is to improve whole-of-government information sharing and coordination of cyber security issues across the Australian Government, as well as to improve Australia Government’s cyber security capability. The committee’s responsibilities also include providing strategic oversight and guidance on the development, implementation and evaluation of Australia’s Cyber Security Strategy 2020, and monitoring entities’ implementation of whole-of-government cyber security measures. The committee discusses the management of cyber security risks through education, workplace skills and technical considerations. Home Affairs co-chairs this committee with the Department of the Prime Minister and Cabinet. AGD and ASD are members of the committee. The committee may raise significant issues to the Secretaries Committee on National Security or the Secretaries Board where appropriate.

Cyber Security Strategy Delivery Board

1.19 The Cyber Security Strategy Delivery Board was set up following the release of Australia’s Cyber Security Strategy 2020 to drive the implementation of the strategy. Membership of the Cyber Security Strategy Delivery Board comprises Senior Executive Service Band 1 level representatives. Home Affairs chairs the Cyber Security Strategy Delivery Board, with AGD and ASD as members.

Secretaries Board

1.20 The role of the Secretaries Board includes identifying strategic priorities for and considering issues that affect the Australian Public Service. The Secretaries Board also has responsibility for developing and implementing strategies to improve the Australian Public Service. The Secretary of the Department of the Prime Minister and Cabinet chairs the Secretaries Board.²⁹

Cyber security framework

1.21 The key elements of the Australian Government cyber security framework are outlined in:

• PSPF Policy 10: Safeguarding information from cyber threats;
• PSPF Policy 5: Reporting on security (sets out the PSPF maturity self-assessment model);
• Essential Eight Maturity Model;
• Australian Government Information Security Manual;
• Strategies to Mitigate Cyber Security Incidents;
• PSPF Policy 9: Access to information; and
• PSPF Policy 11: Robust ICT systems.

PSPF Policy 10: Safeguarding information from cyber threats

1.22 In April 2013, the Australian Government mandated the implementation of the Top Four of the ASD prioritised mitigation strategies by non-corporate Commonwealth entities under the PSPF. The Top Four mitigation strategies — application whitelisting, patching applications, restricting administrative privileges, patching operating systems — were part of INFOSEC-4, which was one of the mandatory requirements in the previous PSPF under the information security outcome. The previous PSPF INFOSEC-4 set out the requirements for implementing cyber and ICT system security.

1.23 As discussed in paragraph 1.6, there is increased prominence of cyber security matters in the October 2018 revised PSPF. Policy 10 in the revised PSPF replaces the cyber security requirements in the previous INFOSEC-4 policy.³⁰ Policy 10 in the revised PSPF sets out the mandatory requirement for safeguarding information against cyber threats, as shown in Box 1.³¹

Source: Adapted from PSPF Policy 10: Safeguarding information from cyber threats.

1.24 Policy 10 refers to ASD’s Strategies to Mitigate Cyber Security Incidents and explicitly mandates the Top Four mitigation strategies. The Top Four strategies are part of the ASD’s Essential Eight mitigation strategies as outlined in Table 1.1. In addition to the Top Four mitigation strategies, Policy 10 also mandates that entities consider the implementation of the other mitigation strategies from ASD’s Strategies to Mitigate Cyber Security Incidents that are relevant to their operational and risk environment.³² While not mandatory under Policy 10, AGD strongly recommends that entities implement the remaining four strategies that comprise the ASD’s Essential Eight baseline mitigation strategies.

PSPF maturity self-assessment model

1.25 Since 2013, non-corporate Commonwealth entities have been required to undertake an annual self-assessment against the mandatory requirements of the PSPF. Entities report their overall compliance with mandatory requirements to AGD. According to the consolidated PSPF compliance reports published by AGD, INFOSEC-4 had the highest rate of self-assessed non-compliance from 2014–15 to 2017–18 compared to the other mandatory requirements in the previous PSPF. In 2018–19, only 28 per cent of non-corporate Commonwealth entities reported full implementation of the mandatory requirements of PSPF Policy 10.

1.26 From 2018–19, entities are required to report on their security capability using a maturity assessment model instead of a compliance assessment model. PSPF Policy 5: Reporting on security sets out the new maturity self-assessment model for annual PSPF reporting. Under the maturity self-assessment model, entities assess and report on their level of implementation and management of the requirements under the PSPF and the maturity of their security capability. The annual PSPF assessment report is to show the extent to which an entity has:

• achieved the security outcomes for governance, information, personnel and physical security;
• implemented and managed the mandatory and supporting requirements that it must meet to achieve the four protective security outcomes;
• identified the key security risks to its people, information and assets; and
• implemented strategies and timeframes to manage identified and unmitigated risks.

1.27 AGD has developed an online PSPF reporting portal to support the implementation of the new maturity self-assessment model. The PSPF reporting portal allows entities to complete and submit their annual PSPF assessment online, access benchmarking and assessment reports from previous reporting periods.³³ The accountable authority of an entity is responsible for approving the entity’s self-assessment.

1.28 Entities are required to provide their PSPF assessment report to the relevant portfolio Minister and AGD each financial year. The due date of entities’ PSPF assessment report is 31 August each year. Due to the impacts of the COVID-19 pandemic, the submission date for the 2019–20 PSPF assessment report was initially extended to 30 September 2020. Following requests from entities, AGD further extended the submission due date to 15 October 2020.

Assessment of implementation and maturity levels under the PSPF

1.29 The maturity self-assessment model requires entities to assess their security capability and implementation of the requirements in the PSPF policies within the context of their specific risk environment and risk tolerances. To assess the maturity of the implementation of each PSPF policy, entities are to consider their effectiveness in implementing the mandatory and supporting requirements for each policy. Entities assess the effectiveness of their implementation of the PSPF requirements against four different levels — ‘Partial’, ‘Substantial’, ‘Full’ and ‘Excelled’. Descriptions for each implementation level are outlined in Table 1.2.

Table 1.2: Implementation levels of PSPF requirements

Source: Adapted from PSPF Policy 5: Reporting on security.

1.30 Based on entities’ assessment of their implementation of the requirements for each PSPF policy, the PSPF reporting portal calculates and suggests a maturity level for each policy.³⁴ There are four maturity levels under the PSPF maturity self-assessment model — ‘Ad hoc’, ‘Developing’, ‘Managing’ and ‘Embedded’. The description for each PSPF maturity level is outlined in Table 1.3.

Table 1.3: Maturity levels of the PSPF maturity self-assessment model

Source: Adapted from PSPF Policy 5: Reporting on security.

1.31 Entities can confirm the suggested maturity level, or select a higher or lower maturity level for each PSPF policy, to reflect the assessment of their individual risk environment and risk tolerances. Entities must include a rationale to support their selected maturity level for a PSPF policy. If the selected maturity level is different to the suggested maturity level, entities should provide a justification in the rationale.³⁵

1.32 The PSPF specifies that the ‘Managing’ maturity level provides the minimum required level of protection of an entity’s people, information and assets. If an entity’s self-assessed maturity level for a PSPF policy is ‘Ad hoc’ or ‘Developing’, the entity is required to provide information in its assessment regarding the proposed strategies or implementation activities to improve the entity’s maturity level to ‘Managing’. The entity is also required to provide the associated timeframe for each strategy to achieve ‘Managing’ maturity.

1.33 PSPF Policy 10 includes guidance to entities on achieving PSPF maturity level of ‘Managing’. Policy 10 states that:

To achieve a PSPF maturity rating of Managing for each of the four mandatory mitigation strategies from the Strategies to Mitigate Cyber Security Incidents, implement the maturity level three requirements as set out in the Essential Eight Maturity Model.³⁶ [Emphasis in original, the maturity levels are introduced at paragraph 1.29.]

Essential Eight Maturity Model

1.34 The Essential Eight Maturity Model was developed by ASD to provide guidance to entities on how to implement the Essential Eight mitigation strategies (see Table 1.1) in a phased approach and how to self-assess the maturity of their Essential Eight implementation. The Essential Eight Maturity Model was first published in June 2017, with five maturity levels. Changes had been made to the model since its publication. There are three maturity levels in the Essential Eight Maturity Model, as defined in Table 1.4.

Table 1.4: Maturity levels of the Essential Eight Maturity Model (as at October 2020)

Source: Adapted from the ACSC’s Essential Eight Maturity Model.

1.35 The Essential Eight Maturity Model outlines the criteria for entities to achieve a specific maturity level with respect to entities’ implementation of the Essential Eight mitigation strategies. ASD recommends that entities should aim to reach Maturity Level Three for each mitigation strategy as a baseline.

Previous audits and JCPAA inquiries

1.36 Since 2013–14, the Auditor-General has tabled a series of performance audits on Australian Government entities’ cyber security and cyber resilience. Four of the audits examined cyber security and cyber resilience of non-corporate Commonwealth entities. One audit examined Government Business Enterprises and corporate Commonwealth entities.

• Auditor-General Report No.50 2013–14 Cyber Attacks: Securing Agencies’ ICT Systems.
• Auditor-General Report No.37 2015–16 Cyber Resilience.
• Auditor-General Report No.42 2016–17 Cybersecurity Follow-up Audit.
• Auditor-General Report No.53 2017–18 Cyber Resilience.
• Auditor-General Report No.1 2019–20 Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities.

1.37 The five performance audits found that Australian Government entities’ compliance with mandatory requirements of the PSPF was generally low³⁷, and that the regulatory framework had not driven sufficient improvement in entities’ cyber security. Only six of 17 entities examined (35 per cent) were compliant with the mandatory requirements for implementing all the Top Four cyber security risk mitigation strategies. Of these 17 entities, the ANAO also found that only six — the same six entities that were compliant with the Top Four requirements — were cyber resilient.³⁸

1.38 Auditor-General Report No.53 2017–18 Cyber Resilience included a recommendation that the three entities responsible for cyber policy and operational capability (AGD, ASD and Home Affairs) work together to improve compliance with the revised PSPF framework by strengthening: the technical guidance that support entities’ PSPF self-assessment, the processes for verifying the accuracy of entities’ self-assessment, and the transparency and accountability of entities’ compliance with the framework.³⁹

1.39 Auditor-General Report No.38 2019–20 Interim Report on Key Financial Controls of Major Entities included a review of the self-assessed level of compliance with the mandatory requirements of PSPF Policy 10 for 18 non-corporate Commonwealth entities. The review was undertaken to confirm the accuracy of the entities’ reporting and identify cyber security risks that may impact the preparation of the entities’ 2019–20 financial statements. Of the 18 entities reviewed by the ANAO, only one achieved the required PSPF Policy 10 maturity level of ‘Managing’.

1.40 The Joint Committee of Public Accounts and Audit (JCPAA) published Report 467: Cybersecurity Compliance in October 2017. The report followed a JCPAA inquiry based on Auditor-General Report No.42 2016–17 Cybersecurity Follow-up Audit. The JCPAA made two recommendations for the ANAO in Report 467:

• Recommendation 4 — The Committee recommends that the Auditor-General consider conducting an audit of the effectiveness of the self-assessment and reporting regime under the Protected Security Policy Framework;
• Recommendation 6 — The Committee recommends that in future audits on cyber security compliance, the ANAO outline the behaviours and practices it would expect in a cyber resilient entity, and assess against these.⁴⁰

1.41 In February 2020, the JCPAA commenced an inquiry to consider the cyber resilience of government entities and examined two Auditor-General’s reports as part of the inquiry.⁴¹ One of these reports is Auditor-General Report No.1 2019-20 Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities.⁴² The JCPAA concluded its inquiry and published Report 485: Cyber Resilience in December 2020, after fieldwork for this audit was completed.

Rationale for undertaking the audit

1.42 Since 2013, the Australian Government has mandated the implementation of the Top Four mitigation strategies by non-corporate Commonwealth entities under the PSPF. The Australian Government has identified malicious cyber activity as one of the most significant threats affecting government entities, businesses and individuals. Previous ANAO audits have identified low levels of compliance with mandatory cyber security requirements under the PSPF. The JCPAA has expressed its concern about entity implementation of mandatory cyber security requirements.

1.43 This audit seeks to address a recommendation made by the JCPAA in Report 467: Cybersecurity Compliance, for the Auditor-General to consider conducting an audit of the effectiveness of the PSPF self-assessment and reporting requirements for cyber security compliance. The audit also follows up on the recommendation made in Auditor-General Report No.53 2017–18 Cyber Resilience, for the responsible cyber policy and operational entities (AGD, ASD and Home Affairs) to work together to improve entities’ compliance with mandatory cyber security requirements under the PSPF.

Audit approach

1.44 The following nine non-corporate Commonwealth entities were selected for this audit:

• Attorney-General’s Department;
• Australian Signals Directorate;
• Department of Home Affairs;
• Department of the Prime Minister and Cabinet;
• Future Fund Management Agency;
• Australian Trade and Investment Commission (Austrade);
• Department of Education, Skills and Employment;
• Department of Health; and
• IP Australia.

1.45 AGD, the ASD and Home Affairs were included in this audit due to their roles and responsibilities in relation to cyber security policy and operational capability in the Australian Government.

1.46 The remaining entities were included in this audit to provide coverage across each maturity category of ‘Managing’, ‘Developing’ and ‘Ad hoc’.⁴³ The entities selected for the ANAO’s review of cyber security risk mitigation strategies under this audit and their 2018–19 PSPF Policy 10 self-assessed maturity rating are outlined in Table 1.5.

Table 1.5: Selected entities and their 2018–19 PSPF Policy 10 self-assessed maturity rating

Note a: The Attorney-General’s Department informed its accountable authority in June 2020 that an error was identified by the ANAO during fieldwork relating to the Department’s overall rating for Policy 10: Safeguarding information from cyber threats in its 2018–19 PSPF self-assessment. Its overall maturity rating for PSPF Policy 10 was reported as ‘Managing’. This should have been reported as ‘Developing’.

Note b: The ANAO had selected the Department of Education, Skills and Employment based on the 2018–19 PSPF self-assessment of the former Department of Education. An Administrative Arrangements Order made on 5 December 2019 consolidated the former Department of Education and the former Department of Employment, Skills, Small and Family Business to create the current Department of Education, Skills and Employment (DESE) with effect from 1 February 2020.

Source: Reported 2018–19 PSPF Policy 10 maturity rating for selected entities.

Audit objective, criteria and scope

1.47 The objective of the audit was to assess the effectiveness of cyber security risk mitigation strategies implemented by selected non-corporate Commonwealth entities to meet mandatory requirements under the PSPF, and the support provided by the responsible cyber policy and operational entities.

1.48 To form a conclusion against the audit objective, the ANAO adopted the following two high-level criteria:

• Have the selected entities fully implemented the Top Four cyber security risk mitigation strategies or otherwise adopted strategies and actions to progress towards full implementation?
• Have the entities responsible for cyber policy and operational capability worked together to support accurate self-assessment and reporting by non-corporate Commonwealth entities, and to improve those entities’ implementation of cyber security requirements under the PSPF?

1.49 The audit scope included the maturity self-assessments, the strategies, plans and activities adopted by selected entities that have not fully implemented mandatory requirements, and the implementation of recommendation made to the three cyber policy and operational entities (AGD, ASD and Home Affairs) in Auditor-General Report No.53 2017–18 Cyber Resilience.

1.50 The audit did not examine whether the selected entities met the supporting requirement of PSPF Policy 10, which requires entities to avoid exposing the public to unnecessary cyber security risks when they transact with government entities online. The audit also did not examine entities’ implementation of the mandatory requirements under PSPF Policy 9 and Policy 11, which relate to appropriate access to official information and secure operation of ICT systems respectively.

1.51 Previous ANAO reports on cyber security included assessments of entities against a list of behaviours and practices developed by the ANAO that may assist entities in building a strong culture of cyber resilience.⁴⁴ The October 2018 revised PSPF requires accountable authorities to ensure that entity personnel and contractors are aware of their collective responsibility to foster a positive security culture.⁴⁵ PSPF Policy 2 outlines ten characteristics of a positive security culture, including recommendations that entities establish appropriate metrics to measure the security culture maturity. The ANAO noted that the selected entities were in the process of establishing these metrics at the time of audit fieldwork. The audit did not assess security culture given the recent updates and maturity of metrics.

1.52 In December 2020, the JCPAA published Report 485: Cyber Resilience and recommended that a dedicated section be created within the annual PSPF self-assessment questionnaire addressing the 13 behaviours and practices of a strong cyber resilience culture assessed in Auditor-General Report No.1 2019–20 Cyber Resilience of Government Business Enterprises and Corporate Commonwealth Entities.⁴⁶ The JCPAA also recommended that the ANAO consider conducting an annual limited assurance review into the cyber resilience of Commonwealth entities, which would assess entities against the 13 behaviours and practices.⁴⁷ The ANAO will consider the JCPAA’s recommendation in the development of its future audit work plan.

Audit methodology

1.53 In undertaking the audit, the ANAO:

• reviewed the selected entities’ 2018–19 and 2019–20 PSPSF self-assessments for Policy 10: Safeguarding information from cyber threats;
• reviewed PSPF Policy 5: Reporting on security;
• assessed the security controls in selected systems of entities that have self-assessed as having fully implemented any of the Top Four mitigation strategies to verify the accuracy of their 2018–19 PSPF self-assessment. The ANAO also assessed whether these entities were cyber resilient based on the ACSC’s prescribed strategies relating to detecting and responding to cyber security incidents;
• examined documentation collected from the selected entities relating to their cyber security strategies and activities, including: security risk assessments undertaken, project plans for cyber security improvement programs established, and records of minutes for any governance forums established for cyber security;
• interviewed relevant staff from the selected entities regarding their approaches in mitigating cyber security risks; and
• reviewed the guidance and processes developed by, and interviewed relevant staff from, the cyber policy entities to examine the approaches adopted to support accurate PSPF self-assessment and reporting.

1.54 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of $639,385.

1.55 Team members for this audit were Esther Barnes, Edwin Apoderado, David Willis, Jason Ralston, Carissa Chen, Kelvin Le, Lesa Craswell and Mark Rodrigues.

3.1 Auditor-General Report No.53 2017–18 Cyber Resilience identified that the implementation of the previous Protective Security Policy Framework by non-corporate Commonwealth entities was not achieving compliance with cyber security requirements. The report recommended that the three Australian Government entities with responsibilities for cyber security policy and operational capability — AGD, ASD and Home Affairs — work together to improve non-corporate Commonwealth entities’ compliance with the framework.⁶⁷ It was recommended that the following areas be strengthened:

• technical guidance to support entities’ PSPF self-assessment of their compliance with the mandatory Top Four mitigation strategies;
• processes for verifying the accuracy of entities’ PSPF self-assessment of their compliance with the mandatory cyber security requirements; and
• transparency and accountability of entities’ compliance with the mandatory cyber security requirements.

3.2 AGD agreed to work with the other two cyber policy entities to strengthen guidance and improve transparency and accountability, and agreed in principle to the development of a verification program for the PSPF self-assessments. ASD agreed to the recommendation, noting that it is neither a regulatory body nor a compliance reporting agency. Home Affairs agreed to the recommendation stating that it would continue to work with AGD and ASD to strengthen the cyber security standard of Australian Government networks in its cyber security policy and coordination role.

3.3 This chapter follows up on the recommendation made in the 2017–18 Auditor-General Report by examining whether AGD, ASD and Home Affairs have worked together to strengthen the three recommended areas to help improve non-corporate Commonwealth entities’ implementation of the mandatory cyber security requirements under the revised PSPF.

Is there adequate technical guidance to support entities to accurately self-assess against the Essential Eight mitigation strategies and their underlying controls in the Australian Government Information Security Manual?

3.4 Auditor-General Report No.53 2017–18 Cyber Resilience identified that there was a lack of guidance under the previous compliance-based PSPF assessment model for entities to self-assess and report against their compliance with the Top Four cyber security risk mitigation strategies:

• The non-corporate Commonwealth entities examined in that audit did not have access to comprehensive guidance or supporting tools in conducting their PSPF self-assessments. There was no common control assessment methodology or a grading scheme to help entities to accurately assess the effectiveness of the security controls implemented for the Top Four mitigation strategies. The rating of either compliant or non-compliant under the previous PSPF was limited, and may not accurately reflect the adequacy of an entity’s implementation of the Top Four mitigation strategies or the operating effectiveness of the associated security controls.
• In assessing the implementation of the Essential Eight mitigation strategies, there was inconsistent alignment between the criteria used for attaining baseline maturity level under the previous Essential Eight Maturity Model and the criteria for achieving the minimum requirements under the previous Australian Government Information Security Manual (ISM). The previous Essential Eight Maturity Model did not provide a way for entities to accurately self-assess their Top Four compliance.

3.5 The report recommended that the three cyber policy and operational entities work together to provide adequate technical guidance to support entities to accurately self-assess against the Top Four mitigation strategies and the underlying security controls within the Australian Government Information Security Manual (Recommendation 2(a)). All three entities agreed to the recommendation.

3.6 AGD reported to its audit and risk management committee in December 2020 that it had completed its implementation of Recommendation 2(a) of the 2017–18 audit through the 1 October 2018 PSPF reforms that more clearly articulate the Policy 10 requirements and how they link to the underlying controls contained in the Australian Government Information Security Manual.⁶⁸ ASD reported to its audit and risk committee that it has implemented Recommendation 2(a) of the 2017–18 Auditor-General Report audit with respect to the provision of supporting technical guidance to entities.

3.7 To follow up on the recommendation made in the 2017–18 report, the ANAO examined the guidance provided by AGD, ASD and Home Affairs under the revised PSPF maturity assessment model to determine whether the guidance adequately supports entities’ self-assessment of their implementation of the PSPF Policy 10 requirements and determination of their PSPF Policy 10 maturity level. The ANAO’s examination encompassed a review of guidance provided in PSPF information sessions and reporting forums, and guidance on the PSPF implementation levels, PSPF maturity models and Essential Eight Maturity Model.

Supporting guidance provided by AGD and ASD

3.8 As noted at paragraphs 1.26 to 1.27, a major change in the 2018 reforms to the PSPF was a shift from a compliance-based to a maturity-based reporting approach. The 2018 PSPF reforms also updated the policy on cyber security to more clearly set out the requirements for safeguarding information from cyber threats. Policy 10 in the revised PSPF articulates the cyber security requirements under the framework and provides guidance on how entities can safeguard information from cyber threats.

PSPF information sessions, reporting forums and supporting activities

3.9 Following the finalisation of the 2018 PSPF reforms, AGD held five information sessions in various Australian capital cities with non-corporate Commonwealth entities to assist entities to understand the new PSPF maturity self-assessment model.⁶⁹ The information sessions provided entities with the opportunity to seek specific guidance on self-assessing their security maturity and completing their annual PSPF assessment report using the new PSPF reporting portal.

3.10 Other activities conducted by AGD to promote awareness of the new PSPF maturity self-assessment model include: convening the Chief Security Officer forums; developing a new PSPF website and PSPF factsheets; and responding to entities’ queries on implementation and self-assessment via the PSPF hotline and website form. ASD also presented at the information sessions and forums on issues relating to cyber security and the implementation of the Essential Eight mitigation strategies.

3.11 AGD intends to conduct PSPF assessment reporting forums biannually. The earlier forum is to prepare entities for the PSPF reporting period while the latter forum provides entities with a snapshot of areas requiring heightened attention. The 2019–20 PSPF assessment reporting forum was held on 18 June 2020. ASD also presented at the forum to provide a briefing on cyber security and areas for future focus.

Implementation levels of PSPF Policy 10 requirements

AGD guidance

3.12 In undertaking their annual assessment on PSPF Policy 10, entities are required to assess the effectiveness of their implementation of the cyber security risk mitigation strategies. Entities assess the effectiveness of their implementation of the mitigation strategies against four grading levels — ‘Partial, ‘Substantial’, ‘Full’ and ‘Excelled’ — as outlined in Table 1.2. The descriptions of the four implementation levels are provided in PSPF Policy 5: Reporting on security⁷⁰ and within the Policy 10 assessment module in the PSPF reporting portal.

3.13 The four grading levels under the maturity assessment model represent an improvement from the binary compliant or non-compliant rating under the previous compliance assessment model. Under the compliance assessment model, entities reported their overall compliance with the previous INFOSEC-4 requirements instead of their compliance with the individual Top Four mitigation strategies. The revised implementation levels enable entities to better reflect the effectiveness of their implementation of the various cyber security risk mitigation strategies.

3.14 As part of the 2018 PSPF reforms, an online PSPF reporting portal was developed to provide an improved mechanism for entities to report on the maturity of their security capability. The portal guides entities through a series of questions and prompts for additional information where relevant. For the 2019–20 reporting period, Policy 10 of the PSPF assessment requires entities to respond to a set of 11 questions. Appendix 3 lists the set of questions for Policy 10.

• The first four questions relate to the extent of the entity’s implementation of the mandatory Top Four mitigation strategies.
• Another four questions relate to the extent of the entity’s implementation of the four non-mandatory strategies of the Essential Eight mitigation strategies.
• One of the questions addresses the supporting requirement of PSPF Policy 10 regarding whether the entity has measures in place to protect the public from cyber security risk when they transact online with the government. Entities have the choice to select the ‘Not Applicable’ option if this question does not apply to them.
• The final two questions relate to the implementation of the remaining 29 of the 37 ASD prioritised mitigation strategies. Entities are required to assess the extent of their consideration of the implementation of these remaining mitigation strategies and detail the strategies the entity has implemented.

3.15 Within the reporting portal, all 11 questions for Policy 10 have ‘tooltips’ (guidance) to help entities in their self-assessment. The tooltip guidance for each question refers entities to relevant sections of PSPF Policy 10 and the ASD’s publication on Strategies to Mitigate Cyber Security Incidents.

ASD guidance

3.16 PSPF Policy 10 includes guidance to support entities in implementing cyber security risk mitigation strategies prescribed by ASD. The guidance within Policy 10 cross-references to the following ASD cyber security publications:

• Strategies to Mitigate Cyber Security Incidents — provides guidance on the 37 prioritised strategies developed to mitigate cyber security incidents including suggested implementation order for the mitigation strategies;
• Essential Eight Maturity Model — provides guidance on how to implement the Essential Eight mitigation strategies in a phased approach and how to self-assess the maturity level of the implementation;
• Australian Government Information Security Manual — outlines a cyber security framework that entities can apply, using their risk management framework, to protect their systems and information from cyber threats;
• Essential Eight to ISM Mapping — outlines the minimum security controls within the ISM that entities must implement to meet the intent of the Essential Eight mitigation strategies;
• Implementing Application Control — provides guidance on what application control is and how to implement application control;
• Assessing Security Vulnerabilities and Applying Patches — provides guidance on assessing security vulnerabilities to determine the risk to entities if patches are not applied in a timely manner;
• Restricting Administrative Privileges — provides guidance on how to effectively restrict administrative privileges; and
• Strategies to Mitigate Cyber Security Incidents – Mitigation Details — a guidance document that complements the Strategies to Mitigate Cyber Security Incidents publication. This guidance provides an overview of the threats of various cyber security incidents and outlines implementation guidance for the mitigation strategies.

3.17 In addition to the above guidance, the ASD’s Australian Cyber Security Centre (ACSC) website contains additional cyber security advice and publications. The ACSC also provides advice to entities via the Cyber Security Hotline and the ACSC Partnership Program.⁷¹

3.18 The tooltip guidance in AGD’s PSPF reporting portal specifically states that entities are to ensure that they are meeting ‘Maturity Level Three’ requirements of the Essential Eight Maturity Model in order to self-assess as having fully implemented the requirements for each of the Top Four mitigation strategies.

PSPF maturity assessment model and the Essential Eight Maturity Model

Maturity levels of PSPF Policy 10

3.19 PSPF Policy 10 also includes guidance on how to achieve PSPF maturity with implementation of the ASD’s mitigation strategies. Under the PSPF maturity self-assessment model, entities assess their security capability against four levels of maturity. Each PSPF policy has maturity level indicators that are tailored to the specific policy. The descriptions and indicators for each maturity level of PSPF Policy 10 are outlined in Table 3.1.

Table 3.1: PSPF maturity levels – Policy 10: Safeguarding information from cyber threats

Note a: The maturity level indicators for PSPF Policy 10 were updated for the 2019–20 reporting period to include the November 2019 changes made to the mandatory requirement for entities to consider all of the mitigation strategies in ASD’s Strategies to Mitigate Cyber Security Incidents.

Source: Adapted from Table 2: PSPF Maturity Self-Assessment Model – Information Security within Annex A of Policy 5: Reporting on security.

3.20 The maturity level descriptions and maturity level indicators show alignment between the four maturity levels and the four implementation levels under the PSPF with ‘Managing’ maturity corresponding with ‘Full’ implementation.

3.21 The PSPF specifies that the ‘Managing’ maturity level provides the minimum required level of protection of an entity’s people, information and assets. PSPF Policy 10 states that to achieve the ‘Managing’ maturity level for the implementation of each of the Top Four mitigation strategies, entities are to implement the ‘Maturity Level Three’ requirements of the Essential Eight Maturity Model. This further indicates that the PSPF maturity level of ‘Managing’ is equivalent to ‘Maturity Level Three’ in the Essential Eight Maturity Model.

3.22 The PSPF reporting portal calculates and suggests a maturity level for Policy 10 based on entities’ responses on the level of their implementation of the mandatory Top Four mitigation strategies and consideration of the remaining mitigation strategies in ASD’s Strategies to Mitigate Cyber Security Incidents.⁷² Guidance in the portal specifies that entities’ responses to the questions on their implementation of the four non-mandatory Essential Eight strategies are not included in the maturity level calculation for Policy 10. Of the six selected entities in Chapter 2 that had self-assessed a PSPF maturity level of ‘Ad hoc’ or ‘Developing’, all but one had detailed proposed strategies that were beyond the Top Four for improving its Policy 10 maturity level. This was despite the exclusion of the non-mandatory Essential Eight mitigation strategies from Policy 10 maturity calculation.

3.23 The section for Policy 10 on the ‘Strategies and timeframes to improve your maturity level’ does not specify whether entities should provide details on proposed strategies for the Top Four only. The section could be interpreted as requiring entities to provide details on all the Essential Eight mitigation strategies they have in place for improving their PSPF Policy 10 maturity. This is incongruent with the calculation of the PSPF Policy 10 maturity level in the portal whereby the entities’ implementation of the four non-mandatory Essential Eight strategies does not contribute to the entity’s Policy 10 maturity.

Maturity levels of the ASD’s Essential Eight Maturity Model

3.24 As discussed in paragraph 3.21, the PSPF refers to ‘Maturity Level Three’ of the ASD’s Essential Eight Maturity Model in advising entities on how to achieve the baseline ‘Managing’ maturity level for PSPF Policy 10. As at October 2020, there are three maturity levels in the Essential Eight Maturity Model — ‘Maturity Level One’, ‘Maturity Level Two’ and ‘Maturity Level Three’ — as outlined in Table 1.4.

3.25 The Essential Eight Maturity Model outlines the minimum criteria that entities have to meet in their implementation of the Essential Eight mitigation strategies for reaching the three maturity levels. ASD recommends that entities should aim to reach Maturity Level Three for each mitigation strategy as a baseline.

3.26 The Essential Eight Maturity Model was first published in June 2017 with five maturity levels, defined as follows:

• Maturity Level Zero — Not aligned with the intent of the mitigation strategy;
• Maturity Level One — Partly aligned with the intent of the mitigation strategy;
• Maturity Level Two — Mostly aligned with the intent of the mitigation strategy;
• Maturity Level Three — Fully aligned with the intent of the mitigation strategy; and
• Maturity Level Four — For higher risk environments.

3.27 ASD removed ‘Maturity Level Zero’ and ‘Maturity Level Four’ from the model in February 2019. ASD informed the ANAO that the removal of the two maturity levels was to simplify and improve the focus of the maturity assessment model.⁷³ ASD removed ‘Maturity Level Four’ on the basis that it did not follow the escalating pattern of maturity assessment reflected in the other maturity levels. ‘Maturity Level Four’ was also removed so that the maturity model has a greater emphasis on achieving alignment with the intent of the Essential Eight mitigation strategies.

3.28 As discussed in paragraph 3.4, Auditor-General Report No.53 2017–18 Cyber Resilience identified misalignment between the previous Essential Eight Maturity Model and the ISM. In November 2018, ASD addressed the inconsistent alignment through a rewrite of the ISM with the inclusion of new security controls and an update of the language in the Essential Eight Maturity Model. ASD also developed a guidance document on Essential Eight to ISM Mapping, which was initially released in January 2019 with subsequent updates made to reflect relevant changes in the ISM.⁷⁴

3.29 The Essential Eight to ISM Mapping guidance document outlines the minimum security controls within the ISM that entities must implement to achieve Maturity Level Three for meeting the intent of the Essential Eight mitigation strategies. It clarifies the criteria for meeting the baseline requirements of the Essential Eight Maturity Model when implementing the Essential Eight mitigation strategies. It also aligns the criteria with the minimum requirements in the ISM.

Alignment between the PSPF maturity assessment model and Essential Eight Maturity Model

3.30 The PSPF Policy 10 guidance (May 2020 version) clearly sets out that entities are to implement the requirements for ‘Maturity Level Three’ of the Essential Eight Maturity Model for them to self-assess as having fully implemented a mitigation strategy and achieved a corresponding PSPF maturity level of ‘Managing’. However, the guidance does not clearly outline the alignment for the remaining maturity levels of the PSPF maturity assessment model and the Essential Eight Maturity Model. The availability of guidance that more clearly articulates the correlation of the two models will better support entities in assessing the implementation requirements of the mitigation strategies across the different maturity levels.

3.31 The ANAO identified that AGD and ASD have different interpretations of the maturity level mapping between the PSPF maturity assessment model and the Essential Eight Maturity Model. In responding to a question asked in the 2019–20 PSPF assessment reporting forum held in June 2020 in relation to the mapping between the two models, AGD indicated that Maturity Levels One, Two and Three generally correspond to ‘Ad hoc’, ‘Developing’ and ‘Managing’ maturity levels or ‘Partial’, ‘Substantial’ and ‘Full’ implementation levels respectively. In the ANAO’s discussion with ASD during the audit, ASD informed that its understanding of the PSPF maturity levels is:

The maturity levels of ‘ad hoc’ and ‘developing’ are an indication of the degree of implementation of Maturity Level 3 requirements — not whether an entity is either Maturity Level 1 or Maturity Level 2…

3.32 The ANAO’s review of the maturity level descriptions and indicators identified that there is an inherent alignment between the two models despite it not being clearly set out in the guidance. The ANAO also identified that there is an apparent misalignment between the PSPF maturity assessment model and the Essential Eight Maturity Model, which is the different grading levels within the two models. While there are four maturity levels under the PSPF maturity assessment model, the current ASD’s Essential Eight Maturity Model only has three maturity levels. There is no equivalent Essential Eight maturity level for the highest PSPF maturity level of ‘Embedded’. ANAO analysis of the alignment between the PSPF maturity assessment model and the Essential Eight Maturity Model is depicted in Figure 3.1.

Figure 3.1: AGD mapping of the PSPF maturity assessment model to the Essential Eight Maturity Model

Source: ANAO analysis of the guidance for PSPF Policy 10 and the Essential Eight Maturity Model.

3.33 PSPF Policy 10 guidance does not elaborate on what an ‘Excelled’ level of implementation entails for entities to achieve an ‘Embedded’ PSPF maturity level. There is no guidance on the Essential Eight Maturity Model criteria entities have to meet to reach ‘Embedded’ maturity. This misalignment between the two maturity models and the lack of technical guidance reduces clarity for entities on how an ‘Embedded’ maturity level could be achieved.⁷⁵

3.34 As discussed in paragraphs 1.35 and 3.25, ASD recommends that entities should aim to reach ‘Maturity Level Three’ for each of the eight mitigation strategies as a baseline. The existence of a maturity level as a baseline implies that there is a higher maturity level that should be attained. However, ‘Maturity Level Three’ is also the highest maturity level under the current Essential Eight Maturity Model.

3.35 Regular meetings between ASD and AGD on cyber security reporting included discussions on the misalignment of the maturity models. As at December 2020, ASD and AGD had not resolved the misalignment between the PSPF maturity assessment model and the Essential Eight Maturity Model.

3.36 Following the completion of the Essential Eight+ Sprint Program, ASD commenced a review of the current Essential Eight Maturity Model to ensure that it remains ‘contemporary, contestable and actionable’. In October 2020, ASD shared a consultation draft of the revised Essential Eight Maturity Model with Information Technology Security Advisers, Chief Information Officers and Chief Information Security Officers from federal, state and territory governments, as well as key industry partners from various sectors, to seek feedback on its proposed update to the Essential Eight Maturity Model. As at early December 2020, the proposed update to the Essential Eight Maturity Model was yet to be finalised.

Other issues relating to the guidance

3.39 As discussed in paragraph 3.22, an entity’s PSPF maturity level for Policy 10 is calculated by the reporting portal based on the responses provided to some of the questions for Policy 10. The guidance in the portal specifies that the responses to four of the 11 questions for Policy 10, which relate to the implementation level of the four non-mandatory Essential Eight mitigation strategies, are not included in the maturity calculation for Policy 10.

3.40 While the reporting portal states what is excluded from the Policy 10 maturity calculation, the methodology for the maturity calculation has not been adequately explained in other PSPF guidance.⁷⁶ There is merit in clarifying the guidance on the scope of the maturity calculation for PSPF Policy 10 to enable entities to more accurately consider the system-suggested maturity level and determine the entity’s Policy 10 maturity level.

3.41 Following the November 2019 amendment made to the PSPF Policy 10 mandatory requirements (see Box 1 and paragraph 1.24), Policy 10 of the 2019–20 PSPF assessment has included questions on entities’ consideration of the relevant strategies from the remaining ASD’s prioritised mitigation strategies that the entity needed to implement (see Appendix 3, Questions 10.10 and 10.11). The tooltip guidance for Question 10.10 states that entities are required to advise which of the remaining 29 mitigation strategies they have implemented.

3.42 AGD informed the ANAO that the intention of this question is for entities to assess the mandatory requirement in relation to the level — ‘Partial’, ‘Substantial’, ‘Full’ or ‘Excelled’ — to which the entity has considered each of the remaining strategies. The purpose of this mandatory requirement is for entities to make an assessment based on the entity’s risk environment and business operations to determine if it needs to implement any of the remaining ASD’s mitigation strategies. Entities are then required to detail which of the remaining 29 strategies they have implemented in a free-text box in Question 10.11.

3.43 Question 10.10 requires entities to assess the level of their consideration of the implementation of the mitigation strategies. This is in contrast to the other Policy 10 questions that require entities to assess the level of their implementation of the mitigation strategies. Assessment of an entity’s level of consideration involves subjective judgment. There is a lack of guidance on how entities are to assess and grade Question 10.10, which could lead to misinterpretations of the question. Further, it is unclear how the level to which entities have considered the implementation of cyber security risk mitigation strategies would contribute to their actual cyber security maturity level.⁷⁷

3.44 During the course of this audit, the ANAO sought the views of the selected entities under this audit regarding the supporting guidance available for their PSPF Policy 10 self-assessment. Appendix 4 outlines some of the views expressed by the selected entities.

3.47 Home Affairs informed the ANAO that it does not play a role in developing guidance to assist entities in cyber security self-assessments and reporting under the PSPF. In its cyber security policy coordination role, Home Affairs was involved in the development of the revised PSPF Policy 10. Home Affairs provided strategic advice to AGD and ASD to ensure that the PSPF and ISM are consistent with national cyber security policy and are mutually supportive of improved cyber security standards across the Australian Government.

Have the cyber policy and operational entities developed processes to verify the accuracy of entities’ self-assessed reporting?

3.48 In light of the continued low level of compliance with the Top Four mitigation strategies, Auditor-General Report No.53 2017–18 Cyber Resilience recommended that the three cyber policy and operational entities work together to develop a program under the revised PSPF to verify the accuracy of entities’ self-assessment of their compliance with the mandatory mitigation strategies (Recommendation 2(b)). ASD and Home Affairs both agreed to the ANAO’s recommendation. In agreeing to the recommendation, ASD noted that it is neither a regulatory body nor a compliance reporting agency for cyber security.

3.49 AGD agreed in principle to the recommendation in the 2017–18 report regarding the verification program. AGD stated that while the revised PSPF would assist with verification by requiring supporting evidence from entities to provide greater assurance on the accuracy of their self-assessment, the development of a verification program is a matter for ASD.

3.50 AGD reported to its audit and risk management committee in December 2020 that it had completed its implementation of Recommendation 2(b) of the 2017–18 Auditor-General Report by introducing reforms to the PSPF and the revised PSPF maturity self-assessment model. ASD reported to its audit and risk committee that it has implemented Recommendation 2(b) from Auditor-General Report No.53 2017–18 Cyber Resilience through the conduct of the ACSC Cyber Security Survey and the Cyber Uplift Program.

3.51 To follow up on the recommendation, the ANAO examined in this audit the processes developed by AGD, ASD and Home Affairs to gain assurance on the accuracy of entities’ PSPF self-assessments and reporting.

AGD assurance activities

3.52 During the course of this audit, AGD reiterated its response to the 2017–18 Auditor-General Report that it does not have the technical capability to verify the accuracy of entities’ Essential Eight assessment and considered the development of any such verification program to be a matter for ASD. AGD informed the ANAO that it also does not undertake any technical verification for entities’ assessments of other PSPF policies. AGD informed the ANAO that it will engage with entities to provide advice on policy implementation and facilitate access to subject matter experts. AGD noted that it does not have a regulatory role in relation to the PSPF⁷⁸; its function is to ensure that the PSPF policy is appropriate and entities are supported to implement the policy and self-assess their maturity level to meet reporting obligations under the framework.

Reviews and analysis of PSPF assessment reports

3.53 While AGD does not verify the accuracy of entities’ PSPF self-assessments, AGD reviews and analyses the PSPF assessment reports submitted by entities. AGD does not have a framework that it uses to guide the analysis.

3.54 AGD informed the ANAO that it reviews entities’ responses in the submitted reports to ensure that they have captured all required information before it accepts the reports as final. AGD then considers the responses provided in each PSPF assessment module to ensure that the rationale provided justifies the maturity level selected by the entities. Where an entity has selected an ‘Ad hoc’ or a ‘Developing’ maturity level, AGD will review the information provided in the ‘Strategies’ and ‘Timeframes’ text boxes to ensure that there is sufficient information for AGD to understand how the entity will improve its maturity level for the applicable PSPF policy.

3.55 Where further information and evidence is required, AGD informed the ANAO that it has an internal procedure to return the assessment report to the entity with comments for the entity to address before it resubmits the report. In 2018–19, AGD made 78 requests for entities to re-submit their self-assessments with additional information.⁷⁹ In 2019–20, AGD made 45 requests for additional information.⁸⁰

3.56 AGD analyses the results from all the PSPF assessment reports and the qualitative data within to determine the overall protective security posture of the Australian Government and the broader implications. AGD found that irrespective of entities’ risk environments and maturity levels, entities in 2018–19 were most concerned about the risk of a cyber-attack. Of the 2018–19 PSPF assessment reports for Policy 10 AGD identified that for those entities with maturity levels of ‘Ad hoc’ and ‘Developing’, the following were the key challenges faced by the entities with respect to their implementation of the required level of maturity:

• limited allocation of funding or staff to achieve the implementation of the Top Four mitigation strategies;
• low capability;
• reliance on outsourced service providers for information communications technology (ICT) and cyber security services, whereby entities had limited influence or control over the implementation of the mitigation strategies;
• lack of prioritisation to implement the Top Four, whereby entities often targeted mitigation strategies that were easier to implement;
• lack of comprehensive understanding of the implementation requirements of the Top Four mitigation strategies;
• lack of understanding of how the implementation level of the mitigation strategies relates to the entity’s risk environment;
• reliance on legacy and unsupported systems; and
• the significant investment required to achieve full implementation of the Top Four mitigation strategies.

3.57 As at February 2021, AGD’s analysis of entities’ PSPF self-assessments for 2019–20 was ongoing.

Sharing of PSPF and ACSC survey results

3.58 AGD shares the cyber security related PSPF self-assessment results with ASD. The 2018–19 PSPF Policy 10 self-assessment results were shared with ASD and contributed to the inaugural report to the Parliament in April 2020 on Australian Government entities’ cyber security posture (see paragraph 3.89). This report on Government entities’ cyber security posture was also informed by the 2019 ACSC Cyber Security Survey conducted by the ACSC.⁸¹

3.59 In August 2020, ASD shared all the raw data from its 2019 ACSC Cyber Security Survey with AGD.⁸² The sharing of the survey data was for the purpose of enabling AGD and ASD to compare the PSPF assessment results with the ACSC survey findings. ASD informed the ANAO that it had used the information in the 2017–18 PSPF assessment results provided by AGD to inform its December 2018 correspondence to those entities that had reported non-compliance to offer cyber security assistance. ASD had also used the PSPF assessment results shared by AGD to inform the selection of entities for its Essential Eight+ Sprint Program (see paragraph 1.12).

3.60 Comparison of the survey results can potentially assist AGD in obtaining assurance on the accuracy of the self-assessments. AGD has not used the data to inform assurance activities on the self-assessed maturity ratings.

Assistance for entities with PSPF Policy 10 maturity rating of ‘Ad hoc’

3.61 AGD and ASD have met regularly since August 2019 to discuss the PSPF self-assessment and ACSC cyber security surveys. The key purpose of these meetings is to identify ways to streamline the PSPF and ACSC surveys to reduce duplication.⁸³ Minutes from the meetings indicate that AGD and ASD discuss the results of the PSPF assessment and ACSC Cyber Security Survey, but do not record any actions taken following the meetings.

3.62 In the May 2020 meeting, AGD raised the possibility of ASD being involved in follow-up activities from the PSPF assessment report. The coordinated approach involved AGD offering assistance to entities that have self-assessed as having an ‘Ad hoc’ maturity for PSPF Policy 10 to provide them with advice and support in implementing the PSPF policy. AGD requested ASD be involved in offering technical cyber security assistance to those entities to improve their cyber security posture. ASD agreed to provide assistance to those entities with an ‘Ad hoc’ maturity rating.

3.63 A plan has not been developed for the coordinated approach to offer AGD’s policy assistance and ASD’s technical support on cyber security. While this approach could potentially assist entities in improving their implementation of cyber security requirements, the assistance may not be appropriately targeted at those entities that inaccurately overstate their maturity level.

Moderation of self-assessments

3.64 At the time of this audit, AGD informed the ANAO that it was considering appropriate processes that could provide assurance on the quality of entities’ self-assessments. The assurance activities considered include peer reviews and a validation model that would provide entities with a list of the typical underlying evidence that would need to be in place to support the self-assessments made.⁸⁴

3.65 In the Government Security Committee⁸⁵ meeting held on 20 May 2020, the committee noted that there was low maturity assessed for cyber security under Policy 10. It was also noted that there was variation across entities in relation to the information provided, including the level of detail on individual risk environments in the 2018–19 PSPF reporting. As a result, it was agreed that AGD will further explore options to strengthen the PSPF maturity self-assessment model, including consideration of the New Zealand self-assessment moderation model.⁸⁶ AGD was to return to a future Government Security Committee meeting to discuss proposed improvements to the PSPF self-assessments and appropriate assurance activities for the self-reported data. AGD informed the ANAO in November 2020 that it was still considering a moderation model for the annual PSPF self-assessment data. AGD has not returned to the Government Security Committee to discuss the moderation of self-assessments. AGD also informed the ANAO that work will be progressed following analysis and comparison of data from the 2019–20 PSPF self-assessment report and the 2020 ACSC Cyber Security Survey.

ASD assurance activities

3.69 ASD informed the ANAO that while it has the responsibility and expertise to undertake technical assessments of entities’ cyber security capability, it is not responsible for verifying the accuracy of entities’ PSPF Policy 10 self-assessments. As part of its delivery of the Cyber Uplift Program (see paragraph 1.11), ASD has developed the Cyber Toolbox and Host-Based Sensor initiatives to assist entities in improving their cyber security posture. The Cyber Toolbox and Host-Based Sensors are software tools developed to support entities in performing more accurate self-assessments of their Essential Eight implementation. These tools provide technical reporting through automated sensors and other technical means, which ASD believes may assist in verifying the accuracy of entities’ self-assessments in the long term.

Cyber Toolbox

3.70 The Cyber Toolbox, is a collection of software tools and processes, to help Government entities understand their Essential Eight maturity to enable them to perform more objective self-assessments to improve their cyber security posture going forward. The Cyber Toolbox is aimed at initially helping Government entities in self-assessing their current cyber security posture and subsequently providing tailored advice to entities to make iterative improvements.

3.71 In April 2020, ASD released the first two tools — the Essential Eight Maturity Verification Tool and the Application Control Verification Tool — to six pilot entities (as at September 2020) for testing. ASD informed the ANAO that the pilot entities were able to continue using the tools after the pilot. The Essential Eight Maturity Verification Tool and the Application Control Verification Tool are outlined in Table 3.2.

Table 3.2: Initial assessment tools from the Cyber Toolbox

Source: ANAO representation of information provided by ASD.

3.72 After the pilot was been completed, ASD released the E8MVT and ACVT for the use of Government entities. ASD also informed the ANAO that more tools are being developed as part of the Cyber Toolbox; however, they are not yet ready for release.

Host-Based Sensor program

3.73 The Cyber Uplift Program included the piloting of a Host-Based Sensor initiative with two Australian Government entities, deploying end-point sensors across the two entities. The Host-Based Sensor pilot program monitored the entities’ networks for signs of cyber intrusion. ASD completed the pilot in December 2019 and has rolled out the Host-Based Sensor program to other Government entities. As at September 2020, six Government entities were participating in the Host-Based Sensor program. At the same time, there were another 44 entities at different stages of engagement with ASD to participate in the Host-Based Sensor program.

3.74 The Host-Based Sensor program involves ASD deploying host-based monitoring software (known as sensors) to the network devices (known as hosts) of participating Government entities to detect intrusion and investigate, respond to and generate intelligence on cyber threats. The sensors are defensive software tools developed by ASD for deployment on servers, workstations and laptops. The sensors provide the participating entities and ASD with data to identify malicious cyber activities, generate threat indicators and contribute to the development of appropriate mitigation strategies. Following the deployment of the host-based sensors, the participating entity is to receive a Threat Surface Report that provides information about the hosts and vulnerabilities within the network to help reduce the cyber threat surface.

3.75 The technical reporting provided through the deployment of automated sensors has the potential to support participating entities in undertaking more accurate self-assessments of their implementation of the Essential Eight mitigation strategies. ASD intends to further develop the Threat Surface Report to measure more technical controls of the Essential Eight mitigation strategies as well as provide guidance to counter trending adversary tradecraft.

ACSC Cyber Security Survey

3.76 Since 2010, ASD conducts an annual cyber security survey of Australian Government entities to assess their cyber security posture. The survey was non-mandatory before 2018–19 and had a low completion rate.⁸⁷ The Joint Committee of Public Accounts and Audit (JCPAA) recommended in Report 467: Cybersecurity Compliance that the completion of the annual ASD survey be made mandatory for all Public Governance, Performance and Accountability Act 2013 entities by June 2018.

3.77 The ASD’s ACSC Cyber Security Survey for Commonwealth Entities (ACSC Cyber Security Survey) was made mandatory for non-corporate Commonwealth entities with the commencement of the revised PSPF in October 2018.⁸⁸ The mandatory requirement in PSPF Policy 5: Reporting on Security requires entities to report on cyber security matters to ASD each year.

3.78 Unlike the PSPF survey, the ACSC Cyber Security Survey is not a self-assessment of an entity. The ACSC survey is the key method for the ACSC to measure the cyber security maturity of Australian Government entities. Based on the responses provided by entities in the survey, ASD assigns a maturity rating using the Essential Eight Maturity Model. The ACSC survey is designed to inform a picture of the cyber threat landscape, and helps ASD to identify high-risk entities to better target its advice and assistance to help entities respond to cyber threats.

3.79 ASD informed the ANAO that the assignment of Essential Eight maturity ratings based on assessments it undertook, whether via the cyber security survey or the Essential Eight+ Sprint program, will provide a level of independent assurance that an appropriate maturity rating is given to an entity.

3.80 The ACSC Cyber Security Survey focuses on technical questions regarding the implementation of the Essential Eight mitigation strategies to enable ASD to determine the cyber security maturity of the entity. In contrast, the AGD’s PSPF Policy 10 assessment questions are more high level policy questions designed to ascertain the entity’s PSPF maturity against the PSPF maturity model. The ACSC Cyber Security Survey also include questions on cyber threats, cyber security incidents, and the entity’s cyber security culture.

3.81 The 2020 ACSC Cyber Security Survey was released on 1 October 2020.⁸⁹ ASD informed the ANAO that it plans to send entities individual reports detailing the entity’s results in late 2020. ASD intends to include, in the individual report, a written explanation of its assessment of the entity’s maturity against the Essential Eight Maturity Model. ASD also intends to share key findings from the aggregated survey results in a summary report with all Government entities in March 2021.⁹⁰

3.82 The results of the 2019 ACSC Cyber Security Survey and the Cyber Uplift Program contributed to the findings in The Commonwealth Cyber Security Posture in 2019 report to the Parliament. ASD informed the ANAO that other data sources are to be used for the 2020 report to Parliament, including data from programs similar to the Cyber Uplift Program.

3.85 In response to Recommendation 2 from Auditor-General Report No.53 2017–18 Cyber Resilience, Home Affairs agreed to work with AGD and ASD to develop a fit-for-purpose mechanism to verify entities’ self-assessments on their compliance with cyber security requirements. Home Affairs informed the ANAO that it has worked with AGD and ASD through the provision of strategic cyber security advice in support of their efforts to increase accountability regarding entities’ self-assessments under the PSPF.

Have the cyber policy and operational entities established processes to improve the transparency and accountability of entities’ implementation of mandatory cyber security requirements?

3.86 Prior to the 2017–18 reporting period, PSPF compliance reports submitted to AGD were not made public. Auditor-General Report No.53 2017–18 Cyber Resilience found that there was a lack of mechanisms to provide transparency and accountability for entities’ compliance with cyber security requirements. The report recommended (Recommendation 2(c)) that the three cyber policy entities work together to improve compliance with the cyber security framework by increasing the transparency and accountability of entities’ compliance with cyber security requirements. All three entities agreed to the ANAO’s recommendation.

3.87 AGD reported to its audit and risk management committee in December 2020 that it had completed its implementation of Recommendation 2(c) of the 2017–18 Auditor-General Report by publicly releasing the 2017–18 whole-of-government PSPF Compliance Report and working to finalise the 2018–19 whole-of-government PSPF Assessment report. ASD reported to its audit and risk committee that it had implemented Recommendation 2(c) through the provision of the annual report on Australian Government entities cyber security posture to Parliament.

3.88 To follow up on this recommendation, the ANAO examined whether AGD, ASD and Home Affairs have:

• improved external reporting and transparency of non-corporate Commonwealth entities cyber security posture; and
• established mechanisms for the Parliament and relevant Australian Government cyber security governance committees to hold entities accountable for their cyber security posture.

Public reporting and transparency

Whole-of-government PSPF assessment reports

3.89 Following the tabling of the 2017–18 Auditor-General Report, AGD publicly released the 2016–17 and 2017–18 consolidated PSPF compliance reports on the PSPF website. These PSPF compliance reports contain aggregated findings on non-corporate Commonwealth entities’ compliance with mandatory PSPF requirements.

3.90 The 2018–19 consolidated PSPF maturity assessment report was published on the PSPF website on 15 January 2021. The 2018–19 consolidated PSPF maturity assessment report is the first report to be released under the revised PSPF maturity self-assessment model. Similar to past consolidated PSPF compliance reports, the 2018–19 report contains aggregated findings and does not disclose the security maturity level of individual entities.

Report on cyber security posture of Australian Government entities

3.91 In April 2020, ASD tabled the inaugural The Commonwealth Cyber Security Posture in 2019 report in the Parliament and published the report on its website.⁹¹ This report outlines the overall maturity of Australian Government entities’ implementation of the Essential Eight mitigation strategies and the status of their cyber security posture. The findings in the report were based on information obtained from the 2019 ACSC Cyber Security Survey and the results from AGD’s 2018–19 PSPF Policy 10 assessment reports. The findings were also informed by the results of the Cyber Uplift Program, cyber security incident reporting and investigations undertaken by ASD.⁹²

3.92 The 2019 report on Australian Government entities’ cyber security posture contains anonymised and aggregated data. The report does not identify individual entities and the maturity level of their Essential Eight implementation. ASD informed the ANAO that it has no intention to disaggregate the data to identify the cyber security posture of individual entities in future reports.

Security concerns with publicly reporting individual entities’ cyber security posture

3.93 ASD and AGD informed the ANAO that security concerns were the reason for not publicly reporting specific entities’ cyber security posture. ASD and AGD both indicated that the identification of individual entities’ cyber security maturity level in public reporting provides detailed information on a ‘heat map of vulnerabilities’ in Australian Government networks. This may increase the risk of targeted attacks by malicious actors.

3.94 ASD has information to indicate that malicious actors seek to compromise networks based on known security vulnerabilities. ASD has also seen evidence of malicious actors manoeuvring between connected networks to target attacks on the weakest network.

3.95 In the 2020–21 Budget Estimates in October–November 2020, questions were put to non-corporate Commonwealth entities that include: their compliance with the mandatory requirements of PSPF Policy 10 and their implementation of the Essential Eight mitigation strategies. In November 2020, an email was sent by AGD to all non-corporate Commonwealth entities’ Chief Security Officers and generic security mailboxes providing entities with a suggested approach in line with ACSC guidance. The email provided the following suggested response to questions regarding the PSPF and Essential Eight implementation:

Publicly reporting on individual agency’s compliance with the Essential 8/Top 4 or specific cyber mitigations in response to these questions on notice would provide a snapshot in time of the entire Federal Government’s cyber security maturity and as a result, may provide a heat map for vulnerabilities that malicious actors may exploit and thus increase an agency’s risk of cyber incidents.

Accountability mechanisms for entities’ cyber security posture

3.96 The existing reporting mechanisms under the PSPF require entities to provide their PSPF assessment report to their portfolio Minister. AGD considers that the existing accountability mechanisms, including the publishing of the whole-of-government PSPF assessment report, provide the appropriate balance between transparency and the risk of exposing entities to malicious actors through the sharing of entities’ cyber security posture publicly. AGD informed the ANAO that entities are held accountable to their Minister as they are required to report to their Minister annually on their self-assessment. There is no framework to support Ministers to determine the appropriateness of entities’ self-assessment reports.

3.97 While AGD reviewed the information provided by entities in their PSPF Policy 10 assessment (see paragraphs 3.53 to 3.55), the review was for ensuring completeness and adequacy of the information provided. The review was not for the purpose of validating whether entities had undertaken the cyber security measures or planned strategies detailed in their previous self-assessment, or confirming if entities have improved their maturity within the advised timeframe.⁹³ AGD does not use the data from entities’ Policy 10 self-assessments to hold entities accountable for their cyber security postures.

3.98 By responding to the ACSC Cyber Security Survey, entities are provided with an assessment of their Essential Eight maturity by ASD (as discussed in paragraph 3.78). The survey is intended to enable ASD to understand the cyber security posture of entities to help inform the advice, assistance and technical guidance provided to entities. The survey results also inform ASD’s annual report on Australian Government entities’ cyber security posture to Parliament. With the lack of transparency on individual entities’ cyber security maturity level, there has been no improvement in accountability.

Accountability to the Parliament

3.99 To increase the accountability of non-corporate Commonwealth entities to the Parliament on their cyber security compliance, the JCPAA recommended in Report 467: Cybersecurity Compliance that AGD and the ASD report annually to the Parliament on entities’ cyber security posture.⁹⁴ Consistent with the JCPAA’s findings, the ANAO also identified in Auditor-General Report No.53 2017–18 Cyber Resilience that there was a need to increase the accountability of entities’ compliance with mandatory cyber security requirements.⁹⁵

3.100 Despite the increased public reporting since the 2017 JCPAA inquiry and 2017–18 Auditor-General Report, the status of individual entities’ cyber security posture is not transparent. The aggregated public reporting from ASD and AGD does not provide details on individual entities’ implementation of mandatory PSPF Policy 10 requirements or effectiveness of their implementation of the Essential Eight mitigation strategies. Consequently, the Parliament does not have the necessary information to hold individual entities to account for their cyber security posture.

Upholding of accountability by cyber security governance committees

3.101 As noted in paragraph 1.15, the four whole-of-government governance committees with responsibilities in overseeing PSPF and cyber security initiatives for the improvement of Australian Government entities’ cyber security posture are the:

• Government Security Committee;
• Cyber Security Band 3 Inter-Departmental Committee;
• Cyber Security Strategy Delivery Board; and
• Secretaries Board.

Government Security Committee

3.102 As part of the 2018 PSPF reforms, the Government Security Committee agreed that a maturity assessment model for entities’ annual PSPF self-assessment was the most effective and efficient manner to provide assurance to the Government on protective security arrangements of entities.

3.103 Matters discussed at the meetings include the development of the PSPF reporting portal, extension of the submission date for entities’ PSPF assessment reports, potential ways to minimise duplication between the PSPF assessment and the ACSC Cyber Security Survey, and implementation of the PSPF maturity assessment model. A standing agenda for the Government Security Committee meetings is updates from ASD on the cyber environment and cyber security issues that may affect PSPF requirements.

3.104 AGD provided aggregated reporting on the 2018–19 whole-of-government PSPF maturity assessment to the Government Security Committee at its May 2020 meeting. The committee noted the low maturity assessed for cyber security under Policy 10. The committee was informed that implementation of the Top Four mitigation strategies was an area with low maturity and ongoing vulnerabilities for Australian Government entities, with application control and patching applications being the key mitigation strategies of concern.

3.105 The ANAO’s review of meeting minutes also found that no advice was provided by the Government Security Committee to other cyber security governance committees, the Secretaries Board or the government regarding the actions required by individual entities to mitigate cyber security issues identified in the PSPF self-assessments. AGD informed the ANAO that there was no significant cyber security issue from the 2018–19 PSPF assessment report that required attention from the Secretaries Board.⁹⁶

3.106 To fulfil its role in reporting to government on PSPF maturity and entities’ security capability, AGD informed the ANAO in September 2020 that it is considering plans for the Attorney-General to write to all portfolio ministers and provide them with the consolidated 2018–19 PSPF assessment report once it has been considered and approved. AGD released the 2018–19 consolidated PSPF maturity assessment report on the PSPF website on 15 January 2021. The provision of a consolidated PSPF assessment report to portfolio ministers does not facilitate an increase in accountability for entities to improve their cyber security posture.

Cyber Security Band 3 Inter-Departmental Committee

3.107 The Cyber Security Band 3 Inter-Departmental Committee has considered the Cyber Uplift Program, Essential Eight+ Sprints⁹⁷, the Host-Based Sensor program, Australia’s Cyber Security Strategy 2020, and the hardening of Government’s IT systems. In the 27 February 2020 meeting, the committee discussed the 2019 cyber security posture report and outcomes of the ACSC’s Cyber Uplift Program. The committee noted the difficulty faced by smaller agencies in implementing effective cyber security risk mitigation strategies due to their lack of capabilities. The committee agreed that Home Affairs and PM&C were to jointly develop a paper to the Secretaries Board on how to address the risks identified in the cyber security posture report and the Cyber Uplift Program.

3.108 The paper on the issues regarding Australian Government cyber security posture was discussed at the 10 June 2020 meeting of the Secretaries Board. The issues identified include a lack of coordination for the uplift of Government’s cyber security, lack of realisation of economies-of-scale, budget process inhibition on entities’ ICT investment, limitation in the PSPF, and an accumulation of vulnerable legacy systems. The paper discussed the centralisation of Government IT capability through consolidation of Government systems as a measure to mitigate the issues. The Secretaries Board noted the risks and vulnerabilities identified in Government networks and systems. A Hardening Government IT Board was initially established to oversee activities under the initiative to centralise Australian Government entities’ IT infrastructure. The Hardening Government IT Board was subsumed by the Secretaries Digital Committee established in August 2020 (see paragraph 3.124).

3.109 Following the Prime Minister’s announcement in June 2020 regarding the malicious cyber activity against Australian networks, ASD provided an update at the July 2020 Cyber Security Band 3 Inter-Departmental Committee meeting on the decision to publicly announce the cyber incident and the subsequent positive results achieved based on ASD’s statistics.⁹⁸ The committee co-chair highlighted the importance of entities’ defences for deterring and responding to cyber security incidents, and whole-of-government cooperation on such issues.

Cyber Security Strategy Delivery Board

3.110 The Cyber Security Strategy Delivery Board, chaired by Home Affairs, was established in August 2020 to drive the implementation of Australia’s Cyber Security Strategy 2020. To date, the Cyber Security Strategy Delivery Board has met in September and November 2020 respectively. Items discussed in the initial two meetings include implementation progress update against the key initiatives of Australia’s Cyber Security Strategy 2020, the implementation plan and engagement with relevant stakeholders.

Secretaries Board

3.111 In the period July 2018 to August 2020, the Secretaries Board received regular PSPF updates, and considered the Government cyber security posture and measures to improve cyber security. As noted in paragraph 3.108, the Secretaries Board was presented with a paper in June 2020 on issues in relation to the cyber security posture of Australian Government entities and potential measures to resolve the issues.

3.112 In May 2017, PM&C and ASD engaged Australian cyber security firm Hivint Pty Ltd (Hivint) to conduct a scan of the internet-based profile of Australian Government entities to identify cyber security risks across public facing Government systems from October 2017 to January 2018. Hivint’s assessment identified a range of poor cyber hygiene practices in Australian Government entities, with many entities not being compliant with security policies and not consistently implementing effective cyber security practices. Following the delivery of the assessment results to entities in November 2018, department secretaries were required to provide advice to ASD on their management of identified cyber risks in their portfolio. In March 2019, ASD presented a report on ‘Cyber Security Vulnerabilities – Portfolio Secretaries advice on managing Hivint findings’ to the Secretaries Board. The Secretaries Board noted the report presented.

3.113 The report presented to the Secretaries Board in March 2019 consolidated the advice provided by the portfolio secretaries and provided high level common themes observed from the risk management plans of the portfolio.⁹⁹ The portfolio plans indicated that improvements were to occur over a period of three to six months, primarily through configuration management, active contract management and staff training. ASD has subsequently developed an in-house capability — Cyber Hygiene Improvement Programs— to identify and measure changes in cyber hygiene across Australian Government entities.¹⁰⁰

3.114 The Secretaries Board did not adopt a similar approach for entities that had self-assessed a low maturity for cyber security and Top Four implementation under PSPF Policy 10. There was no obligation for individual entities with low maturity for PSPF Policy 10 to take actions to mitigate cyber security risks and report back on any such actions taken. Non-corporate Commonwealth entities have not been held to account for not meeting mandatory cyber security requirements under PSPF Policy 10.

Establishment of ‘cyber hubs’

3.119 As discussed in paragraph 1.13, Home Affairs is responsible for coordinating the implementation of Australia’s Cyber Security Strategy 2020. A key initiative within the Cyber Security Strategy 2020 for Australian Government entities is the hardening of Government’s ICT systems against cyber threats. The Digital Transformation Agency (DTA) is responsible for leading the Hardening Government IT Program, which focusses on centralising government networks through secure hubs, with support by Home Affairs, AGD and ASD in their respective roles as cyber policy and operational entities.

3.120 The centralisation of Government networks seeks to reduce opportunities for malicious actors to target agencies that have less secure ICT systems and drive greater efficiencies in the Australian Government’s cyber security investment. It was intended that the ‘cyber hubs’ will improve the ability of Government entities to identify, protect, detect, respond and recover from malicious intrusions. According to Home Affairs, the ‘cyber hubs’ are to help ensure baseline cyber security standards are met by improving entities’ implementation of the mandatory Top Four mitigation strategies.

3.121 The indicative implementation roadmap for the ‘cyber hubs’ includes the consolidation of secure Internet gateways and services into ‘cyber hubs’ to create a strengthened perimeter for Australian Government networks. Existing business systems are then planned to be transferred to ‘cyber hub’ providers, and the development of a Government Cloud in later phases of the initiative to allow agencies to transition obsolete or at-risk services to modern, secure operating environments.

3.122 In September 2020, the DTA completed a six-week discovery activity to inform the design of the ‘cyber hubs’ model. Home Affairs, Services Australia and the Department of Defence have been identified as pilot ‘cyber hub’ providers to test the monitoring, detection and reporting capabilities on client entities’ networks. The pilot hubs are expected to be established by 30 June 2021.

3.123 The ‘cyber hub’ providers would be responsible for securing, assessing and certifying their own infrastructure in line with the ISM and for mandatory reporting of protective security capability under the PSPF. ASD plans to create a ‘cyber visibility centre’ to provide strategic whole-of-government cyber security advice to the ‘cyber hub’ providers.

3.124 A Secretaries Digital Committee has been established to oversee the activities under the initiative to harden Government ICT systems. The Secretaries Digital Committee is a sub-committee of the Secretaries Board and is chaired by the Secretary of the Department of Social Services, with secretariat support provided by the DTA. The committee’s role is to provide strategic leadership to promote an enterprise approach to the planning, coordination and delivery of trusted and secure digital and ICT capabilities across Australian Government entities. The committee held its first meeting in September 2020.

3.125 Under the Hardening Government IT Program, AGD is responsible for working with DTA and other stakeholders to ensure the ‘cyber hubs’ are in alignment with the PSPF. AGD plans to update the PSPF by the end of June 2021 in consideration of:

• the lines of accountability under the proposed ‘cyber hub’ model;
• opportunities to support more effective management of cyber security risks across government; and
• potential improvements to arrangements for addressing shared and enterprise risks.

3.126 The ANAO’s discussions with Home Affairs, AGD and ASD identified that the establishment of the ‘cyber hubs’ is at an early stage with further details on the operation of the hub model yet to be developed.