The Essential Eight for Commonwealth entities is not optional. Since 1 July 2022 the Protective Security Policy Framework has required every non corporate Commonwealth entity to reach Maturity Level Two across all eight strategies. Maturity Level Three is a risk based judgement, not a default. Maturity is a point in time baseline, measured by assessment, not a certificate you hold.
Are Commonwealth entities required to meet the Essential Eight?
Yes, and the bar is specific. Since 1 July 2022 the Protective Security Policy Framework has required every non corporate Commonwealth entity to implement all eight strategies to at least Maturity Level Two. Not Maturity Level One. Not a reasonable attempt. The requirement sits in the PSPF as a core obligation alongside the rest of an entity’s protective security duties, and it is reported on each year.
The word that trips people is non corporate. The mandate binds non corporate Commonwealth entities, the departments and agencies that sit directly under the Public Governance, Performance and Accountability Act. Corporate Commonwealth entities are encouraged to meet the same bar but are not bound by the PSPF in the same way. If you are a department or a non corporate agency, Maturity Level Two is the floor you are measured against.
What does Maturity Level Two actually require?
Maturity Level Two means mostly aligned, set against a more capable adversary than the level below. ASD frames Maturity Level One around commodity tradecraft that is widely available. Maturity Level Two assumes adversaries willing to invest more time in a target, who go after credentials and try to bypass weaker multi factor authentication. The control expectations across all eight strategies tighten accordingly.
The point most entities miss is how the level is calculated. Your maturity is the lowest level reached across all eight strategies, so a single lagging strategy sets the whole result. Strong application control does not lift a backup regime sitting at Maturity Level One. ASD advises reaching the same level across all eight before considering a higher one. The eight strategies are patch applications, patch operating systems, multi factor authentication, restrict administrative privileges, application control, restrict Microsoft Office macros, user application hardening and regular backups.
| Maturity level | Adversary it addresses | Commonwealth expectation |
|---|---|---|
| ML0 | One or more strategies fall short of Maturity Level One | Below the Commonwealth baseline |
| ML1 | Adversaries using widely available, commodity tradecraft | Below the Commonwealth baseline |
| ML2 | Adversaries willing to invest more time, targeting credentials and bypassing weaker MFA | The mandated baseline for non corporate Commonwealth entities since 1 July 2022 |
| ML3 | Adaptive adversaries, less reliant on public tools, focused on a specific target | Considered where the threat environment warrants |
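To make the lowest-level rule concrete, an added Python example (not ASD tooling or part of the original page) that takes constructed per strategy results, derives the overall level the way the Maturity Model does, and lists the strategies holding the entity below the mandated baseline:

```python
from typing import Dict, List, Tuple

# The eight strategies named in the Essential Eight Maturity Model.
STRATEGIES = (
    "patch applications",
    "patch operating systems",
    "multi factor authentication",
    "restrict administrative privileges",
    "application control",
    "restrict Microsoft Office macros",
    "user application hardening",
    "regular backups",
)
COMMONWEALTH_BASELINE = 2  # PSPF mandate for non corporate entities since 1 July 2022


def overall_maturity(results: Dict[str, int]) -> int:
    """Overall level is the lowest level reached across all eight strategies.
    Every strategy must be assessed; levels are 0 (ML0) to 3 (ML3)."""
    missing = set(STRATEGIES) - set(results)
    if missing:
        raise ValueError(f"unassessed strategies: {sorted(missing)}")
    if any(not 0 <= results[s] <= 3 for s in STRATEGIES):
        raise ValueError("maturity levels must be between 0 and 3")
    return min(results[s] for s in STRATEGIES)


def capping_strategies(results: Dict[str, int]) -> List[str]:
    """The strategies sitting at the overall level, i.e. the ones setting the result."""
    level = overall_maturity(results)
    return [s for s in STRATEGIES if results[s] == level]


def gap_to_baseline(results: Dict[str, int],
                    target: int = COMMONWEALTH_BASELINE) -> List[Tuple[str, int, int]]:
    """(strategy, current level, levels still to lift) for each strategy below target."""
    overall_maturity(results)  # validate the assessment first
    return [(s, results[s], target - results[s]) for s in STRATEGIES if results[s] < target]


# Constructed sample assessment (not a real entity's result): seven strategies at
# ML2 or ML3, but backups lag at ML1, so the whole entity reports ML1.
SAMPLE_ASSESSMENT = {s: 2 for s in STRATEGIES}
SAMPLE_ASSESSMENT["application control"] = 3
SAMPLE_ASSESSMENT["regular backups"] = 1

if __name__ == "__main__":
    print("overall:", overall_maturity(SAMPLE_ASSESSMENT))
    print("capped by:", capping_strategies(SAMPLE_ASSESSMENT))
    print("to reach ML2:", gap_to_baseline(SAMPLE_ASSESSMENT))
```

Lifting backups to ML2 in the sample moves the whole result to ML2; lifting application control to ML3 first changes nothing, which is the trap the paragraph above describes.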
Does the mandate reach beyond non corporate entities?
Not directly, but its gravity pulls wider. The PSPF binds non corporate Commonwealth entities. State and territory governments and private organisations sit outside it. In practice the Essential Eight has become the common reference anyway, written into contracts, grants and tender conditions, so a supplier selling to government is often asked to demonstrate a maturity level it is not legally bound to hold.
Corporate Commonwealth entities and government business enterprises are encouraged to adopt the same baseline, and many do. If you supply the Commonwealth, treat Maturity Level Two as the expectation whether or not the PSPF names you, because the entity buying from you will.
How is Maturity Level Two measured and reported?
By assessment, at a point in time, against the Essential Eight Maturity Model. There is no certificate and no pass mark. An assessor tests each strategy and reports the maturity level reached, following ASD’s Essential Eight assessment process guide, and the result drifts as systems change. It is a snapshot, not a standing credential. Non corporate entities report their posture through the PSPF each year.
The aggregate picture is sobering. ASD’s Commonwealth Cyber Security Posture in 2025 shows many entities still short of Maturity Level Two across all eight strategies, years after the deadline. The gap is rarely a single missing tool. It is usually the compounding effect of the weakest strategy setting the level, and of maturity slipping between assessments as environments change.
Is Maturity Level Two enough, or do you need Maturity Level Three?
Maturity Level Two is the floor, not the ceiling. The PSPF asks non corporate entities to consider whether their threat environment warrants Maturity Level Three, which is built for adaptive adversaries who are less reliant on public tools and focused on a specific target. For an entity holding sensitive information or running high value services, Maturity Level Two may not be the right resting point. The controls mapped to Maturity Level Three in the ISM remain applicable to government systems even where they are not mandated, and their implementation can be risk managed.
And the Essential Eight is a baseline in any case. It mitigates the most common intrusion techniques on internet connected Windows networks. It does not cover governance, personnel, physical security or incident response, which the ISM holds in hundreds of additional controls. Reaching Maturity Level Two is the start of the obligation, not the discharge of it.
Frequently asked questions
Non corporate Commonwealth entities, under the Protective Security Policy Framework, since 1 July 2022. Corporate Commonwealth entities are encouraged to meet the same baseline but are not bound by the PSPF in the same way.
No. There is no certificate and no pass mark. Maturity is a point in time measure against the Essential Eight Maturity Model, taken by assessment, and it drifts as systems change.
It reports the shortfall through its annual PSPF posture reporting and works to close the gap. A result of Maturity Level Zero or One records where strategies fall short. It is a finding to act on, not a penalty in itself.
Not by default. Maturity Level Two is the mandated baseline. Maturity Level Three is considered where the threat environment warrants it, and the related ISM controls can be risk managed rather than treated as a fixed requirement.
Written by Gaurav Vikash, an ASD endorsed IRAP assessor and senior cyber security leader with 18 years of experience across Australia, the UK and Asia, including CISO and senior security leadership roles. He holds CISSP, CISA, CISM and CRISC and is an ISO 27001 and ISO 42001 Lead Implementer, and speaks regularly at industry conferences.
Sources:
- Protective Security Policy Framework, Policy amendment: Information security, effective 1 July 2022
- ASD, Essential Eight Maturity Model, November 2023
- ASD, Essential Eight explained, current June 2026
- ASD, The Commonwealth Cyber Security Posture in 2025, 2025
Last updated: 21 June, 2026
