DPMC, Attorney General’s office cyber self-assessments face scrutiny in latest audit


A new report by Australia’s chief auditor has found that more than two out of three surveyed Federal Government agencies have failed to fully implement cybersecurity recommendations proposed by the Australian Signals Directorate (ASD) back in 2013, with the Prime Minister’s department and the Attorney-General’s Department (AGD) also found to have inaccurately assessed their own security compliance.

The Australian National Audit Office’s (ANAO) report, Cyber Security Strategies of Non-Corporate Commonwealth Entities, released last week, found that a number of Commonwealth entities had overstated their compliance and, moreover, had failed to accurately self-assess their implementation of key threat mitigation strategies recommended under the Protective Security Policy Framework (PSPF).

The findings no doubt raise questions around the value of self-assessment.

Non-corporate Commonwealth entities have been required to deliver cybersecurity self-assessments against the provisions of the PSPF annually since 2013. Agencies self-rank their cybersecurity maturity as ‘Ad Hoc’, ‘Developing’, ‘Managing’, or ‘Embedded’.

‘Ad Hoc’ maturity levels indicate only “partial or basic implementation and management of PSPF mandatory and supporting requirements”, according to the report.

At the other end, an ‘Embedded’ maturity level means the entity has shown “comprehensive and effective implementation of PSPF requirements” and is “excelling at the implementation of better-practice guidance”.

When responding to guidance around PSPF self-assessments, the report found, entities had expressed a need for greater clarity in defining cyber maturity levels, as well as a need to develop a “common understanding of how entities should arrive at their maturity rating”.

Not one of the seven selected entities was found to have fully implemented all of the ASD’s Top Four mandatory mitigation strategies, despite the strategies having been released by the intelligence agency more than seven years ago.

This also comes in an environment of increasing cyber risk for Australian Government entities, with the “frequency, scale and sophistication” of malicious cyber activity increasing. More than 430 cybersecurity incidents were recorded by Australian government entities in 2019-2020.

The audit included the Attorney-General’s Department (AGD), the Australian Signals Directorate (ASD), the Department of Home Affairs, the Department of the Prime Minister and Cabinet (PM&C), the Future Fund Management Agency (Future Fund), Austrade, the Department of Education, Skills and Employment (DESE), the Department of Health (Health), and IP Australia.

Of these entities, both PM&C and AGD were found to have inaccurately self-assessed their implementation of one of the Top Four mitigation strategies, with both appearing to have overstated their cyber-readiness.

PM&C, for instance, had not properly implemented the ASD’s strategy for restricting administrative privileges, a gap that could allow unauthorised users to make major changes to operating systems, while the AGD’s implementation of the strategy for patching operating systems was found wanting.

Three agencies – the PM&C, AGD and Future Fund – were flagged as lacking adequate cyber resilience, with PM&C and AGD categorised as “vulnerable” to cybersecurity incidents.

While PM&C contested the auditor’s findings, the AGD accepted the majority of the recommendations, agreeing to improve its processes for documenting ICT security risk assessments and risk management.

The audit was prompted by concerns about past non-compliance by Federal Government agencies, as well as concerns around their slow implementation of mandatory cybersecurity requirements.

The report concluded that the AGD, ASD and Home Affairs “could do more to improve support” for Government agencies implementing cybersecurity requirements.

Overall, the ANAO called for “ongoing work” to support Commonwealth entities in achieving “a more mature and resilient cybersecurity posture”.

It added that it will continue to “hold entities to account” for further progress in implementing ASD-mandated cybersecurity requirements.