The Government Threat Landscape Is Not Theoretical

Government agencies are not facing hypothetical threats. The ASD's 2023-24 Annual Cyber Threat Report confirmed that government remains one of the most targeted sectors in Australia. State-sponsored actors from multiple countries are actively targeting government networks for espionage, intellectual property theft, and pre-positioning within critical infrastructure for potential future disruption.

The threat categories facing government agencies differ from those facing the private sector in important ways:

  • State-sponsored espionage. Nation-state actors target government networks to access classified information, policy deliberations, diplomatic communications, and intelligence on Australia's strategic positioning. These adversaries are well-resourced, patient, and operate with technical sophistication that exceeds most criminal groups.
  • Critical infrastructure disruption. Government agencies operate or oversee essential services including water, energy, transport, and communications. Adversaries are increasingly pre-positioning within these networks, establishing persistent access that can be activated during a geopolitical crisis.
  • Citizen data at scale. Federal agencies like Services Australia, the ATO, and Medicare hold some of the largest and most sensitive datasets in the country. A breach of these systems affects millions of Australians and carries consequences that extend well beyond financial loss.
  • Supply chain targeting. Government procurement creates complex supply chains. Adversaries increasingly target smaller contractors and suppliers as a pathway into larger government networks, exploiting the trust relationships inherent in interconnected systems.

The practical implication is that government agencies cannot treat cybersecurity as an IT problem to be managed at the operational level. The threats are strategic, and the response needs to be governed accordingly.

The Regulatory Stack: What Government Agencies Must Actually Comply With

Australian government cybersecurity operates under a layered regulatory framework. Understanding which obligations apply, and how they interact, is the first step toward a coherent security programme rather than a compliance patchwork.

Protective Security Policy Framework (PSPF)

The PSPF is the overarching security policy for all Commonwealth Government entities. It covers governance, personnel security, physical security, and information security. The information security component requires agencies to implement the ASD Essential Eight at Maturity Level 2 (ML2) as a minimum baseline. Agencies must also comply with the Information Security Manual (ISM) and report cyber incidents to ASD.

PSPF compliance is assessed through annual self-assessments submitted to the Attorney-General's Department. The reliability of these self-assessments has been questioned repeatedly. ANAO audits conducted between 2013 and 2022 consistently found that agencies self-reporting compliance were not independently verified as compliant, with the gap between self-assessed and independently verified maturity running as high as 30 percentage points.

Information Security Manual (ISM)

The ISM is ASD's technical control catalogue. It contains over 800 controls across governance, physical security, personnel security, communications security, ICT security, and cyber security domains. The ISM is updated regularly by ASD to reflect the evolving threat landscape and is the primary reference for securing government systems at different classification levels.

For practical purposes, the ISM is what IRAP assessors evaluate systems against. If your agency is deploying a cloud service, a new application, or a network change, the ISM controls applicable to your classification level are the benchmark.

Essential Eight

The Essential Eight mitigation strategies are ASD's prioritised list of technical controls. For Commonwealth entities, ML2 is mandatory under the PSPF. The eight strategies cover application control, patching applications, configuring Microsoft Office macro settings, user application hardening, restricting administrative privileges, patching operating systems, multi-factor authentication, and regular backups.

The 2025 Commonwealth Cyber Security Posture Report revealed the scale of the compliance gap. Only 22% of entities had achieved ML2 across all eight strategies. The most challenging strategies for agencies are consistently application control, user application hardening, and restricting administrative privileges, each of which requires sustained operational commitment rather than a one-off implementation project.

Security of Critical Infrastructure Act (SOCI Act)

The SOCI Act applies to organisations operating critical infrastructure assets across 11 sectors, including government services, communications, data storage, and defence industry. It imposes positive security obligations including risk management programmes, mandatory incident reporting to the Australian Cyber Security Centre, and enhanced cybersecurity obligations for systems of national significance.

Government agencies that operate or oversee critical infrastructure are directly caught by the SOCI Act's requirements, in addition to their existing PSPF obligations. This creates a dual compliance requirement that many agencies have not yet reconciled into a single programme.

Cyber Security Act 2024

The Cyber Security Act 2024 added new obligations relevant to government operations. These include mandatory ransomware payment reporting within 72 hours, a limited-use framework for information shared with the National Cyber Security Coordinator during incidents, and minimum security standards for connected devices. For agencies that experience ransomware incidents, the 72-hour reporting obligation runs in parallel with existing ASD notification requirements under the PSPF.

Why the Compliance Gap Is So Large

The gap between mandate and implementation across Australian Government is not primarily a funding problem. It is a structural problem with several contributing factors.

Legacy systems dominate the estate. The 2025 Commonwealth Cyber Security Posture Report found that 59% of entities identified legacy IT as a barrier to Essential Eight implementation. Systems that cannot support modern application control, current operating system versions, or phishing-resistant MFA create compliance blockers that no amount of policy can resolve without capital investment in remediation or replacement.

Self-assessment creates false confidence. Agencies that self-assess as compliant may genuinely believe they are. But the consistent finding from independent audits is that self-assessed maturity exceeds independently verified maturity by a significant margin. This is not necessarily dishonest; it often reflects a misunderstanding of what the ASD's maturity model actually requires at each level.

Cybersecurity competes with service delivery. Government agencies exist to deliver services to citizens. Cybersecurity investment that does not directly improve service delivery is politically difficult to sustain, especially when the consequences of under-investment are invisible until an incident occurs. This creates a cycle where funding flows to visible priorities and security receives the remainder.

Workforce constraints are acute. The Australian cybersecurity workforce shortage is well documented, but it hits government particularly hard. Public sector salary bands often cannot compete with private sector compensation, and the clearance requirements for government roles further constrain the available talent pool. Agencies struggle to recruit, and when they do recruit, they struggle to retain.

What a Strong Government Cybersecurity Posture Looks Like

Organisations that get this right share several characteristics. They are not necessarily the best-funded agencies. They are the ones that treat cybersecurity as a governance problem with technical components, rather than a technical problem that occasionally reaches the executive.

Executive ownership, not delegation

Effective government cybersecurity programmes have a named accountable executive, typically the CISO or equivalent, with direct access to the agency head and a clear reporting line to the audit and risk committee. When cybersecurity is buried three layers down in the IT division, it does not get the attention, funding, or organisational authority it needs. Security governance that connects technical risk to business risk is what separates agencies that achieve genuine compliance from those that produce compliant-looking reports.

Honest maturity assessment

The agencies that improve fastest are the ones that start with an honest picture of where they stand. This means independent assessment, not self-assessment. It means testing controls, not documenting controls. And it means accepting that the gap between your current state and your target state may be larger than you expected. A Lighthouse Assessment provides this independently verified baseline.

Risk-based prioritisation

Trying to implement all 800+ ISM controls simultaneously is a guaranteed way to make no meaningful progress on any of them. Effective agencies use risk assessment to identify which controls matter most for their specific threat profile, data holdings, and operational context. They sequence implementation based on risk reduction value, not on what is easiest to tick off a spreadsheet.

Architecture before tools

Government agencies are not short of security tools. They are frequently short of coherent security architecture that connects those tools into a functioning defensive capability. Network segmentation, identity architecture, zero trust principles, and logging strategy should be designed before products are procured. Otherwise, you end up with an expensive collection of tools that do not work together and gaps that no individual tool was designed to cover.

Third-party risk management

Government procurement creates extensive supply chains with contractors, managed service providers, and SaaS vendors who hold or process government data. Each of these relationships is a potential attack path. Effective agencies maintain visibility over their third-party risk exposure and impose security requirements that are proportionate to the sensitivity of the data or systems involved. The PSPF requires this; the question is whether agencies are actually doing it or merely documenting the requirement.

Incident preparedness, not just response plans

Every government agency has an incident response plan. Far fewer have tested that plan against realistic scenarios. Tabletop exercises that simulate ransomware, data exfiltration, or supply chain compromise, run with the actual decision-makers who would be involved in a real incident, reveal gaps that documentation alone cannot identify. The agencies that handle real incidents well are invariably the ones that practise.

State and Territory Considerations

Commonwealth Government gets most of the attention, but state and territory governments face their own cybersecurity challenges with varying policy frameworks.

NSW operates under the NSW Cyber Security Policy, which mandates Essential Eight ML1 as a minimum. Queensland requires Essential Eight compliance under its IS18 policy, with maturity targets determined by risk assessment. Victoria, South Australia, and other jurisdictions have their own frameworks with varying levels of prescription.

Local government is a particular concern. Councils hold significant volumes of citizen data, operate essential services, and frequently have the smallest cybersecurity budgets and least mature security programmes. The gap between threat exposure and security capability is often widest at the local government level.

For contractors and suppliers that work across multiple jurisdictions, this patchwork of requirements creates complexity. An organisation that supplies services to both Commonwealth and state agencies may need to demonstrate compliance with different frameworks, different maturity targets, and different reporting requirements simultaneously.

What to Do Next

If you work in government cybersecurity, the path forward is straightforward even if the execution is hard.

Start with an honest assessment. Not a self-assessment. An independent, evidence-based evaluation of your Essential Eight maturity, your ISM control implementation, and your actual security posture against the threats your agency faces. The gap between where you think you are and where you actually are is the most important number in your security programme.

Prioritise based on risk, not compliance checklists. PSPF compliance is important, but it is a means to an end. The end is protecting citizen data, maintaining service continuity, and defending against adversaries who are actively targeting your agency. The controls that reduce the most risk should come first, and those are not always the ones that are easiest to implement.

Build for sustainability. Essential Eight ML2 is not a project with an end date. It requires continuous operational processes: patching cycles, privilege reviews, MFA enforcement, and backup testing. If your programme does not have ongoing resource commitment, your compliance will degrade within months of achieving it.

Cliffside works with Australian government agencies at federal, state, and local levels. We hold ISO 27001 certification, we assess Essential Eight maturity, and we design security architectures for government environments. If you want an honest assessment of where your agency stands, book a Lighthouse Assessment. We will tell you what is working, what is not, and what to fix first.