The ASD periodically updates the Essential Eight Maturity Model to reflect changes in the threat landscape, advances in attacker techniques, and lessons from incidents affecting Australian organisations. The November 2023 update introduced several changes relevant to businesses actively working toward Essential Eight compliance.
MFA Requirements Tightened
The definition of phishing-resistant MFA was clarified and its requirement extended. At Maturity Level Two, phishing-resistant MFA is now required for privileged users accessing all systems — not just internet-facing services. This is a meaningful extension that affects organisations using standard TOTP-based MFA for privileged account access.
Patching Timeframes Clarified
The update clarified that the patching timeframes apply from the date a patch becomes available — not from the date of vulnerability disclosure. This distinction matters in practice: a vulnerability disclosed before a vendor patch is available starts the clock only when the patch ships.
Application Control Scope Extended
At Maturity Level Two, application control is now expected to cover Microsoft Office macros and content from the internet on all workstations and servers, not just user-writable locations. This aligns application control more tightly with the macro settings control.
What Organisations Should Do
Review your current Essential Eight assessment against the updated guidance. If your most recent assessment was conducted against a prior version of the framework, a gap assessment against the November 2023 version is advisable before your next formal assessment or before renewing any certification that relies on your Essential Eight status.