Fed agencies cop mass fail in core systems cyber review

Just one agency gets 'essential eight' tick for financial, HR systems.

Only one of the federal government’s largest agencies has fully applied the Australian Signals Directorate's essential eight to some of its most important systems, the national auditor has found.

The finding is contained in the 2019 interim financial controls audit of major entities, which reviewed the implementation of the controls now considered the baseline for cyber resilience.

The Australian National Audit Office’s review focused on the financial and HR systems of 18 agencies, including Defence, Services Australia, Home Affairs and the Tax Office.

“The review was undertaken to confirm the accuracy of reporting and identity cyber security risks that may impact on the preparation of financial statements,” the auditor said [pdf].

“The review consisted of analysis of policy and procedural documentation, testing of mitigation strategies specific to the FMIS and HRMIS, results of sprint assessments and interviews with entity personnel.”

It follows a series of target audits conducted by the auditor since 2013 that have uncovered serious cyber resilience shortcomings, particularly around the implementation of the top four.

But as with previous audits, the review found “maturity levels for most entities were significantly below” requirements under policy 10 of the protective security policy framework (PSPF).

Policy 10 requires entities to achieve the maturity level ‘managing’, which the ANAO said is equivalent to the essential eight maturity level three.

“Of the 18 entities assessed, only one was rated as achieving a managing maturity level across all eight controls,” the auditor said.

The review found the lowest level of compliance related to the application hardening, macro controls and multi-factor authentication controls - all non-mandatory under the essential eight.

“Achieving a Managing level for Application Hardening was viewed by entities to be difficult due to the number of applications in the entities’ systems and the difficulty in identifying all applicable hardening controls,” the auditor said.

But it also acknowledged that the majority of agencies are planning to address these concerns by July.

“Entities have implementation plans focused on reducing the number of applications in their environments, with an aim to lowering their attack surface and minimising risk,” the ANAO said.

“Implementation of these plans is currently being actioned by the majority of entities, with most plans scheduled for completion by July 2020.”

Restricting macros also differed widely between agencies, with agencies reporting the control as difficult “due to users relying heavily on macros to perform business activities”, with some relying on “additional mitigations” to address concerns.

For Multi-factor authentication, agencies “found the process of organising/distributing multi-factor authentication tokens for all users to be an onerous one”, with most instead accepting the risk and focusing on achieving a lesser maturity level.

“Entities prioritised multi-factor controls for remote access and privileged users, rather than all users,” the auditor said.

The ANAO also found that four agencies had incorrectly self-assessed, which the agencies blamed on a poor understanding of their requirements.

“The entities attributed the inaccuracies in their assessments to their interpretation of the scope of the requirement and indicated that they found it challenging to determine whether they had met the intention of the mitigation strategies,” the report states.

Most entities were also found to have “conducted their self-assessment at a system or environment level and did not specifically assess the controls required to minimise cyber risks to their FMIS or HRMIS applications”.

ANAO assessment worse than ACSC's

ACSC’s recent cyber security posture report to parliament found most government agencies were still struggling to implement the essential eight cyber security controls.

It said 73 percent of agencies reported below baseline levels of maturity with the mandatory top four controls last year, including 13 percent who reported ad hoc levels of maturity.

Ad hoc is considered the lowest possible score under the scoring metric, and indicates only “partial or basic implementation and management” of the top four.

But the auditor's report indicates that things are in fact even worse than this.

“ANAO found that 76 percent of controls were an ad-hoc or developing maturity level,” the report states.

“This is in line with ACSC findings, which noted ‘73 percent of non-corporate Commonwealth entities reporting ad hoc or developing levels of maturity’.”

As such, the auditor stressed “majority of the entities reviewed are not meeting the required Policy 10 maturity level” and said “significant progress was still required”.

The ANAO also pours cold water on any suggestion that changes to the PSPF in 2018 has led to any real improvement in cyber resilience.

This is despite the government’s cyber uplift in 2019, which assessed 25 agencies in the wake of the state-sponsored cyber attack against Parliament House - Australia’s “first national cyber crisis”.  

“The regulatory framework and self- assessments to date have not driven the achievement of the standard of cyber security required by Government policy,” the auditor said.

“The policy 10 requirements, that non-corporate Commonwealth entities implement the ASD Mandatory Strategies to Mitigate Cyber Security Incidents (Top Four), have been in place since 2013.

“Entities’ inability to meet these requirements indicates a weakness in implementing and maintaining strong security controls over time.

“Previous audits of cyber security by the ANAO to assess the progress of implementation against Policy 10 requirements have not found an improvement in the level of compliance with the controls over time. 

“The work undertaken as part of this review indicates that this pattern continues, with limited improvements.”