← Frameworks / Security Controls

ASD Essential Eight Maturity Model

Eight prioritised mitigation strategies from the Australian Signals Directorate, each with four maturity levels (0-3). Covers application control, patching applications and operating systems, Microsoft Office macro settings, user application hardening, restricting administrative privileges, multi-factor authentication, and regular backups.

Clauses: 32

Avg Coverage: 80.2%

Publisher: Australian Signals Directorate Version: 2023

ASD Essential Eight → SP 800-53 SP 800-53 → ASD Essential Eight Coverage Analysis

Clause	Title	SP 800-53 Controls
E8-1	Application Control	CM-07 CM-11 CM-14
E8-1 ML1	Application control - Maturity Level 1: Prevent execution of unapproved executables on workstations	CM-07
E8-1 ML2	Application control - Maturity Level 2: Extend to all user-facing systems; logging of blocked attempts	AU-02 AU-03 CM-07
E8-1 ML3	Application control - Maturity Level 3: Microsoft's recommended block rules, WDAC, driver control	CM-07 CM-14
E8-2	Patch Applications	RA-05 SI-02
E8-2 ML1	Patch Applications - ML1: Patch internet-facing services within 2 weeks; scanners within 48 hours	SI-02 RA-05
E8-2 ML2	Patch Applications - ML2: Patch within 48 hours for exploited vulnerabilities	RA-05 SI-02
E8-2 ML3	Patch Applications - ML3: Automated asset discovery and patch coverage	CM-08 CM-12 RA-05 SI-02
E8-3	Configure Microsoft Office Macro Settings	CM-07 CM-06 SI-03 SC-18
E8-3 ML1	Macros - ML1: Disable macros for users who don't require them	CM-07 CM-06
E8-3 ML2	Macros - ML2: Block macros from the internet, antivirus scanning of macros	CM-07 SI-03 SC-18
E8-3 ML3	Macros - ML3: Only signed macros from trusted publishers	CM-07 CM-06 SI-07 CM-14
E8-4	User Application Hardening	CM-06 CM-07 SC-18
E8-4 ML1	App Hardening - ML1: Block Flash, ads, Java in browsers; disable unneeded features	CM-07 CM-06 SC-18
E8-4 ML2	App Hardening - ML2: Disable PowerShell 2.0, constrained language mode	CM-07 CM-06
E8-4 ML3	App Hardening - ML3: .NET Framework 3.5 removal, PowerShell constrained mode, WDAC enforcement	CM-07 CM-06
E8-5	Restrict Administrative Privileges	AC-02 AC-06
E8-5 ML1	Admin Privileges - ML1: Restrict privileged access to admin tasks	AC-02 AC-06
E8-5 ML2	Admin Privileges - ML2: Separate admin workstations, no internet/email from privileged accounts	AC-02 AC-06 SC-07
E8-5 ML3	Admin Privileges - ML3: JIT admin, credential guard, block privileged account internet access	AC-02 AC-06 IA-05
E8-6	Patch Operating Systems	RA-05 SA-22 SI-02
E8-6 ML1	Patch OS - ML1: Patch internet-facing OS within 2 weeks	SI-02 RA-05
E8-6 ML2	Patch OS - ML2: Patch within 48 hours for exploited vulnerabilities	SI-02
E8-6 ML3	Patch OS - ML3: Latest OS versions, automated patch compliance	CM-08 SA-22 SI-02
E8-7	Multi-factor Authentication	IA-02 IA-05
E8-7 ML1	MFA - ML1: MFA for internet-facing services	IA-02
E8-7 ML2	MFA - ML2: MFA for all privileged access and important data repositories	AC-17 IA-02
E8-7 ML3	MFA - ML3: Phishing-resistant MFA (FIDO2, smart cards)	IA-02
E8-8	Regular Backups	CP-06 CP-09 CP-10
E8-8 ML1	Backups - ML1: Backups of important data, software, configuration settings	CP-09
E8-8 ML2	Backups - ML2: Backups stored disconnected, backup restoration tested	CP-06 CP-09
E8-8 ML3	Backups - ML3: Unprivileged accounts cannot modify/delete backups	CP-09 AC-06 AC-03