← Frameworks / ASD Essential Eight / Coverage Analysis

ASD Essential Eight Maturity Model — SP 800-53 Coverage

How well do NIST SP 800-53 Rev 5 controls address each ASD Essential Eight requirement? This analysis maps from framework clauses back to SP 800-53, with expert coverage weightings and gap identification.

Clauses: 32
Avg Coverage: 80.2%
Publisher: Australian Signals Directorate
Coverage Distribution
Full (85-100%): 15 Substantial (65-84%): 16 Partial (40-64%): 1 Weak (1-39%): 0
ASD Essential Eight → SP 800-53 SP 800-53 → ASD Essential Eight Coverage Analysis

Clause-by-Clause Analysis

Sorted by clause
E8-1 Application Control
CM-07 CM-11 CM-14
92%

Rationale

CM-07(4) application allowlisting; CM-07(5) authorized software; CM-11 user-installed software restrictions. CM-14 (new in Rev 5) signed components adds cryptographic verification of application integrity, strengthening application control enforcement.

Gaps

Minimal gap. CM-14 improves integrity verification for allowed applications.

Mapped Controls

CM-07 CM-11 CM-14
E8-1 ML1 Application control - Maturity Level 1: Prevent execution of unapproved executables on workstations
CM-07
90%

Rationale

CM-07(4)/(5) application allowlisting directly covers ML1 requirements.

Gaps

Minimal gap.

Mapped Controls

CM-07
E8-1 ML2 Application control - Maturity Level 2: Extend to all user-facing systems; logging of blocked attempts
AU-02 AU-03 CM-07
85%

Rationale

CM-07(4)/(5) application allowlisting; AU-02/AU-03 logging of security events.

Gaps

Minor: ASD E8 ML2 requires specific logging of blocked execution attempts and coverage of internet-facing servers.

Mapped Controls

AU-02 AU-03 CM-07
E8-1 ML3 Application control - Maturity Level 3: Microsoft's recommended block rules, WDAC, driver control
CM-07 CM-14
72%

Rationale

CM-07(4)/(5) application allowlisting covers the concept. CM-14 (new in Rev 5) signed components supports driver integrity verification relevant to ML3 driver control requirements.

Gaps

ASD E8 ML3 specifies Microsoft-specific implementation (WDAC, recommended block lists, driver control). SP 800-53 is technology-neutral. CM-14 strengthens signed component verification but doesn't address Microsoft-specific implementations.

Mapped Controls

CM-07 CM-14
E8-2 Patch Applications
RA-05 SI-02
90%

Rationale

SI-02 flaw remediation with automated mechanisms; RA-05 vulnerability scanning.

Gaps

Minimal gap. SP 800-53 patching controls align well with ASD Essential Eight application patching.

Mapped Controls

RA-05 SI-02
E8-2 ML1 Patch Applications - ML1: Patch internet-facing services within 2 weeks; scanners within 48 hours
SI-02 RA-05
80%

Rationale

SI-02 flaw remediation; RA-05 vulnerability scanning.

Gaps

ASD E8 ML1 specifies patch timeframes (48 hours for critical vulnerabilities, 2 weeks for internet-facing). SP 800-53 requires timely patching but doesn't specify these timeframes.

Mapped Controls

SI-02 RA-05
E8-2 ML2 Patch Applications - ML2: Patch within 48 hours for exploited vulnerabilities
RA-05 SI-02
80%

Rationale

SI-02 with automated patching; RA-05 vulnerability scanning.

Gaps

ASD E8 ML2 specifies 48-hour patching for exploited vulnerabilities. SP 800-53 supports timely patching but specific timelines are organization-defined.

Mapped Controls

RA-05 SI-02
E8-2 ML3 Patch Applications - ML3: Automated asset discovery and patch coverage
CM-08 CM-12 RA-05 SI-02
88%

Rationale

SI-02(1) automated patching; CM-08(1) automated discovery; RA-05(2) update vulnerability database. CM-12 (new in Rev 5) information location improves asset-to-patch coverage tracking by identifying where software components reside.

Gaps

Minor: ASD E8 ML3 requires automated patch compliance reporting. CM-12 improves information location for patch coverage assessment.

Mapped Controls

CM-08 CM-12 RA-05 SI-02
E8-3 Configure Microsoft Office Macro Settings
CM-07 CM-06 SI-03 SC-18
68%

Rationale

CM-07 least functionality; CM-06 configuration settings; SI-03 malware protection; SC-18 mobile code restrictions.

Gaps

ASD E8 specifically addresses Microsoft Office macros. SP 800-53 covers application configuration generally but macro-specific controls are technology-specific.

Mapped Controls

CM-07 CM-06 SI-03 SC-18
E8-3 ML1 Macros - ML1: Disable macros for users who don't require them
CM-07 CM-06
70%

Rationale

CM-07 least functionality supports disabling unnecessary features; CM-06 configuration settings.

Gaps

ASD E8 ML1 specifies macro disablement. SP 800-53 supports through general configuration controls but Office macro-specific guidance not provided.

Mapped Controls

CM-07 CM-06
E8-3 ML2 Macros - ML2: Block macros from the internet, antivirus scanning of macros
CM-07 SI-03 SC-18
65%

Rationale

CM-07 configuration; SI-03 malware scanning; SC-18 mobile code.

Gaps

ASD E8 ML2 specifies blocking internet-originated macros and AV scanning. SP 800-53 covers malware protection generally.

Mapped Controls

CM-07 SI-03 SC-18
E8-3 ML3 Macros - ML3: Only signed macros from trusted publishers
CM-07 CM-06 SI-07 CM-14
65%

Rationale

CM-07 least functionality; CM-06 configuration; SI-07 integrity verification. CM-14 (new in Rev 5) signed components provides cryptographic verification relevant to macro signing enforcement.

Gaps

ASD E8 ML3 specifies trusted publisher macro signing. CM-14 strengthens signed component verification but macro signing policy remains technology-specific.

Mapped Controls

CM-07 CM-06 SI-07 CM-14
E8-4 User Application Hardening
CM-06 CM-07 SC-18
80%

Rationale

CM-06 configuration settings; CM-07 least functionality; SC-18 mobile code restrictions.

Gaps

Minor: ASD E8 specifically addresses web browser hardening, blocking ads/Java/Flash. SP 800-53 covers application configuration generally.

Mapped Controls

CM-06 CM-07 SC-18
E8-4 ML1 App Hardening - ML1: Block Flash, ads, Java in browsers; disable unneeded features
CM-07 CM-06 SC-18
75%

Rationale

CM-07 least functionality; CM-06 settings; SC-18 mobile code.

Gaps

ASD E8 ML1 specifies browser hardening. SP 800-53 covers through general configuration controls.

Mapped Controls

CM-07 CM-06 SC-18
E8-4 ML2 App Hardening - ML2: Disable PowerShell 2.0, constrained language mode
CM-07 CM-06
65%

Rationale

CM-07 least functionality; CM-06 configuration settings.

Gaps

ASD E8 ML2 specifies PowerShell constraints. SP 800-53 covers least functionality generally but scripting engine restrictions are technology-specific.

Mapped Controls

CM-07 CM-06
E8-4 ML3 App Hardening - ML3: .NET Framework 3.5 removal, PowerShell constrained mode, WDAC enforcement
CM-07 CM-06
55%

Rationale

CM-07 least functionality; CM-06 configuration.

Gaps

ASD E8 ML3 specifies Windows-specific hardening (.NET removal, PowerShell constraints, WDAC). SP 800-53 is technology-neutral; Microsoft-specific hardening guidance not provided.

Mapped Controls

CM-07 CM-06
E8-5 Restrict Administrative Privileges
AC-02 AC-06
90%

Rationale

AC-06 least privilege with comprehensive enhancements; AC-02 account management.

Gaps

Minimal gap. SP 800-53 least privilege controls align well with ASD Essential Eight admin privilege restriction.

Mapped Controls

AC-02 AC-06
E8-5 ML1 Admin Privileges - ML1: Restrict privileged access to admin tasks
AC-02 AC-06
90%

Rationale

AC-06 least privilege; AC-06(5) privileged accounts; AC-02 account management.

Gaps

Minimal gap.

Mapped Controls

AC-02 AC-06
E8-5 ML2 Admin Privileges - ML2: Separate admin workstations, no internet/email from privileged accounts
AC-02 AC-06 SC-07
80%

Rationale

AC-06(2) non-privileged access for non-security functions; SC-07 boundary protection; AC-02 account management.

Gaps

ASD E8 ML2 requires privileged access workstations (PAWs) and internet restrictions. SP 800-53 supports through privilege and boundary controls but PAW concept is implementation-specific.

Mapped Controls

AC-02 AC-06 SC-07
E8-5 ML3 Admin Privileges - ML3: JIT admin, credential guard, block privileged account internet access
AC-02 AC-06 IA-05
70%

Rationale

AC-06 least privilege; AC-02(6) dynamic privilege management; IA-05 credential management.

Gaps

ASD E8 ML3 specifies just-in-time administration and credential guard. SP 800-53 covers dynamic access and credential management but JIT and Credential Guard are implementation-specific.

Mapped Controls

AC-02 AC-06 IA-05
E8-6 Patch Operating Systems
RA-05 SA-22 SI-02
85%

Rationale

SI-02 flaw remediation; SI-02(1) automated mechanisms; RA-05 vulnerability scanning; SA-22 unsupported system components.

Gaps

Minor: ASD E8 specifies OS patching timeframes (48 hours for critical). SP 800-53 requires timely patching but timeframes are organization-defined.

Mapped Controls

RA-05 SA-22 SI-02
E8-6 ML1 Patch OS - ML1: Patch internet-facing OS within 2 weeks
SI-02 RA-05
80%

Rationale

SI-02 flaw remediation; RA-05 vulnerability scanning.

Gaps

ASD specifies 2-week timeframe. SP 800-53 requires timely remediation without specific timeframe.

Mapped Controls

SI-02 RA-05
E8-6 ML2 Patch OS - ML2: Patch within 48 hours for exploited vulnerabilities
SI-02
80%

Rationale

SI-02 with automated remediation mechanisms.

Gaps

ASD specifies 48-hour timeframe for exploited vulnerabilities. SP 800-53 timeframes are organization-defined.

Mapped Controls

SI-02
E8-6 ML3 Patch OS - ML3: Latest OS versions, automated patch compliance
CM-08 SA-22 SI-02
80%

Rationale

SI-02(1) automated patching; SA-22 unsupported components; CM-08(1) automated inventory.

Gaps

ASD ML3 requires latest/previous OS versions only. SA-22 covers unsupported components similarly.

Mapped Controls

CM-08 SA-22 SI-02
E8-7 Multi-factor Authentication
IA-02 IA-05
90%

Rationale

IA-02(1)/(2) MFA for privileged/non-privileged; IA-02(6) network access; IA-05 authenticator management.

Gaps

Minimal gap. SP 800-53 MFA controls align well with ASD Essential Eight MFA requirements.

Mapped Controls

IA-02 IA-05
E8-7 ML1 MFA - ML1: MFA for internet-facing services
IA-02
85%

Rationale

IA-02(1)/(2) MFA for accounts accessing systems.

Gaps

Minor: ASD E8 ML1 specifically targets internet-facing services. SP 800-53 covers MFA generally.

Mapped Controls

IA-02
E8-7 ML2 MFA - ML2: MFA for all privileged access and important data repositories
AC-17 IA-02
85%

Rationale

IA-02(1) MFA for privileged; AC-17 remote access.

Gaps

Minor: ASD E8 ML2 requires MFA for important data repositories. SP 800-53 covers through general MFA and access controls.

Mapped Controls

AC-17 IA-02
E8-7 ML3 MFA - ML3: Phishing-resistant MFA (FIDO2, smart cards)
IA-02
80%

Rationale

IA-02(1) MFA; IA-02(12) acceptance of PIV credentials.

Gaps

ASD E8 ML3 specifies phishing-resistant authenticators. SP 800-53 supports through MFA and PIV controls but phishing resistance as a specific requirement is implementation-dependent.

Mapped Controls

IA-02
E8-8 Regular Backups
CP-06 CP-09 CP-10
90%

Rationale

CP-09 system backup; CP-06 alternate storage; CP-10 recovery; CP-09(1) testing for reliability.

Gaps

Minimal gap. SP 800-53 backup controls align well with ASD Essential Eight backup requirements.

Mapped Controls

CP-06 CP-09 CP-10
E8-8 ML1 Backups - ML1: Backups of important data, software, configuration settings
CP-09
90%

Rationale

CP-09 directly covers backup of data, software, and configurations.

Gaps

Minimal gap.

Mapped Controls

CP-09
E8-8 ML2 Backups - ML2: Backups stored disconnected, backup restoration tested
CP-06 CP-09
85%

Rationale

CP-09 backup; CP-06 alternate storage; CP-09(1) testing restoration.

Gaps

Minor: ASD E8 ML2 requires offline/disconnected backup copies. CP-06 alternate storage covers but offline specifically is less explicit.

Mapped Controls

CP-06 CP-09
E8-8 ML3 Backups - ML3: Unprivileged accounts cannot modify/delete backups
CP-09 AC-06 AC-03
85%

Rationale

CP-09 backup with protection; AC-06 least privilege; AC-03 access enforcement.

Gaps

Minor: ASD E8 ML3 specifically addresses backup privilege separation. SP 800-53 covers through access control.

Mapped Controls

CP-09 AC-06 AC-03

Methodology and Disclaimer

This coverage analysis maps from ASD Essential Eight clauses/requirements back to NIST SP 800-53 Rev 5 controls, assessing how well the SP 800-53 control set addresses each framework requirement.

Coverage weighting represents an informed estimate based on control-objective alignment, not a definitive compliance determination. Weightings consider whether SP 800-53 controls address the intent of each framework requirement, even where terminology and structure differ.

This analysis should be validated by qualified assessors for use in compliance or audit activities. The authoritative source for any compliance determination is always the framework itself.