Free tool

Essential Eight maturity check

The Essential Eight is ASD's baseline cyber strategy. Federal subcontractors handling OFFICIAL: Sensitive data must meet ML2 under Right Fit For Risk. Your overall maturity equals the LOWEST of the eight.

Target maturity

Current maturity per strategy

Application control

Patch applications

Configure Microsoft Office macro settings

User application hardening

Restrict administrative privileges

Patch operating systems

Multi-factor authentication

Regular backups

Overall maturity

ML0

Target

ML2

6 gap(s)

Why

Overall Essential Eight maturity is ML0 — the LOWEST of the eight strategies.
Your target is ML2.
ML2 is the standard baseline for Australian federal subcontractors handling OFFICIAL: Sensitive data (Right Fit For Risk).

Gaps to close

Application controlML0 → ML2
Patch applicationsML1 → ML2
Configure Microsoft Office macro settingsML0 → ML2
User application hardeningML0 → ML2
Restrict administrative privilegesML1 → ML2
Patch operating systemsML1 → ML2

Next steps

Close the 6 gap(s) below to reach ML2.
Schedule independent IRAP assessment after remediation — required for RFFR / OFFICIAL: Sensitive contracts.
Build evidence pack: policies, technical configurations, training records, vulnerability scans, backup test results.
Implement continuous monitoring — E8 ML is a moving target as threat models evolve.

Sources

Reference tool — does not substitute an IRAP assessment. For RFFR contracts you must engage an IRAP-endorsed assessor to validate the maturity rating.