TL;DR
The Australian Cyber Security Centre’s 2025 Commonwealth Cyber Security Posture Report shows steady improvement in governance, planning, and preparedness across government.
But it also highlights a persistent gap: consistent implementation of technical controls, particularly the Essential Eight, remains uneven across entities.
For government, critical infrastructure, and regulated organisations, this is a clear signal: cyber maturity is improving, but operational execution still needs to catch up. 6clicks is built specifically to help close that gap.
The Australian Cyber Security Centre (ACSC), part of the Australian Signals Directorate (ASD), released the 2025 Commonwealth Cyber Security Posture Report, providing a detailed view of cyber security maturity across Australian Government entities. Let's take a look at what the numbers actually show, where the gaps remain, and what this means for organisations working to operationalise cyber security controls like the Essential Eight.
The report highlights meaningful progress across Australian Government organisations, particularly in governance and preparedness:
Taken together, these figures show a clear trend: government entities are becoming more structured, more prepared, and more intentional in how they approach cyber security. However, they also highlight areas of inconsistency, particularly in privileged access training and supply chain risk management, both of which are critical to reducing real-world exposure.
This reinforces a broader pattern reflected throughout the report: strong governance and planning do not automatically translate into consistent implementation of technical controls. Governance controls are easier to define, document, and report. Technology security controls are operational, system-dependent, and harder to evidence consistently.
This is most clearly reflected in Essential Eight outcomes:
Only 22% of entities achieved Maturity Level 2 across all eight Essential Eight mitigation strategies in 2025.
For organisations using ASD guidance as a benchmark, the question becomes: how confident are you that your controls are consistently implemented and operating as intended across your environment?
The Essential Eight is ASD’s prioritised set of mitigation strategies designed to help organisations protect against common cyber threats. It defines four maturity levels (ML0–ML3), with ML1–ML3 representing target maturity levels and ML0 indicating that the requirements for ML1 are not met.
The eight strategies are: application control; patching applications; configuring Microsoft Office macro settings; user application hardening; restricting administrative privileges; patching operating systems; multi-factor authentication; and regular backups.
On paper, the Essential Eight looks manageable. In practice, tracking compliance across all eight areas at the right maturity level, across multiple systems, for multiple entities or business units is genuinely difficult. Here is why:
6clicks is a Governance, Risk, and Compliance (GRC) platform purpose-built for complex environments. For organisations tracking the Essential Eight, it addresses the core problems outlined above, not with a generic compliance module, but with capabilities designed for the specific operational realities of government and critical infrastructure.
Hailey, the AI engine at the core of 6clicks, supports intelligent evidence collection. Rather than waiting for an audit cycle to pull together proof of compliance, teams can ingest evidence continuously from documents, system exports, logs, and connected sources, and map it automatically to Essential Eight controls. This shifts the posture from reactive to continuous.
6clicks includes a built-in Content Library with pre-mapped frameworks, including the Essential Eight maturity model. Controls can be mapped once and reused across related frameworks (PSPF, ISO 27001, NIST Cybersecurity Framework) without duplicating effort. For entities that operate across multiple standards simultaneously, this delivers a material reduction in effort and time required to manage compliance across frameworks.
For government departments, large enterprises, and critical infrastructure operators managing compliance across multiple entities or business units, 6clicks Hub & Spoke enables centralised governance with local autonomy. A central team can oversee aggregate Essential Eight maturity across the whole portfolio while individual entities manage their own evidence and assessments. The ACSC report highlights that only 22% of entities achieved Maturity Level 2 across all eight Essential Eight mitigation strategies, underscoring that consistency of implementation is a portfolio-level challenge as much as an individual entity one. Hub & Spoke is built for exactly that scale.
Not every government or critical infrastructure environment can use a standard SaaS platform. 6clicks supports deployment across hyperscaler SaaS, sovereign cloud, self-hosted environments, and on-premises via the 6clicks GRC Appliance, a certified hardware deployment option for air-gapped and classified environments. This matters because GRC tooling that cannot operate in restricted or air-gapped environments forces manual workarounds, which is precisely the kind of operational gap the ACSC report highlights.
The 2025 ACSC report is not a negative assessment of the Australian Government’s cyber posture. It reflects genuine progress in governance, planning, and preparedness across entities, but it also surfaces a structural challenge that every compliance-focused organisation faces: governance and policy are easier to establish than consistent control implementation in practice.
The report highlights this clearly. Despite ongoing uplift, only 22% of entities achieved Maturity Level 2 across all eight Essential Eight mitigation strategies, underscoring how difficult it is to implement controls consistently across complex environments.
Improving maturity is not about creating more policies. It is about operationalising the Essential Eight, making control implementation continuous, evidence-based, trackable, and scalable. That is a tooling and operating model challenge, and one that 6clicks is specifically designed to solve.
What is the Essential Eight maturity model?
The Essential Eight Maturity Model, published by the ASD, defines four maturity levels (ML0–ML3) for each of the eight mitigation strategies. ML1 to ML3 represent target maturity levels, aligned to increasing threat sophistication, while ML0 indicates that the requirements for ML1 are not met. ML1 is designed to mitigate opportunistic threats, while ML3 is intended to help organisations defend against more targeted and adaptive adversaries. Organisations select a target maturity level based on their threat environment and are expected to implement and maintain controls at that level. ASD's guidance is to reach the same maturity level across all eight strategies before moving to a higher level, which is why a single strategy lagging at ML0 or ML1 holds the organisation's overall level down regardless of how the other seven are performing.
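As an added example (not 6clicks code and not ASD tooling), the Python script below rolls up per-strategy self-assessment levels for a constructed portfolio of three hypothetical entities. It treats an entity's overall level as the lowest level it achieves across the eight strategies, which is the assumption behind any "ML2 across all eight" figure, reports each entity's per-strategy gap to a chosen target level, and aggregates which strategies most often fall short across the portfolio, the consistency view the report's findings call for. Entity names and levels are constructed for illustration, and the strategy identifiers are shorthand labels, not ASD's official wording.

```python
"""Essential Eight maturity roll-up over a constructed multi-entity portfolio.

Added example, not 6clicks code. Assumes per-strategy maturity levels (0-3)
self-assessed by each entity, and treats an entity's overall level as the
lowest level it achieves across all eight strategies.
"""
from collections import Counter
from typing import Dict

# Shorthand labels for ASD's eight mitigation strategies (not official wording).
ESSENTIAL_EIGHT = (
    "application_control",
    "patch_applications",
    "configure_office_macros",
    "user_application_hardening",
    "restrict_admin_privileges",
    "patch_operating_systems",
    "multi_factor_authentication",
    "regular_backups",
)
MAX_LEVEL = 3

# Constructed sample data: three hypothetical entities in a hub-and-spoke style
# portfolio. Levels are illustrative and are not taken from the ACSC report.
SAMPLE_PORTFOLIO: Dict[str, Dict[str, int]] = {
    "Entity A": {s: 2 for s in ESSENTIAL_EIGHT},
    "Entity B": {**{s: 2 for s in ESSENTIAL_EIGHT}, "restrict_admin_privileges": 1},
    "Entity C": {**{s: 3 for s in ESSENTIAL_EIGHT}, "regular_backups": 1, "patch_applications": 0},
}


def validate_assessment(levels: Dict[str, int]) -> None:
    """Reject assessments that omit a strategy or use a level outside ML0-ML3."""
    missing = set(ESSENTIAL_EIGHT) - set(levels)
    if missing:
        raise ValueError(f"assessment is missing strategies: {sorted(missing)}")
    for strategy, level in levels.items():
        if strategy not in ESSENTIAL_EIGHT:
            raise ValueError(f"unknown strategy: {strategy}")
        if not isinstance(level, int) or not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"{strategy}: level must be an integer 0-{MAX_LEVEL}, got {level!r}")


def overall_maturity(levels: Dict[str, int]) -> int:
    """Overall level = the lowest level achieved across all eight strategies.

    A single strategy at ML0 drags the whole entity to ML0, whatever the rest score.
    """
    validate_assessment(levels)
    return min(levels[s] for s in ESSENTIAL_EIGHT)


def gaps_to_target(levels: Dict[str, int], target: int) -> Dict[str, int]:
    """Strategies below the target level, mapped to how many levels short they are."""
    validate_assessment(levels)
    return {s: target - levels[s] for s in ESSENTIAL_EIGHT if levels[s] < target}


def portfolio_summary(portfolio: Dict[str, Dict[str, int]], target: int) -> dict:
    """Portfolio view: share of entities meeting the target across all eight,
    and a count of how often each strategy falls short (the consistency gap)."""
    meeting = [e for e, lv in portfolio.items() if overall_maturity(lv) >= target]
    shortfalls: Counter = Counter()
    for lv in portfolio.values():
        shortfalls.update(gaps_to_target(lv, target).keys())
    return {
        "target": target,
        "entities": len(portfolio),
        "meeting_target": sorted(meeting),
        "percent_meeting_target": round(100 * len(meeting) / len(portfolio), 1),
        "strategies_below_target": dict(shortfalls.most_common()),
    }


if __name__ == "__main__":
    for entity, levels in SAMPLE_PORTFOLIO.items():
        print(f"{entity}: overall ML{overall_maturity(levels)}, gaps to ML2 {gaps_to_target(levels, 2)}")
    print(portfolio_summary(SAMPLE_PORTFOLIO, target=2))
```

In the constructed data only Entity A reaches ML2 across all eight; Entity B is held at ML1 by a single strategy and Entity C, despite ML3 on six strategies, is at ML0 because one strategy scores 0. That is the pattern a portfolio-level tracker needs to surface: the aggregate figure is driven by the weakest strategy in each entity, not by the average.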
How does the ACSC assess Essential Eight maturity for Australian Government entities?
Australian Government entities self-assess their implementation of the Essential Eight maturity model as part of broader cyber security reporting obligations, including alignment with the Protective Security Policy Framework (PSPF). These self-assessments are reported to the Department of Home Affairs and contribute to whole-of-government posture insights. The ACSC then publishes aggregated findings and trends in the Commonwealth Cyber Security Posture Report, highlighting maturity levels and areas of variability across entities.
What do the ACSC findings mean in practice for Essential Eight implementation?
The 2025 report shows that while governance and planning are improving, consistent implementation of the Essential Eight remains a challenge across entities. Notably, only 22% of entities achieved Maturity Level 2 across all eight mitigation strategies, indicating that many organisations are still working to implement controls consistently across their environments. This does not necessarily mean those organisations are compromised, but it does highlight gaps in control coverage, consistency, or sustainability that may increase exposure to common cyber threats.
Can 6clicks help with Essential Eight maturity assessments?
Yes. 6clicks includes the Essential Eight framework and maturity assessment templates in its Content Library, supports evidence mapping to each control and maturity level, and enables continuous tracking rather than point-in-time assessments. It also supports the requirement-based assessment workflow for structured gap analysis against target maturity levels.
Is 6clicks suitable for Australian Government entities under IRAP?
Yes. 6clicks can be deployed to meet Information Security Registered Assessors Program (IRAP) requirements, including deployment options that satisfy data sovereignty requirements for Protected and higher classifications. Contact the 6clicks team to discuss your specific deployment constraints.
If the 2025 ACSC report has prompted you to take a harder look at how your organisation tracks Essential Eight maturity, particularly in complex, restricted, or multi-entity environments, join us for our upcoming webinar: GRC that works where others can't.
We'll be covering how the 6clicks Sovereign GRC Stack supports Essential Eight compliance in exactly the kinds of environments where standard cloud-first GRC platforms fall short: air-gapped networks, sovereign cloud requirements, and complex, multi-entity operations.