Cybersecurity in federal agencies improving but more work needed: ACSC


Monday, 16 February, 2026


The Department of Home Affairs and the Australian Cyber Security Centre have released two key reports this month, the 2024–25 Protective Security Policy Framework (PSPF) Assessment Report and the 2025 Commonwealth Cyber Security Posture Report, which show that progress is being made, though more work remains to be done.

The PSPF Assessment Report shows 92% of entities achieved an overall rating of effective compliance under its new compliance-based reporting model.

While information security scored highly, technology security, inclusive of cybersecurity, remains an area for improvement, with 79% of entities reporting effective compliance.

The 2025 Commonwealth Cyber Security Posture Report highlights ongoing progress in implementing the Australian Signals Directorate’s Essential Eight mitigation strategies.

In 2025, 22% of entities reached Maturity Level 2 when compensating controls were considered, up from 15% in 2024. However, entities have not reached parity with 2023 levels, when 25% of entities reached Maturity Level 2. In November 2023, ASD increased and hardened the controls required to reach Maturity Level 2 in response to the threat environment. Other improvements include:

  • 90% of entities now have an incident response plan (up from 86%).
  • 82% have a cybersecurity strategy (up from 75%).
  • 91% have a planned body of work to improve cybersecurity.
  • 87% provide annual cybersecurity training to staff.
     

“Cybersecurity uplift is not a one-off exercise — it’s a continuous process,” said Stephanie Crowe, Head of the Australian Signals Directorate’s Australian Cyber Security Centre. “These reports show we’re heading in the right direction, but the threat environment is evolving, and so must we.”

“The government is accelerating the security uplift of its most critical digital infrastructure under the Systems of Government Significance regime,” said Brendan Dowling, Deputy Secretary Critical Infrastructure and Protective Security. “Delivering this program is an important step in achieving our vision of government as an exemplar for good security.”

To strengthen their cyber resilience, entities are encouraged to:

  • Continue implementing ASD’s Essential Eight mitigation strategies to at least Maturity Level 2.
  • Prioritise effective logging to ensure entities are best placed to identify malicious activity.
  • Implement strategies for managing legacy IT now and into the future.
  • Ensure supply chain risk assessments are a core output for new IT procurements.
  • Increase cybersecurity incident reporting and maintain a regularly tested incident response plan.
  • Start preparing for post-quantum cryptography by locating and assessing algorithms that will need to transition to more secure forms of encryption.
  • Provide annual cybersecurity and privileged user training to staff.
     

These steps, combined with ongoing collaboration across government and industry, will help ensure Australia’s systems remain secure against evolving threats.

