ESSENTIAL EIGHT ML2 FOR DISP
The October 2024 mandate, all 8 controls at ML2, IRAP assessment requirements, and how to achieve compliance before your DISP application.
WHY ESSENTIAL EIGHT ML2 IS MANDATORY FOR DISP
The Australian Government mandated Essential Eight Maturity Level 2 as the minimum cyber security baseline for all DISP Baseline members in October 2024. This followed the 2023 Defence Strategic Review (DSR), which identified the cyber security posture of the defence supply chain as a critical vulnerability requiring urgent remediation.
Prior to October 2024, DISP members were required to implement the Essential Eight but were not required to achieve a specific maturity level. The October 2024 mandate closed this gap: all DISP Baseline members must now demonstrate ML2 compliance, verified by an ASD-endorsed IRAP assessor, as a condition of membership.
ML2 was chosen as the minimum because the ASD maturity model pitches it at adversaries willing to invest more time and effort in a target than commodity attackers, which covers the attack vectors most often used against the defence supply chain (phishing, credential theft, ransomware and compromise via a supplier) without imposing the full burden of ML3 on smaller defence suppliers.
ML1 vs ML2 vs ML3 — Key Differences
| Level | What the level means | DISP Requirement |
|---|---|---|
| ML1 | Controls partially implemented with lenient settings; aimed at adversaries using widely available commodity tradecraft. | Not sufficient |
| ML2 | Controls applied consistently across every in-scope system; aimed at adversaries willing to invest more time and effort in a target. Any gap is a documented, risk-accepted exception with a compensating control, not an informal omission. | ✓ Minimum for Baseline |
| ML3 | Controls fully implemented with the strictest settings (for example phishing-resistant MFA, just-in-time administration, application control on all servers); aimed at adaptive, well-resourced adversaries. | Required for some NV1/NV2 controls |
ALL 8 ESSENTIAL EIGHT CONTROLS AT ML2
Each control must be applied consistently across all in-scope systems. Any gap must be documented as a risk-accepted exception with a compensating control, or it is a finding. IRAP assessors test compliance against ASD's Essential Eight Assessment Process Guide.
Application Control
Application control is enforced on all workstations and internet-facing servers (ML3 extends it to every server), for every user profile including administrators. Rulesets restrict executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set; Microsoft's recommended application control block rules are applied; the ruleset is validated at least annually; and both allowed and blocked execution events are centrally logged.
Patch Applications
Patches for vulnerabilities in online services are applied within 48 hours of release when the vendor rates them critical or a working exploit exists, and within two weeks otherwise. Office productivity suites, web browsers and their extensions, email clients, PDF software and security products are patched within two weeks; all other applications within one month. A vulnerability scanner is run at least daily against online services, at least weekly against that core application set and at least fortnightly against other applications. Online services and applications no longer supported by the vendor must be removed.
Configure Microsoft Office Macro Settings
Microsoft Office macros are disabled for every user without a demonstrated business requirement. Where macros are allowed, macros in files from the internet (Mark-of-the-Web) are blocked, macro antivirus scanning (AMSI) is enabled, macros are blocked from making Win32 API calls, and users cannot change the macro security settings. Allowed and blocked macro executions are centrally logged. Restricting macros to Trusted Locations or trusted publishers is an ML3 refinement, not an ML2 requirement.
User Application Hardening
Internet Explorer 11 is disabled or removed (Flash is end-of-life and no longer appears in the maturity model). Web browsers do not process Java or web advertisements from the internet, and users cannot change browser security settings. Microsoft Office is blocked from creating child processes, creating executable content and injecting code into other processes, OLE package activation is prevented, and PDF software is blocked from creating child processes; users cannot change the Office or PDF security settings. PowerShell 2.0 is disabled or removed, PowerShell runs in Constrained Language Mode, blocked PowerShell script executions are centrally logged, and command-line process creation events are centrally logged.
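The two controls above are the most mechanically checkable on a Windows endpoint, and the evidence an assessor wants for them is the effective setting, not the policy document. The PowerShell below is an added example, not code from the original page or from any ASD or Defence tool: it reads the Office macro policy values, the Defender ASR rule state and the Windows optional features on a Windows 10/11 host and writes a pass/fail table to CSV. It assumes Office 2016 or Microsoft 365 Apps (policy key 16.0) with settings delivered through the HKCU/HKLM Policies keys, and an elevated session for the DISM feature queries; the check names and CSV layout are the example's own.

```powershell
# Added example: collect ML2 evidence for Office macro settings and user application hardening
# from a Windows 10/11 workstation. Assumes Office 2016 / Microsoft 365 Apps (policy key 16.0)
# with settings delivered by Group Policy (HKCU/HKLM Policies keys). Run elevated: the DISM
# feature queries need administrator rights.

$OfficeVer = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
$Checks = @()

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Return $null when the key or value is absent instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Add-Check {
    param([string]$Control, [string]$Check, $Expected, $Actual, [bool]$Pass)
    $script:Checks += [pscustomobject]@{ Control = $Control; Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

# --- Configure Microsoft Office Macro Settings ---
foreach ($app in $Apps) {
    $sec = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\$app\Security"
    # Block macros in files carrying Mark-of-the-Web (downloads, email attachments)
    $v = Get-RegValue $sec 'blockcontentexecutionfrominternet'
    Add-Check 'Office macros' "$app blocks macros in files from the internet" 1 $v ($v -eq 1)
    # VBAWarnings 4 = disable all macros without notification (users with no business need)
    $v = Get-RegValue $sec 'VBAWarnings'
    Add-Check 'Office macros' "$app macros disabled without notification" 4 $v ($v -eq 4)
}
# AMSI macro runtime scanning: 2 = enabled for all documents
$v = Get-RegValue "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\Common\Security" 'macroruntimescanscope'
Add-Check 'Office macros' 'Macro antivirus (AMSI) scanning enabled for all documents' 2 $v ($v -eq 2)

# Defender ASR rule "Block Win32 API calls from Office macros": action 1 = Block
$asrId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'
$mp   = Get-MpPreference -ErrorAction SilentlyContinue
$ids  = @($mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToLower() })
$idx  = [array]::IndexOf($ids, $asrId)
$mode = if ($idx -ge 0) { [int]$mp.AttackSurfaceReductionRules_Actions[$idx] } else { $null }
Add-Check 'Office macros' 'ASR: block Win32 API calls from Office macros' 1 $mode ($mode -eq 1)

# --- User Application Hardening ---
# Internet Explorer 11 and the PowerShell 2.0 engine must be disabled or removed
foreach ($f in @(
    @{ Name = 'Internet-Explorer-Optional-amd64'; Label = 'Internet Explorer 11' },
    @{ Name = 'MicrosoftWindowsPowerShellV2';     Label = 'PowerShell 2.0 engine' })) {
    $feat  = Get-WindowsOptionalFeature -Online -FeatureName $f.Name -ErrorAction SilentlyContinue
    $state = if ($feat) { [string]$feat.State } else { 'NotPresent' }
    Add-Check 'App hardening' "$($f.Label) disabled or removed" 'Disabled/NotPresent' $state ($state -ne 'Enabled')
}

# Language mode of this session: ConstrainedLanguage is what WDAC/AppLocker enforcement yields.
# If this admin host is exempt from enforcement, capture this one from a standard-user session.
$lm = [string]$ExecutionContext.SessionState.LanguageMode
Add-Check 'App hardening' 'PowerShell Constrained Language Mode' 'ConstrainedLanguage' $lm ($lm -eq 'ConstrainedLanguage')

# Script block logging (blocked and suspicious script executions land in Microsoft-Windows-PowerShell/Operational)
$v = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
Add-Check 'App hardening' 'PowerShell script block logging enabled' 1 $v ($v -eq 1)

# Command line captured in process creation events (Security event 4688)
$v = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
Add-Check 'App hardening' 'Command line included in process creation events' 1 $v ($v -eq 1)

$Checks | Format-Table Control, Check, Expected, Actual, Pass -AutoSize
# Keep the raw result as evidence for the assessor, one file per host
$Checks | Export-Csv -NoTypeInformation -Path ("E8-ML2-evidence-{0}-{1:yyyyMMdd}.csv" -f $env:COMPUTERNAME, (Get-Date))
```

Run it on a representative workstation from each build you have in scope, keep the CSVs alongside the exported Group Policy report, and treat any `Pass = False` row as either a remediation item or a documented exception before the assessor finds it.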
Restrict Administrative Privileges
Requests for privileged access are validated when first made, and privileged access is automatically disabled after 12 months unless revalidated, or after 45 days of inactivity. Privileged users operate from a separate privileged operating environment (not virtualised within the unprivileged one), which unprivileged accounts cannot log on to. Privileged accounts (other than privileged service accounts) are prevented from accessing the internet, email and web services, and administrative activities are conducted through jump servers. Local administrator and service account credentials are long, unique, unpredictable and managed. Privileged access events, and privileged account and group management events, are centrally logged. Just-in-time administration is an ML3 requirement, not an ML2 one.
Patch Operating Systems
Operating system patches for internet-facing servers and network devices are applied within 48 hours of release when the vendor rates them critical or a working exploit exists, and within two weeks otherwise. Workstations, non-internet-facing servers and non-internet-facing network devices are patched within one month. A vulnerability scanner is run at least daily against internet-facing systems and at least fortnightly against the rest. Operating systems no longer supported by the vendor must be replaced.
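Both patching controls (Patch Applications above and Patch Operating Systems here) reduce to the same question for each missing patch: what is the ML2 window for this asset class, and has it been met? The PowerShell below is an added example, not an ASD or Defence tool, that encodes those windows and evaluates a constructed inventory of the kind a vulnerability scanner exports. The five asset categories are the example's own naming, "one month" is treated as 30 days, the sample records are made up, and "now" is fixed so the output is reproducible.

```powershell
# Added example: Essential Eight ML2 patch-window evaluation over a constructed inventory.
# Windows follow the ASD Essential Eight Maturity Model (Nov 2023); "one month" is treated
# as 30 days here (assumption). Category names are this example's own.

$Windows = @{
    # Online services / internet-facing OS: 48 h when vendor-critical or exploited, else 2 weeks
    'online-service'     = @{ Critical = [timespan]::FromHours(48); Normal = [timespan]::FromDays(14) }
    'internet-facing-os' = @{ Critical = [timespan]::FromHours(48); Normal = [timespan]::FromDays(14) }
    # Office suites, browsers, email clients, PDF software, security products: 2 weeks
    'core-app'           = @{ Critical = [timespan]::FromDays(14);  Normal = [timespan]::FromDays(14) }
    # Other applications; workstation, internal-server and network-device OS: 1 month
    'other-app'          = @{ Critical = [timespan]::FromDays(30);  Normal = [timespan]::FromDays(30) }
    'internal-os'        = @{ Critical = [timespan]::FromDays(30);  Normal = [timespan]::FromDays(30) }
}

function Get-PatchWindow {
    param([string]$Category, [bool]$Critical)
    $w = $Windows[$Category]
    if (-not $w) { throw "Unknown asset category '$Category'" }
    if ($Critical) { return $w.Critical } else { return $w.Normal }
}

function Test-PatchRecord {
    param($Record, [datetime]$Now)
    $deadline = $Record.Released + (Get-PatchWindow $Record.Category $Record.Critical)
    $status = if ($Record.Applied) {
        # Applied: compliant only if it landed inside the window
        if ($Record.Applied -le $deadline) { 'Compliant' } else { 'Late' }
    } elseif ($Now -gt $deadline) {
        'Overdue'      # still missing and past the deadline
    } else {
        'Open'         # still missing, window not yet expired
    }
    [pscustomobject]@{
        Asset    = $Record.Asset
        Category = $Record.Category
        Critical = $Record.Critical
        Deadline = $deadline
        Applied  = $Record.Applied
        Status   = $status
    }
}

# Constructed sample inventory (not real data); in practice export this from your vulnerability scanner.
$Inventory = @(
    [pscustomobject]@{ Asset='vpn-gw-01'; Category='internet-facing-os'; Critical=$true;  Released=[datetime]'2024-10-01'; Applied=[datetime]'2024-10-02' }
    [pscustomobject]@{ Asset='www-01';    Category='online-service';     Critical=$true;  Released=[datetime]'2024-10-01'; Applied=[datetime]'2024-10-05' }
    [pscustomobject]@{ Asset='www-01';    Category='online-service';     Critical=$false; Released=[datetime]'2024-10-10'; Applied=$null }
    [pscustomobject]@{ Asset='wks-0042';  Category='core-app';           Critical=$false; Released=[datetime]'2024-10-08'; Applied=[datetime]'2024-10-20' }
    [pscustomobject]@{ Asset='wks-0042';  Category='internal-os';        Critical=$true;  Released=[datetime]'2024-10-08'; Applied=$null }
    [pscustomobject]@{ Asset='fs-02';     Category='other-app';          Critical=$false; Released=[datetime]'2024-10-20'; Applied=$null }
)

$Now = [datetime]'2024-11-01'   # fixed so the output is reproducible
$Results = $Inventory | ForEach-Object { Test-PatchRecord $_ $Now }

$Results | Format-Table Asset, Category, Critical, Deadline, Applied, Status -AutoSize
# Anything not Compliant is either an assessment finding or needs a documented exception
$Results | Where-Object { $_.Status -ne 'Compliant' } | Group-Object Status | Select-Object Name, Count
```

With the sample data the two critical internet-facing items get a 48-hour deadline of 3 October: the VPN gateway patched on the 2nd is Compliant, the web server patched on the 5th is Late, and the unpatched non-critical web service whose two-week window closed on 24 October is Overdue. The two 30-day items are still Open on 1 November, which is the distinction that matters when you are deciding what to remediate before the IRAP assessment starts.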
Multi-Factor Authentication
MFA is used by your users to authenticate to your online services that handle sensitive data, to third-party online services that handle your sensitive data (and, where available, to those handling non-sensitive data), and by customers to online customer services that handle sensitive customer data. MFA is used to authenticate both privileged and unprivileged users of your systems, and users of data repositories. The MFA must be either something users have plus something they know, or something users have that is unlocked by something they know or are. Successful and unsuccessful MFA events are centrally logged. Phishing-resistant MFA is an ML3 requirement, not an ML2 one.
Regular Backups
Backups of important data, software and configuration settings are performed and retained according to your business continuity requirements (the maturity model does not fix a cadence such as daily or a three-month retention; your BCP does), are synchronised so they can be restored to a common point in time, and are held in a secure and resilient manner. Restoration is tested as part of disaster recovery exercises. Unprivileged accounts cannot access backups belonging to other accounts and cannot modify or delete backups; privileged accounts (other than backup administrators) are under the same restrictions, which is what keeps a ransomware operator holding domain admin away from the backups.
IRAP ASSESSMENT FOR DISP — WHAT TO EXPECT
Scope Definition
Define the boundary of systems in scope for the assessment. All systems that process, store, or transmit classified Defence information must be in scope.
Evidence Collection
Provide the IRAP assessor with evidence of compliance for each E8 control — configuration screenshots, policy documents, audit logs, and test results.
Assessment & Findings
The assessor tests each control against ASD's Essential Eight Assessment Process Guide and documents findings, rated by severity: Critical, High, Medium, Low.
Remediation & Report
Remediate critical and high findings before DISP submission. The IRAP report is submitted with your DISP application as evidence of ML2 compliance.
ESSENTIAL EIGHT ML2 FOR DISP — FAQs
5 key questions about E8 ML2 requirements for DISP membership.
Why is Essential Eight ML2 required for DISP?
The Australian Government mandated Essential Eight Maturity Level 2 as the minimum cyber security baseline for all DISP Baseline members in October 2024, following the 2023 Defence Strategic Review (DSR). The DSR identified that the cyber security posture of the defence supply chain was a critical vulnerability. ML2 was chosen as the minimum because it provides meaningful protection against the most common attack vectors targeting the defence supply chain, including phishing, credential theft, and ransomware.
What are the 8 controls at ML2?
The 8 Essential Eight controls at Maturity Level 2 are: (1) Application Control: only approved executables, libraries, scripts, installers and similar content run on workstations and internet-facing servers, with execution events centrally logged; (2) Patch Applications: online services within 48 hours when critical or exploited (two weeks otherwise), office suites, browsers, email clients, PDF software and security products within two weeks, other applications within one month; (3) Configure Microsoft Office Macro Settings: macros disabled for users without a business need, macros in files from the internet blocked, AMSI scanning on, Win32 API calls blocked; (4) User Application Hardening: IE11 removed, Java and ads from the internet blocked, Office and PDF child-process and executable-content restrictions, PowerShell 2.0 removed and Constrained Language Mode enforced; (5) Restrict Administrative Privileges: access validated on request and revalidated every 12 months, separate privileged operating environments, no internet or email for privileged accounts, administration via jump servers; (6) Patch Operating Systems: internet-facing servers and devices within 48 hours when critical or exploited (two weeks otherwise), everything else within one month; (7) Multi-Factor Authentication: for online services handling sensitive data, privileged and unprivileged users of systems, and users of data repositories, using something you have plus something you know, or an authenticator unlocked by a PIN or biometric; (8) Regular Backups: performed and retained per business continuity requirements, restorable to a common point in time, restore-tested in DR exercises, and protected from modification or deletion by all accounts except backup administrators.
What is an IRAP assessment for DISP?
An IRAP (Infosec Registered Assessors Program) assessment is an independent assessment of your ICT systems conducted by an ASD-endorsed IRAP assessor. For DISP, the IRAP assessment verifies that your in-scope ICT systems meet Essential Eight ML2 requirements and relevant ISM controls. The assessment report is submitted as part of your DISP application. DISO requires a current IRAP assessment for all DISP applications; self-assessment is not accepted.
What is the difference between ML1, ML2, and ML3?
Maturity Level 1 (ML1) is basic cyber hygiene aimed at adversaries using commodity tradecraft; the controls are implemented, but partially and with lenient settings. Maturity Level 2 (ML2) requires every control to be applied consistently across all systems in scope, with evidence of effectiveness; any gap must be a documented, risk-accepted exception with a compensating control rather than an informal omission. Maturity Level 3 (ML3) tightens the settings further (for example phishing-resistant MFA, just-in-time administration and application control on all servers) and targets adaptive, well-resourced adversaries. DISP Baseline requires ML2 as the minimum. Higher membership levels (NV1, NV2) may require ML3 for some controls.
How long does Essential Eight ML2 uplift take?
For most organisations, achieving Essential Eight ML2 from a typical starting point takes 3–6 months. Organisations with complex ICT environments, legacy systems, or significant gaps (particularly in application control and privileged access management) may require 6–12 months. The most time-consuming controls are typically Application Control (requires comprehensive application inventory and testing) and Restrict Administrative Privileges (requires process changes and potentially significant IAM work). Starting the uplift process early — before the DISP application — is critical to avoiding timeline delays.
GET YOUR E8 ML2 GAP ANALYSIS FREE.
Book a free Essential Eight ML2 Gap Analysis. We'll assess your current posture against all 8 controls and give you a prioritised remediation roadmap before your IRAP assessment.