Essential Eight ML2 for federal contractors: a guide to Right Fit For Risk
Federal subcontractors handling OFFICIAL: Sensitive data must meet ASD Essential Eight Maturity Level 2 under Right Fit For Risk. Here's what each of the 8 strategies actually means at ML2.
What is Right Fit For Risk?
Right Fit For Risk (RFFR) is the Australian Government's framework for assessing the cyber security maturity of providers that handle Commonwealth information. The baseline expectation for providers handling OFFICIAL: Sensitive data is Essential Eight Maturity Level 2 plus the broader controls in the ASD Information Security Manual (ISM).
Compliance is assessed by an IRAP-endorsed assessor, a practitioner of the Information Security Registered Assessors Program certified by ASD.
The Essential Eight — strategy by strategy
The Essential Eight (E8) is ASD's baseline cyber strategy. At ML2, here's what each requires:
1. Application control
At ML2 — Application control implemented on workstations + internet-facing servers + an established subset of high-value servers. Blocks execution of unapproved software via an allow-list. Updated regularly.
2. Patch applications
At ML2 — Patches for internet-facing applications applied within 2 weeks, or 48 hours if a working exploit exists. Patch management automated.
3. Configure Microsoft Office macro settings
At ML2 — Macros disabled by default. Only signed macros from trusted publishers permitted. Logging of macro execution.
4. User application hardening
At ML2 — Internet Explorer 11 disabled / removed. Office macros from the internet blocked. PowerShell, Flash, web ads, Java applets blocked or restricted.
5. Restrict administrative privileges
At ML2 — Privileged access requests validated. Privileged accounts cannot browse the internet, check email, or run Office macros from privileged sessions. Privileged access reviewed annually.
6. Patch operating systems
At ML2 — OS patches applied within 2 weeks (48 hours if exploit known). Vendor-supported OS only.
7. Multi-factor authentication
At ML2 — MFA enforced for all users authenticating to important data repositories + privileged users + internet-facing services. MFA uses a 'something you have' factor; SMS alone is not sufficient for high-risk access.
8. Regular backups
At ML2 — Backups of important data + configuration tested quarterly. Backups stored in a way that prevents modification or deletion (immutable / offline / write-protected).
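The patching windows in strategies 2 and 6 are the same test an assessor applies to your patch records: 2 weeks for routine patches, 48 hours when a working exploit exists. The following added example (not part of this guide or of ASD's material) classifies constructed patch records against those two windows, with the record layout, status names and sample data all assumed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# ML2 patching windows: 2 weeks routinely, 48 hours if a working exploit exists.
ROUTINE_WINDOW = timedelta(days=14)
EXPLOITED_WINDOW = timedelta(hours=48)


@dataclass
class PatchRecord:
    asset: str
    component: str
    released: datetime           # when the vendor published the fix
    exploit_known: bool          # a working exploit is public
    patched: Optional[datetime]  # None means still unpatched


def deadline_for(record: PatchRecord) -> datetime:
    """Return the ML2 deadline that applies to this record."""
    window = EXPLOITED_WINDOW if record.exploit_known else ROUTINE_WINDOW
    return record.released + window


def evaluate(record: PatchRecord, now: datetime) -> str:
    """Classify a record as compliant, late, overdue or open (still within window)."""
    due = deadline_for(record)
    if record.patched is not None:
        return "compliant" if record.patched <= due else "late"
    return "overdue" if now > due else "open"


def summarise(records, now):
    """Map each asset:component to its status; 'late' and 'overdue' are findings."""
    return {f"{r.asset}:{r.component}": evaluate(r, now) for r in records}


# Constructed sample data for illustration, not from any real environment.
NOW = datetime(2024, 3, 20, 9, 0)
SAMPLE = [
    PatchRecord("web-01", "nginx", datetime(2024, 3, 1), False, datetime(2024, 3, 10)),
    PatchRecord("web-02", "nginx", datetime(2024, 3, 1), False, datetime(2024, 3, 18)),
    PatchRecord("vpn-01", "gateway-fw", datetime(2024, 3, 18, 8, 0), True, datetime(2024, 3, 19, 12, 0)),
    PatchRecord("vpn-02", "gateway-fw", datetime(2024, 3, 17, 8, 0), True, None),
    PatchRecord("app-01", "java-runtime", datetime(2024, 3, 15), False, None),
]

if __name__ == "__main__":
    for key, status in summarise(SAMPLE, NOW).items():
        print(f"{key:25} {status}")
```

Run over a real patch export, the "late" and "overdue" rows are exactly the evidence gap described under the implementation traps below.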
ML0 vs ML1 vs ML2 vs ML3 — what's the difference?
- ML0 — Not implemented or weak implementation
- ML1 — Baseline against opportunistic adversaries. Suitable for most non-government commercial environments.
- ML2 — Resilience against targeted attacks. RFFR baseline.
- ML3 — Resilience against well-resourced and adaptive adversaries (state-sponsored). Suitable for very high-value targets.
Your overall E8 maturity is the LOWEST of the eight — the chain is only as strong as the weakest strategy.
Independent IRAP assessment
For RFFR contracts, you cannot self-attest ML2 — you need an IRAP-endorsed assessor to validate. The assessment covers:
- Scope definition — which environment is in scope (production, dev, contractor laptops?)
- Control evidence — policies, configurations, screenshots, log samples
- Sample testing — assessor verifies controls work in practice
- Findings report — gaps, recommendations, residual risk
Cost: typically AUD $20K–$50K depending on scope. Time: 6–10 weeks.
Cadence: typically annual reassessment.
Common implementation traps
- Scope creep — RFFR scope must match where Commonwealth data lives. Don't pay to assess your whole environment.
- Patch automation gaps — assessors will look for evidence of patches deployed within 2 weeks, not just that you "have" patch management.
- MFA hidden exceptions — every "MFA exception" (legacy app, service account, executive bypass) is a finding.
- Macros via web download — blocking macros in attachments but not via web download is incomplete.
- Backup immutability — most providers fail this. Use S3 Object Lock, Azure Immutable Blob, or equivalent.
How long does ML2 take to achieve?
From a baseline of ML0:
- Small environment (<50 staff, cloud-first): 3–6 months
- Medium environment (50–500 staff, hybrid): 6–12 months
- Large/complex environment: 12–24 months
Then ~6 weeks for IRAP assessment. Plan accordingly if you're tendering for federal work.
Use the E8 maturity self-assessment to identify your starting point.
Frequently asked
Is Essential Eight ML2 the same as ISO 27001?
No. They're complementary. ISO 27001 is an ISMS standard; E8 ML2 is a baseline of 8 specific technical controls. RFFR requires both E8 ML2 and broader ISM controls.
Can I self-assess for RFFR?
No — RFFR requires IRAP-endorsed assessor validation. Self-assessment is fine internally as a starting point but doesn't satisfy RFFR.
Do I need to be in Australia to be IRAP assessed?
Your data hosting must be in Australia (typically). The assessor must be IRAP-endorsed. International offices can be in scope depending on data flows.