Adopt Essential Eight Maturity Level 2 (federal subcontractors)
Federal government contractors handling OFFICIAL: Sensitive must meet Right Fit For Risk (RFFR) including E8 ML2.
Who must comply
Federal government contractors and subcontractors handling OFFICIAL: Sensitive data.
What triggers it
Government contract requiring RFFR compliance.
When due
Before access to data; annual reassessment.
Evidence required
IRAP assessment report, ISM compliance documentation, E8 maturity attestation.
Max penalty
Loss of contract / panel access; reputational exposure on Commonwealth supplier registers
Summary
Right Fit For Risk requirements apply to providers handling OFFICIAL: Sensitive Commonwealth data. The ASD Information Security Manual (ISM) and Essential Eight Maturity Model are the baseline. Independent assessment by an IRAP-endorsed assessor is required.
Enforced by
Industries
Topics
Related obligations
- CWLTHReport cyber security incidents to ASD (SOCI)Critical infrastructure asset operators must report critical incidents within 12 hours and other incidents within 72 hours.
- CWLTHComply with APRA CPS 234 (Information Security)APRA-regulated entities must maintain information security capability commensurate with the size and extent of threats.
- CWLTHComply with SOCI Positive Security Obligation (PSO) per sectorSector-specific cyber + risk obligations under SOCI Part 2.
- CWLTHAdopt and maintain a Critical Infrastructure Risk Management Program (CIRMP)Covered critical infrastructure entities must adopt a CIRMP addressing cyber, physical, personnel, and supply-chain hazards.
- CWLTHGovernment cyber incident reporting via ASD ACSCFederal entities + critical infrastructure report cyber incidents to ASD ACSC.
- CWLTHISO/IEC 27001 ISMS certification — increasingly customer-mandatedInformation Security Management System per ISO 27001 increasingly required by customers + government.
Frequently asked questions
- Who must comply with Adopt Essential Eight Maturity Level 2 (federal subcontractors)?
- Federal government contractors and subcontractors handling OFFICIAL: Sensitive data.
- What triggers Adopt Essential Eight Maturity Level 2 (federal subcontractors)?
- Government contract requiring RFFR compliance.
- When is Adopt Essential Eight Maturity Level 2 (federal subcontractors) due?
- Before access to data; annual reassessment.
- What is the maximum penalty for Adopt Essential Eight Maturity Level 2 (federal subcontractors)?
- Loss of contract / panel access; reputational exposure on Commonwealth supplier registers
- What evidence is required for Adopt Essential Eight Maturity Level 2 (federal subcontractors)?
- IRAP assessment report, ISM compliance documentation, E8 maturity attestation.
Source: https://cyber.gov.au/resources-business-and-government/essential-cyber-security/essential-eight. Rules Mate is not a law firm. Always verify against the live regulator source before acting.