Question 1

What is Essential Eight ML2?

Accepted Answer

Essential Eight ML2 (Maturity Level 2) is the second of three maturity levels of the ACSC's Essential Eight mitigation strategies. ML2 means each of the eight controls is implemented and operating at a level appropriate for an organisation that is being actively and selectively targeted by adversaries. It's the level federal contractors handling sensitive (but not classified) information are typically expected to meet, and the level most NFPs and mid-sized businesses with sensitive data should aim for.

Question 2

What is the list of Essential Eight ML2 controls?

Accepted Answer

The eight controls at ML2 are: (1) Application control — only approved applications can execute. (2) Patch applications — internet-facing apps patched within 48 hours of critical patch release, others within 1 month. (3) Configure MS Office macros — blocked from internet, only signed macros run from trusted locations. (4) User application hardening — Flash, ads, Java disabled in web browsers; PDF readers and Office hardened. (5) Restrict administrative privileges — privileged accounts restricted, separated, and reviewed. (6) Patch operating systems — same cadence as applications. (7) Multi-factor authentication — required for all users on internet-facing services, privileged actions, and important data repositories. (8) Regular backups — daily backups, tested quarterly, with retention appropriate to your business continuity needs.

Question 3

How do you implement Essential Eight ML2?

Accepted Answer

Order matters. We sequence Essential Eight ML2 implementation as: (1) baseline assessment of current state, (2) MFA across all internet-facing services and privileged accounts (highest-impact-lowest-cost win), (3) application control via AppLocker or WDAC on Windows endpoints, (4) patching cadence with automated tooling (Intune, Patch My PC, WSUS, or third-party), (5) Office macro and browser hardening via GPO/Intune policies, (6) restrict admin privileges (separate accounts, JIT, conditional access), (7) backup strategy with tested restore procedure, (8) operating system patching cadence. Each control needs evidence — the audit trail is half the work.

Question 4

What are Essential Eight controls over test environments?

Accepted Answer

Test and pre-production environments often slip through Essential Eight scoping because they're seen as non-production. ACSC's guidance is that test environments holding any production data, or accessible from production networks, must meet the same maturity level as production. That includes application control, patching cadence, MFA, and audit logging. The common gap we see is admin shortcuts in test (shared accounts, disabled MFA, unpatched legacy systems) that adversaries pivot through to reach production. Test environments either get the same controls or get isolated networks and ephemeral, sanitised data.

Question 5

Does Essential Eight ML2 application control apply to non-internet-facing servers?

Accepted Answer

Yes. ML2 application control applies to all workstations and standard server environments, not just internet-facing ones. Servers in your DMZ, in your internal network, and in private cloud all require allow-listed application execution. The exception clauses are narrow (highly specialised, pre-approved enclaves with compensating controls). The audit usually finds gaps in internal app servers, jump boxes, and developer workstations where teams have been less rigorous because 'no internet access' was treated as enough.

Question 6

Essential Eight ML2 vs ML3 — what's the difference?

Accepted Answer

ML2 covers organisations actively targeted by adversaries who are willing to invest more effort in a target (state-sponsored actors using known techniques). ML3 covers organisations targeted by adversaries with novel techniques, zero-days, and substantial resources. ML3 adds: tighter patching SLAs (48 hours for OS critical patches, not 1 month), more restrictive application control (cryptographic verification, not just publisher allow-listing), MFA on a wider scope (all important data repositories, not just internet-facing), and stronger admin-privilege restriction (JIT, conditional access with hardware tokens). ML3 is the bar for ASD-assessed and high-trust federal environments.

Question 7

How long does an Essential Eight ML2 uplift take?

Accepted Answer

For a 30-150 person organisation starting from ML0/ML1 baseline, typical uplift takes 4-9 months end-to-end. MFA and patching are usually fast wins (4-8 weeks). Application control and admin-privilege restriction are the longer pieces (3-6 months, mostly because of testing and change management on legacy apps). The audit trail and evidence collection runs alongside everything. We deliver under fixed price after the baseline assessment so finance has visibility before commitment.

Question 8

How much does Essential Eight ML2 uplift cost in Australia?

Accepted Answer

Most Australian SMB and mid-market uplifts land between $35,000 and $180,000 depending on starting maturity, headcount, application portfolio complexity, and the cleanness of your existing patching/admin setup. Federal-contractor environments with stricter audit requirements typically run $80,000-$250,000. We give you a fixed price after a paid baseline assessment ($6,000-$12,000) so you know the full programme cost before you commit.

Question 9

Do I need Essential Eight ML2 as a Commonwealth contractor?

Accepted Answer

If you're contracting to a Commonwealth entity, the requirement depends on the data sensitivity in your contract. Hosting OFFICIAL: Sensitive or higher generally requires ML2 baseline. PSPF-aligned contracts often specify ML2 or higher with audit attestation. Some contracts now reference ML3 for specific workloads. We review your contract clauses and map them to the controls you need to demonstrate, with the evidence pack your contracting entity expects to see.

Question 10

How does Essential Eight relate to Microsoft 365 Copilot rollouts?

Accepted Answer

Microsoft 365 Copilot's value depends on the underlying tenant configuration — DLP policies, sensitivity labels (MIP), audit logging, conditional access, and admin-privilege controls. These overlap with Essential Eight ML2 controls. We routinely sequence the Essential Eight uplift alongside a Copilot rollout because the alternative (Copilot first, security uplift later) means redoing significant parts of the rollout when controls land.

Essential Eight ML2done properly.

All eight, to ML2, with evidence.

Application control

Patch applications

Configure MS Office macros

User application hardening

Restrict administrative privileges

Patch operating systems

Multi-factor authentication

Regular backups

Baseline first. Fixed-price plan, then execute.

Baseline assessment

Quick-wins phase

Application control & admin

Evidence & attestation

Often runs alongside an E8 uplift.

Microsoft 365 Copilot rollout

Managed IT services

Federal contractor IT (Canberra)

Essential Eight questions Australian buyers ask.

Get your free systems review.

Ready to lift to ML2 with evidence?