NSW Government Cyber Security:
The Compliance Gap on the Public Record

NSW agencies self-assess their cyber maturity under the NSW Cyber Security Policy and publish the result. Independent validation is not required. The figures below are the sector’s own — drawn from the Audit Office of NSW and Cyber Security NSW. This brief sets out what that public record shows, and demonstrates, through a composite agency example, what an independent external assessment adds.

85%of agencies do not meet operating-system patching
77%of agencies are not fully compliant on multi-factor authentication
69%of mandatory ‘Protect’ requirements are unmet across the sector
62%of audited security-awareness training obligations unmet

Source: Cyber Security Insights 2025 (Cyber Security NSW). Percentages derived from reported agency counts.

Sector figures are real and published. The agency example that follows is a composite, illustrative of the sector.

This is a composite example. The agency described is a composite, drawn from patterns common across the NSW public sector. No single agency is named, assessed, or identifiable, and no systems were accessed to produce it. Where a real entity appears, it appears only as a matter of existing public record. The findings are realistic patterns; the consequences are the documented findings of the Audit Office of NSW.
Subject
Representative NSW cluster agency (composite)
Method
Passive OSINT & GRC — public/licensed sources only
Frameworks
NSW CSP · Essential Eight · ISO 27001

The Baseline Position: Self-Assessed, Unverified, and Built on an Expiring Standard

Every NSW department, Public Service agency and statutory authority must attest annually under the NSW Cyber Security Policy. They report a self-assessed Essential Eight maturity, publish an attestation in their annual report, and move on. The regime does not require that the self-assessment be independently proven — and, by deliberate design, per-agency results are not made public.

So the baseline position for a typical cluster agency is this: a maturity figure it assessed itself, that no independent party has tested, reported inside a portfolio aggregate that hides the individual result — measured against a framework the ASD has announced it will retire. Everything that follows sits on top of that.

What the Auditor-General found when someone did check Of the nine lead cluster departments audited, eight had implemented no Essential Eight strategy to Level 3, and all nine failed Level 1 on at least three strategies. Audited agencies routinely overstated their maturity and could not evidence their self-ratings. Self-attestation is not assurance — and independent assurance is the one thing the regime does not require.

An Independent, External Read — Mapped to Your Obligations

BlackFlag Advisory assesses an agency the way a regulator, a researcher, or an adversary would — from the outside, using only lawful public and licensed sources. The output is not another self-assessment. It is independent evidence, mapped to the NSW Cyber Security Policy, the Essential Eight, ISO/IEC 27001, and the incoming ASD Essentials series.

01
Passive OSINT Assessment

External exposure surfaced from procurement disclosures, DNS, certificate transparency and platform fingerprinting — the agency’s attack surface as it actually appears from outside.

02
Independent Validation

The self-attested Essential Eight maturity figure, tested. This is the assurance the CSP regime does not require and does not provide — the gap this brief exists to close.

03
Risk Register & Framework Mapping

Every finding rated by likelihood and impact and mapped to the NSW CSP, Essential Eight, ISO 27001 and the Essentials series — a living register, not a point-in-time score.

04
Board & Executive Reporting

Findings translated for the audit-and-risk committee and the agency head — in the language of accountability and obligation, not technical detail.

What the Assessment Found

Ten findings, rated and mapped to the NSW Cyber Security Policy, the Essential Eight and ASD guidance — spanning the assurance gap itself, credential exposure, unpatched CVEs, unaccounted connected and IoT devices across facilities, third-party blind spots, and the coming retirement of the Essential Eight. Each is drawn from patterns observable through lawful public and licensed sources. Each “what the record shows” block is the documented finding of the Audit Office of NSW or Cyber Security NSW — not our assertion, theirs.

3 Critical 4 High 2 Medium 1 Low
Critical F1 · Assurance GapEssential Eight maturity is self-attested and never independently verified NSW CSPEssential Eight

What we observed

The agency reports its Essential Eight maturity annually under the NSW Cyber Security Policy. That figure is self-assessed. From the outside there is no evidence — and by design there cannot be — that any independent party has tested the number, or that the controls behind it can be demonstrated on request.

Why it matters

A self-assessed maturity score is a statement of belief, not a state of fact. The CSP sets Maturity Level One as the mandatory baseline, but nothing in the attestation regime requires the self-rating to be independently proven. The gap between a reported number and a demonstrable one is exactly where a breach lands.

What the Audit Office record shows

The Audit Office of NSW has found audited agencies routinely overstated their maturity and could not evidence their Essential Eight self-ratings. Of the nine lead cluster departments audited, eight had implemented no Essential Eight strategy to Level 3, and all nine fell short of the mandatory Level 1 baseline on at least three strategies.

Where this gets owned

This is where the Secretary’s attestation and the audit-and-risk committee’s oversight meet. The direction is independent validation of the attested figure — the assurance the self-assessment does not provide, and the committee cannot give itself. Maps to the NSW Cyber Security Policy and ISO/IEC 27001.

Critical F2 · Concentration RiskCore services sit behind shared platforms — one failure, many agencies NSW CSPASD

What we observed

Passive attribution — procurement disclosures, DNS, certificate transparency, hosting attribution — indicates the agency’s core services run on shared, whole-of-government platforms rather than an independent stack: consolidated ERP and shared services, central identity and security tooling, and common web platforms used across the sector.

Why it matters

Shared infrastructure concentrates risk. When many agencies depend on the same platform, a single compromise or outage is not one agency’s problem — it is a correlated failure across the sector. This is precisely the exposure per-agency compliance reporting cannot see, because each agency assesses itself in isolation.

What the Audit Office record shows

The centralisation is a matter of public record: health services largely delivered through eHealth NSW, ERP and shared services consolidated across more than 100 agencies, and much of the sector on central security tooling via shared licensing. A weakness in a shared platform is inherited by everyone on it.

Where this gets owned

This sits above any single agency — with the cluster CISO and Cyber Security NSW, which aggregates the sector’s posture. The direction is to map which dependencies are shared and where a single failure propagates, and to hold that as a governance risk. Maps to the NSW CSP and ASD supply-chain guidance.

Critical F3 · Credential ExposureGovernment email credentials appear in public breach corpora NSW CSPEssential Eight

What we observed

A passive review of public and licensed breach and infostealer sources surfaced government email credentials associated with the agency’s domains. Reuse patterns suggest some may open more than one system. We do not test credentials; whether any remain current is for the agency to confirm.

Why it matters

Exposed credentials are the most common way in, because they require no exploit — an attacker signs in. Where multi-factor authentication is not consistently enforced, a single exposed credential is often enough to reach a real system.

What the Audit Office record shows

The ASD’s ACSC found compromised credentials the leading initial-access vector in encryption incidents in 2024–25 — 42%, up from 23% — and issued 9,587 credential-exposure notifications in a single year. Across the NSW sector, fewer than 15 of 66 reporting agencies were fully compliant on multi-factor authentication.

Where this gets owned

One for the agency’s identity and security function. The direction is to treat exposed accounts as compromised and to close the reliance on a password alone. Maps to Essential Eight (MFA) and the NSW CSP.

High F4 · Unpatched VulnerabilitiesPublic-facing systems running software with known, unremediated CVEs Essential EightASD

What we observed

Public-facing systems fingerprinted from the outside are running software and platform versions with known, published CVEs against them — some rated critical. Beyond the individual vulnerabilities, there is no external evidence of a governed, owned patching cadence: the exposure is both the specific unpatched systems and the absence of a rhythm that closes them.

Why it matters

A known CVE is a documented attack path, frequently with exploit code freely available. The Essential Eight requires extreme-risk vulnerabilities to be patched within 48 hours. Across a large, mixed estate that window is routinely missed — and without a cadence someone owns, patching stays reactive.

What the Audit Office record shows

The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to; in one Australian case an unpatched server took attackers four days to reach full encryption. Across NSW, about 15 of 66 agencies met application patching and only about 10 of 66 met operating-system patching (Cyber Security Insights 2025).

Where this gets owned

Sits with the agency’s IT operations, or the shared-service provider running the platform. The direction is a patch-remediation SLA against CVE severity that someone owns and can evidence. Maps to Essential Eight (patch applications and operating systems).

High F5 · Access ControlMulti-factor authentication is not consistently enforced Essential EightNSW CSP

What we observed

Externally observable authentication surfaces — login portals, federation endpoints, email access — indicate multi-factor authentication is applied unevenly across the estate, with legacy and secondary systems the most likely to rely on a password alone.

Why it matters

MFA is the control that stops a stolen password becoming a breach. Applied unevenly, it protects the systems that were easy to cover and leaves the ones that were not — often the older systems holding the most.

What the Audit Office record shows

Across the NSW sector, fewer than 15 of 66 reporting agencies were fully compliant on multi-factor authentication (Cyber Security Insights 2025). It is a core Essential Eight control and a mandatory CSP requirement, and remains one of the least consistently met.

Where this gets owned

Sits with the agency’s identity and security function. The direction is to enforce MFA everywhere it can be applied and to make a deliberate decision about anything that cannot. Maps to Essential Eight (MFA) and the NSW CSP.

High F6 · Third-Party OversightA large share of mandatory controls is run by third parties, unmonitored NSW CSPAPP 8

What we observed

Procurement disclosures and platform attribution indicate a material portion of the agency’s mandatory protections are delivered by third-party and shared-service providers. Whether those providers meet the required controls is not visible to the agency from the outside — and often not from the inside either.

Why it matters

Outsourcing a control does not outsource accountability for it. Where a mandatory protection is run by a third party and not independently monitored, the agency can be non-compliant without knowing it — and cannot demonstrate otherwise if asked.

What the Audit Office record shows

Cyber Security Insights 2025 found 22% of mandatory protection measures are managed by third parties, where non-compliance may be unknown to the agency and to Cyber Security NSW. The Audit Office has repeatedly flagged reliance on third-party providers without adequate oversight as a recurring weakness.

Where this gets owned

Sits with procurement and the cluster CISO. The direction is a consolidated view of which controls are delegated to whom, with evidence each provider meets them. Maps to the NSW CSP and APP 8.

High F7 · Framework TransitionNo plan for the retirement of the Essential Eight Essential EightASD

What we observed

The agency’s entire attested position rests on the Essential Eight. There is no external indication of a plan for what happens when that framework is withdrawn — and the mixed, legacy-heavy estate typical of agencies this size is exactly the shape the successor framework is being written to address.

Why it matters

Building compliance on a framework announced for retirement, without a transition plan, means the baseline itself will move. The controls carry across, but the assessment model changes — and an organisation with no plan for that is planning to be caught out.

What the Audit Office record shows

On 24 June 2026 the ASD confirmed the Essential Eight will be retired — deprecation from around mid-2027, full retirement around mid-2028 — and replaced by the outcomes-based Essentials series. The Essential Eight remains in force today and is still what the CSP references.

Where this gets owned

Sits with the cluster CISO and the agency’s risk function. The direction is to keep maturing against the Essential Eight while building controls that transition cleanly to the Essentials series — the position ASD itself recommends. Maps to Essential Eight and the ASD Essentials series.

Medium F8 · Connected Devices / IoTNetworked and operational devices unaccounted for in the asset inventory Essential EightASD

What we observed

Attribution of the agency’s external footprint indicates networked and operational devices — building management, monitoring, sensors and other connected hardware across multiple facilities — unlikely to sit in any consolidated asset inventory. In a large, multi-site agency this device layer is typically the least governed part of the estate.

Why it matters

You cannot patch, monitor or defend a device you have not inventoried. Connected and operational devices frequently run unsupported firmware, are rarely covered by the controls applied to IT, and sit on networks that reach real systems — an attack surface no self-assessment counts.

What the Audit Office record shows

The ASD’s ACSC repeatedly warns that edge and operational-technology devices are a favoured route for attackers, and that supply-chain compromise through connected hardware is among the hardest risks to detect.

Where this gets owned

Sits with IT and facilities, alongside procurement. The direction is a single inventory of every connected device, with unmanaged or unsupported hardware segmented and monitored. Maps to Essential Eight (asset visibility) and ASD edge/OT guidance.

Medium F9 · AccountabilityPortfolio-level reporting hides which agency is exposed NSW CSP

What we observed

The agency’s cyber posture is reported to Cyber Security NSW at portfolio or cluster level. From outside — and to a degree from inside the cluster — it is not possible to isolate this agency’s individual position from the aggregate it is folded into.

Why it matters

Aggregation is a governance risk in its own right. When results are reported at cluster level, a weak agency is averaged into a portfolio, an accountable owner is harder to identify, and the incentive to close a specific gap weakens because the gap is no longer visible.

What the Audit Office record shows

From 2024 the sector reports at portfolio level: 66 reports covered 177 agencies (Cyber Security Insights 2025). The Auditor-General has noted this structurally reduces visibility of which specific agency is non-compliant.

Where this gets owned

Sits with the agency head and the audit-and-risk committee. The direction is to obtain the agency’s own position, independently, beneath the portfolio figure — the only level at which it can be managed. Maps to the NSW CSP.

Low F10 · Email SecurityAnti-spoofing gaps on secondary domains NSW CSP

What we observed

Public DNS shows the primary domain reasonably configured, but secondary and program-specific government domains associated with the agency carry weaker anti-spoofing posture — DMARC absent or set to no-enforcement, incomplete SPF, missing DKIM.

Why it matters

A government domain that can be spoofed is a ready-made vehicle for phishing that carries public trust. Secondary domains are the ones most often forgotten, and the ones an attacker will reach for precisely because they are.

What the Audit Office record shows

Anti-spoofing configuration is directly readable from public DNS — an attacker can identify a spoofable government domain as easily as a defender can. It is low-cost to fix and high-value to exploit.

Where this gets owned

Sits with the agency’s email and security function. The direction is consistent DMARC enforcement across every domain the agency owns, not just the flagship one. Maps to the NSW CSP.

Ten findings is a list. A board needs a decision. The matrix converts the findings into one view of where to act first — plausibility of exposure against business impact — so scarce remediation effort is spent on the top-right corner, not on whichever finding is loudest. The critical cluster is where an independent assessment says the money goes first.

The agency’s risk profile

Findings plotted by plausibility of exposure against business impact. Indicative and qualitative — each point is a plausible path to compromise, not a prediction.

High impact
27
13
Medium impact
6
45
Low impact
10
89
Low
Medium
High
Plausibility of exposure →
F1Essential Eight maturity is self-attested and never independently verified
F2Core services sit behind shared platforms — one failure, many agencies
F3Government email credentials appear in public breach corpora
F4Public-facing systems running software with known, unremediated CVEs
F5Multi-factor authentication is not consistently enforced
F6A large share of mandatory controls is run by third parties, unmonitored
F7No plan for the retirement of the Essential Eight
F8Networked and operational devices unaccounted for in the asset inventory
F9Portfolio-level reporting hides which agency is exposed
F10Anti-spoofing gaps on secondary domains

How this is rated. Impact reflects the sensitivity and reach of the services and information exposed, and the obligations attaching under the NSW Cyber Security Policy. Plausibility reflects how readily the exposure could be reached from outside the agency, using only lawful public and licensed sources — not a forecast of attacker intent.

How This Was Assembled — Lawfully, From the Outside

Everything in this assessment is drawn from sources that are public or licensed, and that require no access to any system, no credentials, and no disruption. The same view is available to a regulator, a researcher, or an adversary. The disciplines used here are the disciplines used in a real BlackFlag engagement:

  • Procurement disclosure. Mandatory transparency under the GIPA Act — the buy.nsw Register of Notices, agency contract registers, annual-report consultancy disclosures — reveals named ICT, SaaS and security vendors, contract values and terms.
  • Public DNS. MX, SPF, DKIM and DMARC records reveal the email platform, the security gateway, and the anti-spoofing posture — read directly, without contact.
  • Hosting & edge attribution. ASN ownership, passive DNS and response headers attribute cloud, CDN and WAF providers.
  • Certificate Transparency. Public CT logs surface subdomains and the SaaS tenants behind them — including the forgotten ones.
  • Platform fingerprinting. Generator tags, headers and known fingerprints identify the web CMS and common whole-of-government builds.
  • Workforce & vendor signals. Security tooling named in public recruitment listings, and vendor case studies, indicate the stack indirectly.
What we deliberately do not do. We do not infer or present a live internal defensive stack, and we do not publish a per-agency, actionable security-tool inventory. The Auditor-General anonymises agencies precisely so that unremediated gaps do not become a targeting map; this assessment observes the same discipline. What we present is combinatorial exposure and the governance gaps it implies — not a route in.

The Findings, on the Public Record

Every consequence cited is drawn from published Audit Office of NSW, Cyber Security NSW, NSW Ombudsman, or ASD material. The agency is a composite; these findings are real.

  • Audit Office of NSW — Compliance with the NSW Cyber Security Policy (2021, year to 30 June 2020): of the nine audited lead cluster departments, eight had implemented no Essential Eight strategy to Level 3; all nine failed Level 1 on at least three strategies; agencies routinely overstated maturity and could not evidence self-ratings.
  • Cyber Security Insights 2025 (Cyber Security NSW): only 31% of ‘Protect’ requirements met; fewer than 15 of 66 agencies fully MFA-compliant; ~15 of 66 met application patching and ~10 of 66 OS patching; 22% of mandatory protections managed by third parties; 152 high/extreme residual risks across 27 agencies; 66 reports covering 177 agencies.
  • Audit Office of NSW — Cyber security in Local Health Districts (Dec 2025): systemic non-compliance with the NSW Cyber Security Policy identified across Local Health Districts.
  • NSW Ombudsman — The new machinery of government (Nov 2021): automated decision-making across the NSW public sector built largely without a specific regulatory framework; Revenue NSW’s automated garnishee-order system found unlawful on external legal advice.
  • ASD Australian Cyber Security Centre — Annual Cyber Threat Reports (2021–22 to 2024–25): compromised credentials the leading initial-access vector (42% in 2024–25; 9,587 exposure notifications); inadequate patching behind the majority of significant incidents.
  • ASD — Essential Eight retirement (24 June 2026): Essential Eight to be deprecated from around mid-2027 and retired around mid-2028, replaced by the Essentials series; Essential Eight remains in force during the transition.

The agency in this assessment is a composite, drawn from patterns common across the NSW public sector; no single agency is named, assessed, or identifiable. Where a real entity appears (NSW Health / Local Health Districts, Revenue NSW), it appears solely as a matter of existing public record. Risk ratings are indicative, qualitative assessments of plausible exposure — not predictions of a certain outcome. No systems were accessed.

Every Gap Here Is a Gap That Can Be Closed.

None of the findings in this brief is a technical catastrophe. A number nobody verified. A control nobody owned. A plan nobody tested. These are gaps in documentation, ownership and independent assurance — and that is exactly why they can be closed, deliberately, before a crisis forces the issue.

That is the work BlackFlag Advisory does. We turn a self-assessed number into an independently validated one. We find what is exposed before someone else does. And we give an audit-and-risk committee evidence it can stand behind — in the language of obligation, not jargon. The gap is real. It is also entirely closeable.

If it would be useful, we can provide an external assessment of your agency’s public-facing footprint — the same passive methodology applied in this brief, using only lawful public and licensed sources. There is no charge for it, and no obligation that follows. It is simply the fastest way to see what an attacker, a regulator, or an auditor can already see.

Request an Assessment →