The Baseline Position: Self-Assessed, Unverified, and Built on an Expiring Standard
Every NSW department, Public Service agency and statutory authority must attest annually under the NSW Cyber Security Policy. They report a self-assessed Essential Eight maturity, publish an attestation in their annual report, and move on. The regime does not require that the self-assessment be independently proven — and, by deliberate design, per-agency results are not made public.
So the baseline position for a typical cluster agency is this: a maturity figure it assessed itself, that no independent party has tested, reported inside a portfolio aggregate that hides the individual result — measured against a framework the ASD has announced it will retire. Everything that follows sits on top of that.
An Independent, External Read — Mapped to Your Obligations
BlackFlag Advisory assesses an agency the way a regulator, a researcher, or an adversary would — from the outside, using only lawful public and licensed sources. The output is not another self-assessment. It is independent evidence, mapped to the NSW Cyber Security Policy, the Essential Eight, ISO/IEC 27001, and the incoming ASD Essentials series.
External exposure surfaced from procurement disclosures, DNS, certificate transparency and platform fingerprinting — the agency’s attack surface as it actually appears from outside.
The self-attested Essential Eight maturity figure, tested. This is the assurance the CSP regime does not require and does not provide — the gap this brief exists to close.
Every finding rated by likelihood and impact and mapped to the NSW CSP, Essential Eight, ISO 27001 and the Essentials series — a living register, not a point-in-time score.
Findings translated for the audit-and-risk committee and the agency head — in the language of accountability and obligation, not technical detail.
What the Assessment Found
Ten findings, rated and mapped to the NSW Cyber Security Policy, the Essential Eight and ASD guidance — spanning the assurance gap itself, credential exposure, unpatched CVEs, unaccounted connected and IoT devices across facilities, third-party blind spots, and the coming retirement of the Essential Eight. Each is drawn from patterns observable through lawful public and licensed sources. Each “what the record shows” block is the documented finding of the Audit Office of NSW or Cyber Security NSW — not our assertion, theirs.
F1 · Assurance GapEssential Eight maturity is self-attested and never independently verified ▼
What we observed
The agency reports its Essential Eight maturity annually under the NSW Cyber Security Policy. That figure is self-assessed. From the outside there is no evidence — and by design there cannot be — that any independent party has tested the number, or that the controls behind it can be demonstrated on request.
Why it matters
A self-assessed maturity score is a statement of belief, not a state of fact. The CSP sets Maturity Level One as the mandatory baseline, but nothing in the attestation regime requires the self-rating to be independently proven. The gap between a reported number and a demonstrable one is exactly where a breach lands.
What the Audit Office record shows
The Audit Office of NSW has found audited agencies routinely overstated their maturity and could not evidence their Essential Eight self-ratings. Of the nine lead cluster departments audited, eight had implemented no Essential Eight strategy to Level 3, and all nine fell short of the mandatory Level 1 baseline on at least three strategies.
Where this gets owned
This is where the Secretary’s attestation and the audit-and-risk committee’s oversight meet. The direction is independent validation of the attested figure — the assurance the self-assessment does not provide, and the committee cannot give itself. Maps to the NSW Cyber Security Policy and ISO/IEC 27001.
F2 · Concentration RiskCore services sit behind shared platforms — one failure, many agencies ▼
What we observed
Passive attribution — procurement disclosures, DNS, certificate transparency, hosting attribution — indicates the agency’s core services run on shared, whole-of-government platforms rather than an independent stack: consolidated ERP and shared services, central identity and security tooling, and common web platforms used across the sector.
Why it matters
Shared infrastructure concentrates risk. When many agencies depend on the same platform, a single compromise or outage is not one agency’s problem — it is a correlated failure across the sector. This is precisely the exposure per-agency compliance reporting cannot see, because each agency assesses itself in isolation.
What the Audit Office record shows
The centralisation is a matter of public record: health services largely delivered through eHealth NSW, ERP and shared services consolidated across more than 100 agencies, and much of the sector on central security tooling via shared licensing. A weakness in a shared platform is inherited by everyone on it.
Where this gets owned
This sits above any single agency — with the cluster CISO and Cyber Security NSW, which aggregates the sector’s posture. The direction is to map which dependencies are shared and where a single failure propagates, and to hold that as a governance risk. Maps to the NSW CSP and ASD supply-chain guidance.
F3 · Credential ExposureGovernment email credentials appear in public breach corpora ▼
What we observed
A passive review of public and licensed breach and infostealer sources surfaced government email credentials associated with the agency’s domains. Reuse patterns suggest some may open more than one system. We do not test credentials; whether any remain current is for the agency to confirm.
Why it matters
Exposed credentials are the most common way in, because they require no exploit — an attacker signs in. Where multi-factor authentication is not consistently enforced, a single exposed credential is often enough to reach a real system.
What the Audit Office record shows
The ASD’s ACSC found compromised credentials the leading initial-access vector in encryption incidents in 2024–25 — 42%, up from 23% — and issued 9,587 credential-exposure notifications in a single year. Across the NSW sector, fewer than 15 of 66 reporting agencies were fully compliant on multi-factor authentication.
Where this gets owned
One for the agency’s identity and security function. The direction is to treat exposed accounts as compromised and to close the reliance on a password alone. Maps to Essential Eight (MFA) and the NSW CSP.
F4 · Unpatched VulnerabilitiesPublic-facing systems running software with known, unremediated CVEs ▼
What we observed
Public-facing systems fingerprinted from the outside are running software and platform versions with known, published CVEs against them — some rated critical. Beyond the individual vulnerabilities, there is no external evidence of a governed, owned patching cadence: the exposure is both the specific unpatched systems and the absence of a rhythm that closes them.
Why it matters
A known CVE is a documented attack path, frequently with exploit code freely available. The Essential Eight requires extreme-risk vulnerabilities to be patched within 48 hours. Across a large, mixed estate that window is routinely missed — and without a cadence someone owns, patching stays reactive.
What the Audit Office record shows
The ASD’s ACSC found inadequate patching behind the majority of the significant incidents it responded to; in one Australian case an unpatched server took attackers four days to reach full encryption. Across NSW, about 15 of 66 agencies met application patching and only about 10 of 66 met operating-system patching (Cyber Security Insights 2025).
Where this gets owned
Sits with the agency’s IT operations, or the shared-service provider running the platform. The direction is a patch-remediation SLA against CVE severity that someone owns and can evidence. Maps to Essential Eight (patch applications and operating systems).
F5 · Access ControlMulti-factor authentication is not consistently enforced ▼
What we observed
Externally observable authentication surfaces — login portals, federation endpoints, email access — indicate multi-factor authentication is applied unevenly across the estate, with legacy and secondary systems the most likely to rely on a password alone.
Why it matters
MFA is the control that stops a stolen password becoming a breach. Applied unevenly, it protects the systems that were easy to cover and leaves the ones that were not — often the older systems holding the most.
What the Audit Office record shows
Across the NSW sector, fewer than 15 of 66 reporting agencies were fully compliant on multi-factor authentication (Cyber Security Insights 2025). It is a core Essential Eight control and a mandatory CSP requirement, and remains one of the least consistently met.
Where this gets owned
Sits with the agency’s identity and security function. The direction is to enforce MFA everywhere it can be applied and to make a deliberate decision about anything that cannot. Maps to Essential Eight (MFA) and the NSW CSP.
F6 · Third-Party OversightA large share of mandatory controls is run by third parties, unmonitored ▼
What we observed
Procurement disclosures and platform attribution indicate a material portion of the agency’s mandatory protections are delivered by third-party and shared-service providers. Whether those providers meet the required controls is not visible to the agency from the outside — and often not from the inside either.
Why it matters
Outsourcing a control does not outsource accountability for it. Where a mandatory protection is run by a third party and not independently monitored, the agency can be non-compliant without knowing it — and cannot demonstrate otherwise if asked.
What the Audit Office record shows
Cyber Security Insights 2025 found 22% of mandatory protection measures are managed by third parties, where non-compliance may be unknown to the agency and to Cyber Security NSW. The Audit Office has repeatedly flagged reliance on third-party providers without adequate oversight as a recurring weakness.
Where this gets owned
Sits with procurement and the cluster CISO. The direction is a consolidated view of which controls are delegated to whom, with evidence each provider meets them. Maps to the NSW CSP and APP 8.
F7 · Framework TransitionNo plan for the retirement of the Essential Eight ▼
What we observed
The agency’s entire attested position rests on the Essential Eight. There is no external indication of a plan for what happens when that framework is withdrawn — and the mixed, legacy-heavy estate typical of agencies this size is exactly the shape the successor framework is being written to address.
Why it matters
Building compliance on a framework announced for retirement, without a transition plan, means the baseline itself will move. The controls carry across, but the assessment model changes — and an organisation with no plan for that is planning to be caught out.
What the Audit Office record shows
On 24 June 2026 the ASD confirmed the Essential Eight will be retired — deprecation from around mid-2027, full retirement around mid-2028 — and replaced by the outcomes-based Essentials series. The Essential Eight remains in force today and is still what the CSP references.
Where this gets owned
Sits with the cluster CISO and the agency’s risk function. The direction is to keep maturing against the Essential Eight while building controls that transition cleanly to the Essentials series — the position ASD itself recommends. Maps to Essential Eight and the ASD Essentials series.
F8 · Connected Devices / IoTNetworked and operational devices unaccounted for in the asset inventory ▼
What we observed
Attribution of the agency’s external footprint indicates networked and operational devices — building management, monitoring, sensors and other connected hardware across multiple facilities — unlikely to sit in any consolidated asset inventory. In a large, multi-site agency this device layer is typically the least governed part of the estate.
Why it matters
You cannot patch, monitor or defend a device you have not inventoried. Connected and operational devices frequently run unsupported firmware, are rarely covered by the controls applied to IT, and sit on networks that reach real systems — an attack surface no self-assessment counts.
What the Audit Office record shows
The ASD’s ACSC repeatedly warns that edge and operational-technology devices are a favoured route for attackers, and that supply-chain compromise through connected hardware is among the hardest risks to detect.
Where this gets owned
Sits with IT and facilities, alongside procurement. The direction is a single inventory of every connected device, with unmanaged or unsupported hardware segmented and monitored. Maps to Essential Eight (asset visibility) and ASD edge/OT guidance.
F9 · AccountabilityPortfolio-level reporting hides which agency is exposed ▼
What we observed
The agency’s cyber posture is reported to Cyber Security NSW at portfolio or cluster level. From outside — and to a degree from inside the cluster — it is not possible to isolate this agency’s individual position from the aggregate it is folded into.
Why it matters
Aggregation is a governance risk in its own right. When results are reported at cluster level, a weak agency is averaged into a portfolio, an accountable owner is harder to identify, and the incentive to close a specific gap weakens because the gap is no longer visible.
What the Audit Office record shows
From 2024 the sector reports at portfolio level: 66 reports covered 177 agencies (Cyber Security Insights 2025). The Auditor-General has noted this structurally reduces visibility of which specific agency is non-compliant.
Where this gets owned
Sits with the agency head and the audit-and-risk committee. The direction is to obtain the agency’s own position, independently, beneath the portfolio figure — the only level at which it can be managed. Maps to the NSW CSP.
F10 · Email SecurityAnti-spoofing gaps on secondary domains ▼
What we observed
Public DNS shows the primary domain reasonably configured, but secondary and program-specific government domains associated with the agency carry weaker anti-spoofing posture — DMARC absent or set to no-enforcement, incomplete SPF, missing DKIM.
Why it matters
A government domain that can be spoofed is a ready-made vehicle for phishing that carries public trust. Secondary domains are the ones most often forgotten, and the ones an attacker will reach for precisely because they are.
What the Audit Office record shows
Anti-spoofing configuration is directly readable from public DNS — an attacker can identify a spoofable government domain as easily as a defender can. It is low-cost to fix and high-value to exploit.
Where this gets owned
Sits with the agency’s email and security function. The direction is consistent DMARC enforcement across every domain the agency owns, not just the flagship one. Maps to the NSW CSP.
Ten findings is a list. A board needs a decision. The matrix converts the findings into one view of where to act first — plausibility of exposure against business impact — so scarce remediation effort is spent on the top-right corner, not on whichever finding is loudest. The critical cluster is where an independent assessment says the money goes first.
The agency’s risk profile
Findings plotted by plausibility of exposure against business impact. Indicative and qualitative — each point is a plausible path to compromise, not a prediction.
How this is rated. Impact reflects the sensitivity and reach of the services and information exposed, and the obligations attaching under the NSW Cyber Security Policy. Plausibility reflects how readily the exposure could be reached from outside the agency, using only lawful public and licensed sources — not a forecast of attacker intent.
How This Was Assembled — Lawfully, From the Outside
Everything in this assessment is drawn from sources that are public or licensed, and that require no access to any system, no credentials, and no disruption. The same view is available to a regulator, a researcher, or an adversary. The disciplines used here are the disciplines used in a real BlackFlag engagement:
- Procurement disclosure. Mandatory transparency under the GIPA Act — the buy.nsw Register of Notices, agency contract registers, annual-report consultancy disclosures — reveals named ICT, SaaS and security vendors, contract values and terms.
- Public DNS. MX, SPF, DKIM and DMARC records reveal the email platform, the security gateway, and the anti-spoofing posture — read directly, without contact.
- Hosting & edge attribution. ASN ownership, passive DNS and response headers attribute cloud, CDN and WAF providers.
- Certificate Transparency. Public CT logs surface subdomains and the SaaS tenants behind them — including the forgotten ones.
- Platform fingerprinting. Generator tags, headers and known fingerprints identify the web CMS and common whole-of-government builds.
- Workforce & vendor signals. Security tooling named in public recruitment listings, and vendor case studies, indicate the stack indirectly.
The Findings, on the Public Record
Every consequence cited is drawn from published Audit Office of NSW, Cyber Security NSW, NSW Ombudsman, or ASD material. The agency is a composite; these findings are real.
- Audit Office of NSW — Compliance with the NSW Cyber Security Policy (2021, year to 30 June 2020): of the nine audited lead cluster departments, eight had implemented no Essential Eight strategy to Level 3; all nine failed Level 1 on at least three strategies; agencies routinely overstated maturity and could not evidence self-ratings.
- Cyber Security Insights 2025 (Cyber Security NSW): only 31% of ‘Protect’ requirements met; fewer than 15 of 66 agencies fully MFA-compliant; ~15 of 66 met application patching and ~10 of 66 OS patching; 22% of mandatory protections managed by third parties; 152 high/extreme residual risks across 27 agencies; 66 reports covering 177 agencies.
- Audit Office of NSW — Cyber security in Local Health Districts (Dec 2025): systemic non-compliance with the NSW Cyber Security Policy identified across Local Health Districts.
- NSW Ombudsman — The new machinery of government (Nov 2021): automated decision-making across the NSW public sector built largely without a specific regulatory framework; Revenue NSW’s automated garnishee-order system found unlawful on external legal advice.
- ASD Australian Cyber Security Centre — Annual Cyber Threat Reports (2021–22 to 2024–25): compromised credentials the leading initial-access vector (42% in 2024–25; 9,587 exposure notifications); inadequate patching behind the majority of significant incidents.
- ASD — Essential Eight retirement (24 June 2026): Essential Eight to be deprecated from around mid-2027 and retired around mid-2028, replaced by the Essentials series; Essential Eight remains in force during the transition.
The agency in this assessment is a composite, drawn from patterns common across the NSW public sector; no single agency is named, assessed, or identifiable. Where a real entity appears (NSW Health / Local Health Districts, Revenue NSW), it appears solely as a matter of existing public record. Risk ratings are indicative, qualitative assessments of plausible exposure — not predictions of a certain outcome. No systems were accessed.
Every Gap Here Is a Gap That Can Be Closed.
None of the findings in this brief is a technical catastrophe. A number nobody verified. A control nobody owned. A plan nobody tested. These are gaps in documentation, ownership and independent assurance — and that is exactly why they can be closed, deliberately, before a crisis forces the issue.
That is the work BlackFlag Advisory does. We turn a self-assessed number into an independently validated one. We find what is exposed before someone else does. And we give an audit-and-risk committee evidence it can stand behind — in the language of obligation, not jargon. The gap is real. It is also entirely closeable.
If it would be useful, we can provide an external assessment of your agency’s public-facing footprint — the same passive methodology applied in this brief, using only lawful public and licensed sources. There is no charge for it, and no obligation that follows. It is simply the fastest way to see what an attacker, a regulator, or an auditor can already see.
Request an Assessment →