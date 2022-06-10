For years now, Crikey has kept a lonely vigil over one of the more bemusing administrative scandals of recent times in the Australian Public Service: the failure of departments and major agencies to meet the most basic requirements of cybersecurity put in place back when Labor was last in government in 2013 (you can find a history of the saga here).

When we last checked in March 2021, the auditor-general had busted Prime Minister and Cabinet, and Attorney-General -- two departments you'd kinda sorta wanna think might be pretty focused on security -- not just for not being compliant with the original "top four" requirements put in place back in 2013, but for claiming they were compliant when they weren't.

Since then the top four has been expanded to the more alliterative "essential eight" and enshrined in the Protective Security Policy Framework Policy 10, "Safeguarding data from cyber threats". Throughout that time, progress to meeting either the four or the eight by most departments has been ridiculously slow -- and attempts by bureaucrats to explain away their failures when MPs like Labor's Tim Watts pursued them just ridiculous.