Essential Eight Maturity Level 3 is the highest tier of the ASD’s maturity model, built to resist adversaries who are adaptive, well-resourced, and willing to invest real time in a specific target. It is also the most misunderstood tier. Businesses chase it because it sounds like the finish line, when the ACSC’s own guidance says most organisations do not need it. This guide covers what ML3 actually requires, who genuinely needs it, and the trap that catches organisations trying to get there.
If you are earlier in the journey, start with our Essential 8 compliance guide or the ML2 requirements guide. This post assumes you know the eight strategies and the maturity model basics.
The maturity levels are pegged to adversary tradecraft, not organisation size. ML1 counters opportunistic, commodity attacks. ML2 counters adversaries with moderate capability who will invest in a target. ML3 counters adaptive adversaries who exploit the opportunities a weaker environment provides, move quickly once inside, and actively work around your defences.
The ACSC’s guidance positions ML3 as suitable for critical infrastructure providers and organisations operating in high threat environments. Under the Protective Security Policy Framework, the mandatory baseline for federal government entities is ML2, not ML3, although ML3-mapped controls in the Information Security Manual remain applicable and risk-managed for those entities. In the private sector, ML3 shows up in defence supply chain requirements, some SOCI Act obligations, and contracts where the client’s threat model is genuinely elevated.
The honest read for most Perth businesses: you do not need ML3, and pursuing it before consolidating ML2 wastes money. But if you operate critical infrastructure, supply the defence sector, or hold data a capable adversary would specifically target, ML3 is the standard your environment will be measured against.
The Essential Eight is implemented and assessed as a package. Your overall maturity is the lowest level you achieve across all eight strategies, and the ACSC expects a consistent level across all eight before you target the next one. Assessors apply the same logic: an ML3 assessment does not begin until ML2 has been demonstrated.
This bites hardest at the top. An organisation running ML3-grade application control and patching but ML1-grade backups is, for assessment purposes, ML1. At this tier the weakest strategy is usually one of the unglamorous ones: backup immutability, legacy component removal, or the monitoring discipline behind the logs. Plan the uplift across all eight at once or do not plan it at all.
The 48-hour window for critical or exploited vulnerabilities, which applies to online services at every maturity level, extends at ML3 to the applications staff use all day: office productivity suites, web browsers and their extensions, email clients, PDF software, and security products. Non-critical vulnerabilities in those applications must be addressed within two weeks. Every application no longer supported by its vendor is removed, not just the high-risk categories.
For operating system patching, the 48-hour critical window extends from internet-facing systems to workstations, internal servers, and network devices, and the scanning scope expands to drivers and firmware. ML3 also requires running the latest, or the release immediately before the latest, operating system version. If your fleet still has devices two releases behind, that alone holds you at ML2.
Application control coverage extends to drivers; Microsoft’s recommended application and driver blocklists are in force, rulesets are validated annually, and blocked execution events are centrally logged and actively monitored for signs of compromise. The difference from ML2 is less about the policy and more about someone actually watching what the policy catches.
Only macros running from a sandboxed environment, a trusted location, or digitally signed by a trusted publisher are allowed to execute, and anything placed in a trusted location is reviewed for malicious code before it gets there. For most businesses this is the point where the macro estate finally gets inventoried and shrunk.
Legacy attack surface is removed rather than configured around: old PowerShell versions and .NET Framework 3.5 and below are gone, command-line and PowerShell events are centrally logged, and those logs are monitored. The hardening baselines follow ASD and vendor guidance rather than internal judgement.
Privileged access becomes just-in-time rather than standing: access is granted only for the duration and scope required. Windows credential protections such as memory integrity, Local Security Authority protection, and Credential Guard are enabled, and privileged activity is centrally logged and monitored. The Secure Admin Workstation pattern from ML2 carries through.
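The hardening and credential-protection deltas above are the ones an assessor will ask you to evidence per device, so here is an added example (not the post's own tooling) of a read-only PowerShell readiness check for them. The feature names, CIM class and registry paths are the documented Windows locations; the pass criteria are assumptions to align with your own ASD and vendor baseline.

```powershell
# Added example: read-only ML3 readiness check for the hardening settings named above.
# Pass criteria are assumptions; adjust them to your adopted ASD/vendor baseline.
#Requires -RunAsAdministrator

$results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Pass, [string]$Detail) {
    $results.Add([pscustomobject]@{ Check = $Name; Pass = $Pass; Detail = $Detail })
}
function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null (rather than throwing) when the key or value does not exist.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# 1. Legacy components: the PowerShell 2.0 engine and .NET Framework 3.5 must not be enabled.
foreach ($feature in 'MicrosoftWindowsPowerShellV2Root', 'NetFx3') {
    $f = Get-WindowsOptionalFeature -Online -FeatureName $feature -ErrorAction SilentlyContinue
    $state = if ($f) { [string]$f.State } else { 'NotPresent' }
    Add-Check "Legacy feature $feature removed" ($state -ne 'Enabled') "State: $state"
}

# 2. Credential protections: Device Guard reports Credential Guard (1) and memory
#    integrity/HVCI (2) as running; LSA runs as a protected process (RunAsPPL 1 or 2).
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
$running = @($dg.SecurityServicesRunning)
Add-Check 'Credential Guard running'        ($running -contains 1) "SecurityServicesRunning: $($running -join ',')"
Add-Check 'Memory integrity (HVCI) running' ($running -contains 2) "SecurityServicesRunning: $($running -join ',')"
$ppl = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'RunAsPPL'
Add-Check 'LSA protection (RunAsPPL)' ($ppl -in 1, 2) "RunAsPPL: $ppl"

# 3. Logging that feeds central collection: script block logging and process-creation
#    auditing with command line, so the SIEM actually sees what was run.
$sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
Add-Check 'PowerShell script block logging' ($sbl -eq 1) "EnableScriptBlockLogging: $sbl"
$cmd = Get-RegValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' 'ProcessCreationIncludeCmdLine_Enabled'
Add-Check 'Process creation command-line auditing' ($cmd -eq 1) "ProcessCreationIncludeCmdLine_Enabled: $cmd"

$results | Format-Table -AutoSize
# Non-zero exit so a fleet-wide run (RMM, Intune script, scheduled task) can flag failures.
if ($results.Pass -contains $false) { exit 1 }
```

Run it on a sample of workstations and servers before engaging an assessor; every failing row is a finding they will reach on their own.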
Phishing-resistant MFA, required for workstation logon from ML2, becomes the norm across the board at ML3, and MFA extends to authentication for data repositories. SMS codes and basic push approvals have no place anywhere in an ML3 environment.
Backups become immutable in practice: privileged accounts, including backup administrator accounts, are prevented from modifying or deleting backups within their retention period. This is the control that determines whether a ransomware incident is a bad fortnight or a company-ending event, and it is the one we find missing most often in otherwise mature environments.
Reading the control list, ML3 looks like configuration work. It is not. The common thread through the ML3 deltas is monitoring: event logs from workstations and servers centrally collected, watched for signs of compromise, with incidents reported to the CISO and to the ASD, and an incident response plan that actually gets enacted. That is a security operations capability, whether you build it internally or buy it as managed detection and response.
This is why our Essential Eight service page puts ML3 at twelve months or more beyond ML2. The technical controls might land in a quarter. The operating rhythm of detection, triage, and response takes longer to become real, and an assessor following the ASD’s assessment process will test the rhythm, not just the configuration. Evidence quality matters at every level, but at ML3 the expectation is effectively continuous: timestamped logs, tested restores, recorded reviews.
Worth knowing for anyone building GRC tooling around this: the ASD publishes the ISM in the machine-readable OSCAL format, including resolved baselines for ML1, ML2, and ML3. If you are tracking hundreds of ISM-mapped controls for an ML3 programme, ingesting the OSCAL baseline beats maintaining a spreadsheet.
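As an added example of that ingestion (not the ISM's or any vendor's tooling), the script below flattens an OSCAL catalog, the structure a resolved profile such as an ML baseline is published in, and joins it to an assessment-status table. The JSON is a constructed sample with placeholder ids and the status table is an assumed tracker shape; in practice read the real baseline with Get-Content -Raw and ConvertFrom-Json.

```powershell
# Added example: flatten an OSCAL catalog into a control list and report assessment coverage.
# Constructed sample catalog with placeholder ids (not ISM content); replace with
# (Get-Content -Raw '<path to ISM OSCAL baseline>' | ConvertFrom-Json).catalog in practice.
$catalogJson = @'
{ "catalog": { "uuid": "00000000-0000-0000-0000-000000000000",
  "metadata": { "title": "Constructed sample baseline", "version": "x" },
  "groups": [
    { "id": "grp-patch", "title": "Patch applications", "controls": [
      { "id": "ctl-0001", "title": "Critical patches within 48 hours",
        "parts": [ { "name": "statement", "prose": "Critical patches are applied within 48 hours." } ] } ] },
    { "id": "grp-backup", "title": "Regular backups", "groups": [
      { "id": "grp-backup-immut", "title": "Backup immutability", "controls": [
        { "id": "ctl-0002", "title": "Backups protected from privileged accounts",
          "parts": [ { "name": "statement", "prose": "Privileged accounts cannot modify or delete backups." } ],
          "controls": [ { "id": "ctl-0002.1", "title": "Backup administrator accounts included" } ] } ] } ] } ] } }
'@

function Get-OscalControls {
    param($Node, [string]$Group = '')
    # OSCAL groups may nest groups, and controls may nest controls: recurse over both.
    foreach ($g in @($Node.groups)) {
        if ($null -ne $g) { Get-OscalControls -Node $g -Group $g.title }
    }
    foreach ($c in @($Node.controls)) {
        if ($null -eq $c) { continue }
        $stmt  = @($c.parts | Where-Object { $_.name -eq 'statement' })
        $prose = if ($stmt.Count) { $stmt[0].prose } else { '' }
        [pscustomobject]@{ Id = $c.id; Group = $Group; Title = $c.title; Statement = $prose }
        Get-OscalControls -Node $c -Group $Group   # emit child controls, if any
    }
}

$catalog  = ($catalogJson | ConvertFrom-Json).catalog
$controls = @(Get-OscalControls -Node $catalog)

# Assessment status keyed by control id (assumed tracker shape); anything
# missing from the table surfaces as 'Not assessed' rather than silently passing.
$status = @{ 'ctl-0001' = 'Implemented'; 'ctl-0002' = 'Partial' }
$report = foreach ($ctl in $controls) {
    $s = if ($status.ContainsKey($ctl.Id)) { $status[$ctl.Id] } else { 'Not assessed' }
    $ctl | Add-Member -NotePropertyName Status -NotePropertyValue $s -PassThru
}
$report | Format-Table Id, Group, Title, Status -AutoSize
$report | Group-Object Status | Select-Object Name, Count   # coverage summary for the steering group
```

The same walk applies to the ML1 and ML2 baselines, so one script can report how far each control has moved between levels.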
Yes, plan for it if you operate critical infrastructure, supply defence or intelligence-adjacent work, or your contracts and regulators name ML3 explicitly.
Probably not yet if you are a commercial SMB without those obligations. Consolidate ML2, close the monitoring gap with an MDR service, and put the budget difference into the Further Five controls, which buy more practical risk reduction for most businesses than the ML2-to-ML3 jump does.
Different framework entirely if you have no Essential Eight contractual driver at all. SMB1001 delivers a formal certification with far less overhead, and our Essential Eight vs SMB1001 comparison walks through that decision. If the pressure is coming from enterprise clients or international partners, the framework they recognise by name is usually ISO 27001 rather than an Essential Eight maturity level; our ISO 27001 accreditation guide covers when certification is worth the investment and how Essential Eight work counts toward it.
We run Essential Eight gap assessments aligned to the ASD’s assessment process, giving you a defensible maturity rating across all eight strategies and a costed path to your target level. For organisations heading to ML3, we implement the technical uplift and provide the managed detection and response layer that the monitoring requirements demand. Contact us on 1300 EPIC IT for a free gap analysis.
Essential Eight Maturity Level 3 is the highest level of the ASD’s maturity model, designed to mitigate adversaries who are adaptive, well-resourced, and willing to target a specific organisation. It tightens patching to 48 hours for critical vulnerabilities across workstations and servers, requires phishing-resistant MFA throughout, makes backups immutable, and demands centralised logging with active monitoring and incident response.
The ACSC positions ML3 as suitable for critical infrastructure providers and organisations in high threat environments, including parts of the defence supply chain and entities with SOCI Act obligations. The PSPF baseline for federal government entities is ML2. Most commercial SMBs do not need ML3 and get better risk reduction from consolidating ML2 and adding the Further Five controls.
ML3 extends 48-hour critical patching from internet-facing systems to workstations, servers, drivers, and firmware, restricts macros to sandboxed, trusted, or signed code only, removes legacy components like old PowerShell versions, introduces just-in-time administration, requires phishing-resistant MFA across the board, makes backups unmodifiable even by backup administrators, and requires centralised event logging that is actively monitored. The practical difference is a standing security operations capability.
Twelve months or more from a genuine ML2 position, for most organisations. The configuration work is the fast part. Building the monitoring, detection, and incident response rhythm that ML3 assessors test takes sustained effort, and many organisations buy it as a managed detection and response service rather than building an internal security operations team.
No. The ACSC does not certify any Essential Eight maturity level. Your ML3 status is established through assessment, either self-assessed or by an independent assessor following the ASD’s Essential Eight assessment process guide, and independent assessment is commonly required by government directives, regulators, or contracts at this level. Assessments must also progress in order: ML2 must be demonstrated before an ML3 assessment begins.
You can implement controls unevenly, but your overall maturity is the lowest level achieved across all eight strategies, so ML3 in two strategies and ML1 in one still reports as ML1. The ACSC explicitly advises reaching a consistent maturity level across all eight before targeting the next, because the strategies are designed to complement each other.