78% of Federal Agencies Fail to Meet Mandatory Cyber Security Standards

Nearly four in five federal government entities are failing to meet the mandatory baseline for cyber security, according to the Commonwealth Cyber Security Posture in 2025 report. The report, released by the Australian Signals Directorate (ASD), reveals that only 22 per cent of agencies have achieved the required Maturity Level 2 (ML2) across the Essential Eight mitigation strategies.

While this marks a slight increase from the 15 per cent success rate in 2024, progress has been outpaced by a hardening of security controls necessitated by an evolving threat environment. The result is a systemic compliance gap, with 78 per cent of government bodies unable to demonstrate a moderate level of protection against sophisticated cyber adversaries.

The Protective Security Policy Framework (PSPF) has required all non-corporate Commonwealth entities to achieve ML2 since July 2022. ML2 represents a robust security baseline designed to thwart adversaries using sophisticated, modern techniques. Its requirements include phishing-resistant multi-factor authentication and patching critical software vulnerabilities within 48 hours.

A key reason for the failure is the persistent reliance on legacy IT systems, which 59 per cent of entities said actively inhibited their ability to implement basic security measures. While this is an improvement from 71 per cent in 2024, modernisation is often blocked by structural hurdles. The report identifies lack of dedicated funding (34 per cent) as the most significant reason for continued use of legacy systems, followed by lack of viable replacements (18 per cent) and shortage of skilled personnel (16 per cent).

Beyond technical failures, the report exposes a concerning decline in specialised workforce development. While general annual training increased to 87 per cent, the proportion of entities providing annual training for privileged users dropped from 51 per cent to 45 per cent. This retreat in specialised training occurs alongside a persistent culture of silence, with only 35 per cent of entities reporting at least half of their observed cyber incidents to the ASD.
