The Essential 8 maturity levels are ML1, ML2 and ML3, a tiered scale defined by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC) to describe how strongly you have implemented the eight mitigation strategies. Each level is built to defend against an increasingly capable adversary, and the levels are cumulative: ML2 includes everything in ML1, and ML3 includes everything in ML1 and ML2. Most Australian businesses pursuing government work target ML1 or ML2, with the specific level usually set by the contract or agency.
What are the Essential 8 maturity levels?
The Essential 8 maturity levels are the ACSC's way of measuring how well an organisation has implemented the eight strategies, on a scale from Maturity Level Zero up to Maturity Level Three. Per the ACSC's Essential Eight Maturity Model, the three target levels (ML1, ML2 and ML3) are based on mitigating increasing levels of adversary tradecraft (the tools, tactics, techniques and procedures an attacker uses) and targeting.
The eight strategies themselves are: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Your maturity level is not a single overall score. It is assessed strategy by strategy, and the ACSC recommends you reach the same level across all eight before you climb higher. You can assess where you stand across all eight using the Essential 8 maturity assessment.
Maturity Level Zero
Maturity Level Zero means the requirements of ML1 have not yet been met for one or more strategies. The ACSC describes ML0 as signifying weaknesses in an organisation's overall cyber security posture that, when exploited, could compromise the confidentiality of data or the integrity and availability of systems and data. It is not a target to aim for. It is the starting point most organisations are at before they begin, and it exists so assessors have an honest rating for gaps that fall short of ML1.
Essential 8 ML1: who it is for and what it stops
ML1 is the baseline level, designed to stop opportunistic attackers using widely available, off-the-shelf techniques. Per the ACSC, the focus of Maturity Level One is malicious actors content to leverage commodity tradecraft that is widely available in order to gain access to, and likely control of, a system. These attackers are typically looking for any victim rather than a specific one. They scan broadly for common weaknesses such as unpatched vulnerabilities with publicly available exploits, or accounts secured with stolen, reused, brute-forced or guessed credentials.
ML1 is the right target for most small and medium Australian businesses starting their Essential 8 journey, and it is frequently the minimum bar for lower-risk government and supplier engagements. In a Microsoft 365 environment, ML1 covers fundamentals such as enforcing multi-factor authentication for users authenticating to internet-facing services, blocking or disabling untrusted Office macros, keeping operating systems and applications patched within ACSC timeframes, and restricting who holds administrative privileges. It is achievable for most organisations without major new infrastructure, which is why it is the natural first milestone.
Essential 8 ML2: the step up most contracts ask for
ML2 raises the bar to defend against attackers willing to invest more time and effort, and it is the level many medium-sized organisations and government-adjacent contracts require. Per the ACSC, Maturity Level Two focuses on malicious actors operating with a modest step-up in capability from ML1. These actors are willing to invest more time in a target and in the effectiveness of their tools, and they are likely to be more selective about who they go after, though still somewhat conservative in the money and effort they will spend.
Because the levels are cumulative, ML2 includes every ML1 control plus tighter, more frequent and better-monitored versions of them. A defining addition at ML2 is the centralised collection, protection and analysis of event logs to detect potential signs of compromise, together with reporting and responding to identified cyber security incidents. In practice this means shorter patching windows, stronger application control, phishing-resistant multi-factor authentication for more user groups, and genuine logging and monitoring rather than controls that exist only on paper. ML2 is where many organisations move from "we have the settings configured" to "we can detect and respond when something goes wrong."
Essential 8 ML3: hardened against targeted adversaries
ML3 is the highest level, built to resist adaptive attackers who deliberately work around your specific controls. Per the ACSC, Maturity Level Three targets malicious actors who are more adaptive and much less reliant on public tools and techniques. These actors are more focused on particular targets and are willing and able to invest effort into circumventing the particular policy and technical controls a target has implemented.
ML3 adds requirements focused on hardening the administrative infrastructure that privileged users rely on. The ACSC specifically references using Secure Admin Workstations and enabling both memory integrity (memory isolation) and Local Security Authority protection within Microsoft Windows. ML3 is typically reserved for organisations handling sensitive government data or operating in higher-threat environments, and reaching it is a significant program of work. Importantly, the ACSC is clear that even ML3 is not a guarantee against every threat. It is a strong, risk-based baseline, not a promise of total protection.
Why the maturity levels are cumulative
The levels are cumulative because each one is built on top of the one below it, so you cannot claim a higher level while leaving lower-level requirements unmet. To be assessed at ML2 for a given strategy, you must satisfy all of the ML1 requirements for that strategy plus the additional ML2 requirements. The same applies stepping from ML2 to ML3. There is no shortcut where you skip ahead and implement only the advanced controls.
This is also why the ACSC recommends implementing the Essential 8 as a package and reaching the same maturity level across all eight strategies before moving up. The strategies are designed to reinforce one another. Strong multi-factor authentication does little if your administrative privileges are unrestricted, and patching is undermined if untrusted macros can still run. Lifting all eight together avoids leaving a single weak strategy that an attacker can pivot through.
Which maturity level does your business need?
The level you need is usually set by your obligations, not chosen freely, so start by checking what your contracts, agency or regulator require. Many Australian government and defence-related engagements specify a minimum maturity level, and that requirement should anchor your target. If no specific level is mandated, ML1 is a sound and widely recommended baseline for small and medium businesses, with ML2 as the next goal as your risk profile or client expectations grow.
A practical approach is to assess your current state across all eight strategies first, identify the strategy holding back your overall rating, then close that gap before lifting the whole set. You can map your current position with the Essential 8 maturity assessment, and see how automated scanning and remediation fit together on the Essential 8 compliance page.
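The rating logic described in the two sections above (a strategy only reaches a level when every requirement at that level and every level below it is met, the overall rating is the lowest strategy, and the practical next step is to list the gaps holding the weakest strategy back) can be written down as a small model. The code below is an added example, not part of this page or CYBERWHITE's product; the strategy subset and the requirement identifiers are constructed placeholders standing in for the ACSC's actual requirement text.

```python
"""Cumulative Essential Eight maturity rating model (added example, not the ACSC's or CYBERWHITE's code)."""
from typing import Dict, List, Set

LEVELS = (1, 2, 3)

# Constructed placeholder requirements for three of the eight strategies, keyed by
# maturity level. The real requirement wording lives in the ACSC Essential Eight
# Maturity Model; only the cumulative structure is modelled here.
REQUIREMENTS: Dict[str, Dict[int, List[str]]] = {
    "multi-factor authentication": {
        1: ["mfa_for_internet_facing_services"],
        2: ["mfa_phishing_resistant_privileged_users"],
        3: ["mfa_phishing_resistant_all_users"],
    },
    "restrict administrative privileges": {
        1: ["privileged_access_requests_validated"],
        2: ["privileged_access_revalidated_annually"],
        3: ["secure_admin_workstations_in_use"],
    },
    "patch operating systems": {
        1: ["critical_os_patches_within_48h"],
        2: ["vulnerability_scanner_used_daily"],
        3: ["unsupported_os_versions_removed"],
    },
}


def strategy_level(strategy: str, met: Set[str]) -> int:
    """Return the highest level whose requirements, and all lower levels' requirements, are met.

    Stops at the first level with a gap, so a strategy that satisfies an ML2
    requirement while missing an ML1 requirement is still rated ML0.
    """
    achieved = 0
    for level in LEVELS:
        if all(req in met for req in REQUIREMENTS[strategy][level]):
            achieved = level
        else:
            break  # cumulative: a higher level cannot be claimed over a gap below it
    return achieved


def per_strategy_levels(met: Set[str]) -> Dict[str, int]:
    """Rate every strategy independently; the model has no single blended score."""
    return {name: strategy_level(name, met) for name in REQUIREMENTS}


def overall_level(met: Set[str]) -> int:
    """The organisation's level is the lowest level reached by any strategy."""
    return min(per_strategy_levels(met).values())


def gaps_to_next_level(met: Set[str]) -> Dict[str, List[str]]:
    """For each strategy, list the unmet requirements at the next level up.

    This is the practical 'find the strategy holding back the rating' view:
    strategies already at ML3 return an empty list.
    """
    gaps: Dict[str, List[str]] = {}
    for name, level in per_strategy_levels(met).items():
        if level == 3:
            gaps[name] = []
            continue
        gaps[name] = [r for r in REQUIREMENTS[name][level + 1] if r not in met]
    return gaps


if __name__ == "__main__":
    # Constructed assessment result: MFA has skipped ahead to an ML2 control
    # without the ML1 one, privileges are at ML2, patching is at ML1.
    sample = {
        "mfa_phishing_resistant_privileged_users",
        "privileged_access_requests_validated",
        "privileged_access_revalidated_annually",
        "critical_os_patches_within_48h",
    }
    print(per_strategy_levels(sample))
    print("overall:", overall_level(sample))
    print(gaps_to_next_level(sample))
```

Run as a script it prints the per-strategy ratings, the overall level (ML0 in the constructed sample, because the MFA strategy has an ML1 gap despite meeting an ML2 requirement) and the requirements to close next; swap in your own requirement identifiers and assessment results to reuse the model.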
How CYBERWHITE helps you reach your target maturity level
CYBERWHITE combines a self-guided Essential 8 assessment with automated scanning of your Microsoft 365 environment, so you can see your maturity level strategy by strategy rather than guessing. Where a gap can be remediated through Microsoft Graph, one-click AutoFix can apply the change for you, with an approval step before anything is deployed. Findings are prioritised using the CARS adaptive risk scoring algorithm, so you tackle the gaps that most affect your maturity rating first.
CYBERWHITE is Australian owned and operated (ABN 31 598 198 475) and a DSI Licensed Commercial Holder of SMB1001. We are not IRAP assessed and we are not a substitute for a formal ACSC assessment. We are a tool to help you understand your current maturity, fix what you can quickly, and prepare the evidence you will need. To compare options for your business, see pricing.
Frequently asked questions
What are the Essential 8 maturity levels?
They are ML1, ML2 and ML3, three target levels defined by the ACSC that measure how strongly you have implemented the eight mitigation strategies, with each level designed to defend against a more capable adversary. There is also a Maturity Level Zero, which captures situations where ML1 requirements are not yet met.
Is ML2 cumulative, meaning it includes ML1?
Yes. To be assessed at ML2 for a strategy you must meet all of its ML1 requirements plus the additional ML2 requirements. ML3 in turn includes everything in ML1 and ML2.
What is Maturity Level Zero?
Maturity Level Zero indicates that the requirements of ML1 have not been met for one or more strategies. Per the ACSC, it signifies weaknesses in an organisation's cyber security posture that could be exploited to compromise data or systems. It is a starting rating, not a goal.
Which Essential 8 maturity level do I need for a government contract?
It depends on the specific contract, agency or regulator, as many specify a minimum maturity level. Check your tender or agreement documents first. Where no level is mandated, ML1 is a common baseline and ML2 a frequent next step.
What level should a small business aim for?
For most small and medium Australian businesses, ML1 is a sensible first target because it is achievable without major new infrastructure and addresses the most common, opportunistic attacks. ML2 is the logical follow-on as risk or client requirements increase.
What is the difference between ML1 and ML2?
ML1 defends against opportunistic attackers using commodity, widely available techniques. ML2 defends against attackers willing to invest more time and more effective tooling, and it adds requirements such as centralised event log collection, analysis, and incident response on top of stronger ML1 controls.
What does ML3 add over ML2?
ML3 targets adaptive attackers who work around specific controls and adds hardening of administrative infrastructure. Per the ACSC, this includes Secure Admin Workstations and enabling memory integrity and Local Security Authority protection in Microsoft Windows.
Does reaching ML3 make me fully secure?
No. The ACSC is clear that the Essential 8, even at ML3, is not a guarantee against all threats. It is a risk-based baseline that significantly reduces the likelihood and impact of common attacks, not a promise of total protection.
Do I have to reach the same level across all eight strategies?
The ACSC recommends planning your implementation to achieve the same maturity level across all eight strategies before moving to a higher level, because the strategies are designed to work as a package and reinforce one another.
How do I find out my current maturity level?
Assess each of the eight strategies against the ACSC requirements to see where you sit, then identify the weakest strategy dragging down your overall rating. The Essential 8 maturity assessment walks through this and can scan your Microsoft 365 environment to map your current state.