Security · 7 min read · 20 May 2026

The ACSC Essential Eight and Website Certificate Management

The Australian Cyber Security Centre's Essential Eight framework addresses certificate management through patch management and application hardening. Here's how SSL monitoring fits in.

By CertGuard Team

The Australian Cyber Security Centre (ACSC) Essential Eight is the Australian government's baseline cybersecurity framework for organisations. While it doesn't address SSL certificate management as a standalone control, certificate management intersects directly with several of the Eight — and organisations at Maturity Level 2 and above have implicit obligations that include maintaining valid SSL certificates.

Disclaimer: This post is for informational purposes only and does not constitute legal or compliance advice. Verify all requirements against current ACSC publications before making compliance decisions.

This post explains how certificate management fits into the Essential Eight and what Australian organisations need to demonstrate.

What Is the Essential Eight?

The Essential Eight is a set of baseline mitigation strategies prioritised by the ACSC to protect against the most common cyber threats. It is not a complete security program; it is the minimum set of controls the ACSC expects every organisation to have in place before investing elsewhere.

The Eight strategies are:

  1. Patch applications
  2. Patch operating systems
  3. Multi-factor authentication
  4. Restrict administrative privileges
  5. Application control
  6. Restrict Microsoft Office macros
  7. User application hardening
  8. Regular backups

The Essential Eight is mandated for non-corporate Commonwealth entities under PSPF Policy 10 (with a target of Maturity Level 2 by 2030), and is widely adopted by state government agencies, critical infrastructure operators, and private organisations seeking to demonstrate security baseline compliance.

SSL certificates don't appear by name in any of the Eight. But they're implicated in at least three of them.

Essential Eight Intersection Points

1. Patch Applications (Strategy 1)

Patching applications to fix security vulnerabilities is the first and highest-priority Essential Eight strategy. The line between the two patching strategies matters for TLS: libraries bundled with an application (a vendor's own OpenSSL build, Java's JSSE, Go's crypto/tls) are patched under this strategy, while TLS stacks that ship with the operating system (SChannel on Windows; the distribution's OpenSSL, LibreSSL or NSS packages) are covered by Strategy 2 below. Bundled stacks are the ones most often missed by an OS-only patch process.

Critical vulnerabilities in SSL/TLS stacks have repeatedly required rapid patching. Heartbleed (OpenSSL, CVE-2014-0160, 2014) was a library bug that let an unauthenticated client read server memory, including private keys. POODLE (2014) and BEAST (2011) were protocol-level weaknesses in SSLv3 and TLS 1.0 respectively, closed partly by library updates and partly by disabling the affected protocol versions. An organisation still running a TLS implementation with a known, unpatched vulnerability beyond the model's patching timeframe is non-compliant with this strategy.

The maturity model sets patching timeframes for internet-facing services at every maturity level: in the November 2023 model, within 48 hours where a working exploit exists and otherwise within two weeks (check the current ACSC Essential Eight Maturity Model for exact timelines, as these are revised periodically). TLS library vulnerabilities frequently carry high CVSS scores and public exploit code, so the 48-hour window often applies.

Certificate management intersects here because a valid certificate on an unpatched server proves little. Heartbleed is the clearest case: the private key behind a perfectly valid certificate could be read out of memory, which is why affected organisations had to revoke and reissue certificates after patching, not merely patch.

2. Patch Operating Systems (Strategy 2)

Web servers run on operating systems, and on most platforms the TLS stack is an OS component: SChannel on Windows, and the distribution-packaged OpenSSL or GnuTLS that Apache, nginx and most other Linux services link against. OS patching therefore affects TLS security directly.

Microsoft's monthly security updates regularly include SChannel and cryptographic library fixes; Linux distributions ship OpenSSL updates through their package repositories. An unpatched OS may run an outdated TLS stack regardless of how the certificate itself is configured. Software that carries its own TLS library (Java-based servers, statically linked Go binaries, container images with their own OpenSSL) is not fixed by OS patching at all and belongs back under Strategy 1.

3. User Application Hardening (Strategy 7)

In the Essential Eight itself, this strategy targets workstation software: web browsers, Microsoft Office and PDF readers are configured to block or remove risky features (Java, Flash, advertisements) in a way users cannot revert. It matters for TLS because the hardened browser is the client your services must satisfy: current browsers no longer negotiate TLS 1.0 or 1.1 and block expired or untrusted certificates with an interstitial, so server-side TLS hardening is the supply side of the same control. The server-side detail comes from the ACSC's ISM and its guidance on implementing certificates and TLS rather than from the Essential Eight text.

The ACSC's specific guidance for TLS hardening includes:

At higher maturity levels these are not optional recommendations; assessors expect them to be enforced and evidenced, not merely documented.

A valid certificate is the prerequisite for all of them. A hardened TLS configuration buys nothing once the certificate expires: browsers refuse the connection or show a full-page warning, and every user taught to click through that warning is being trained to ignore the very control the hardening relies on.

The Maturity Model and Certificate Management

The Essential Eight Maturity Model defines four levels, Maturity Level 0 through Maturity Level 3:

Maturity Level 0: Weaknesses in the organisation's overall security posture; the mitigation strategies are not adequately implemented.

Maturity Level 1: Mitigation strategies to prevent opportunistic attacks using commodity tradecraft.

Maturity Level 2: Mitigation strategies to prevent more sophisticated attacks. Evidence of implementation and monitoring is required.

Maturity Level 3: Mitigation strategies to prevent targeted attacks by advanced adversaries. Continuous monitoring and formal evidence are required.

At Maturity Level 2 and above, organisations must demonstrate that controls are implemented and working. This includes:

A certificate that expires represents a failure of the organisation's process controls — something an assessor would document as a gap, even if not specifically named in the Eight.

The ACSC Information Security Manual (ISM)

For more detailed guidance, the ACSC publishes the Information Security Manual (ISM), the control framework Australian government entities apply to their systems under the PSPF, and a widely referenced standard for private sector security.

The ISM contains specific controls for TLS. Key controls relevant to TLS (as of the October 2024 ISM; verify control identifiers against the current ACSC ISM, as it is revised regularly):

For organisations subject to the ISM (Commonwealth entities and their suppliers), these are mandatory controls that will be assessed.

What You Need to Document

For Essential Eight assessments, you need to demonstrate that your TLS configuration is maintained. Practical documentation includes:

Certificate inventory: A record of all publicly accessible systems and their SSL certificates, including every domain and SAN covered, issuing CA, key type, and expiry dates.

TLS configuration baseline: Documentation of the TLS version(s) and cipher suites enabled on each system.

Change management records: Evidence that certificate renewals, configuration changes, and patches are managed through a formal process.

Monitoring evidence: Logs showing that certificate status is actively monitored. An alert history from a monitoring tool — showing regular checks and timely notifications — is evidence that this control is operating.

Patch records: Evidence that SSL/TLS library patches have been applied within the required timeframes.

Practical Steps for Essential Eight Compliance

For organisations at any maturity level:

  1. Run the Qualys SSL Labs server test (or an equivalent scanner) on all publicly accessible web services and document the results
  2. Disable TLS 1.0 and 1.1 on all web servers, and verify from outside the network that the server no longer completes a handshake at those versions
  3. Implement HSTS on all public-facing web services, only once every host the policy covers serves valid HTTPS, since a year-long max-age locks users out of any subdomain whose certificate later lapses
  4. Create a certificate inventory

For Maturity Level 2 and above:

  1. Implement formal certificate monitoring with alert logging
  2. Document the certificate renewal process with defined ownership
  3. Schedule quarterly TLS configuration reviews
  4. Include SSL/TLS library patches in your patch management process

For organisations subject to the ISM:

  1. Implement specific controls referenced above
  2. Ensure all public-facing certificates are issued by a publicly trusted CA
  3. Maintain audit trails of certificate management activities
  4. Verify with your assessor whether your chosen certificate authority meets ISM requirements for your specific classification context (Let's Encrypt is browser-trusted and broadly accepted, but confirm suitability for your environment)
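As an added example that ties the documentation section and the practical steps above together (it is not CertGuard's code or ACSC tooling), the following Python checker records the inventory fields listed earlier, flags approaching or past expiry, flags a negotiated protocol version below the TLS 1.2 baseline, checks that the hostname is actually covered by the certificate, and probes whether a server still accepts TLS 1.0/1.1. The alert thresholds, the sample certificate dictionary and the host names are assumptions constructed for the example.

```python
"""Certificate inventory and TLS baseline checker (added example, not CertGuard code).

The alert thresholds are an assumed organisational baseline, not values taken
from the Essential Eight or the ISM.
"""
from __future__ import annotations

import json
import socket
import ssl
import sys
from datetime import datetime, timezone

WARN_DAYS = 30                               # assumed: first alert
CRIT_DAYS = 7                                # assumed: escalation
ALLOWED_VERSIONS = {"TLSv1.2", "TLSv1.3"}    # TLS 1.0/1.1 disabled (step 2 above)


def parse_not_after(not_after: str) -> datetime:
    """Convert a 'notAfter' string as ssl.getpeercert() returns it to an aware UTC datetime."""
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)


def hostname_covered(host: str, sans: list[str]) -> bool:
    """Exact SAN match, or a single-label wildcard on the parent domain."""
    parent = host.split(".", 1)[1] if "." in host else ""
    return host in sans or (parent != "" and f"*.{parent}" in sans)


def evaluate(host: str, cert: dict, tls_version: str, now: datetime) -> dict:
    """Turn one observation into an inventory record with findings and a status."""
    expires = parse_not_after(cert["notAfter"])
    days = (expires - now).days                       # negative once expired
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ())).get("organizationName", "unknown")
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    covered = hostname_covered(host, sans)
    findings = []
    if days < 0:
        findings.append("certificate expired")
    elif days <= WARN_DAYS:
        findings.append(f"expires in {days} days")
    if tls_version not in ALLOWED_VERSIONS:
        findings.append(f"negotiated {tls_version}; baseline requires TLS 1.2 or later")
    if not covered:
        findings.append("hostname not covered by subjectAltName")
    if days < 0 or tls_version not in ALLOWED_VERSIONS or not covered:
        status = "FAIL"
    elif days <= CRIT_DAYS:
        status = "CRIT"
    elif days <= WARN_DAYS:
        status = "WARN"
    else:
        status = "OK"
    return {"checked_at": now.isoformat(), "host": host, "issuer": issuer,
            "not_after": expires.isoformat(), "days_remaining": days,
            "tls_version": tls_version, "sans": sans, "status": status,
            "findings": findings}


def fetch_live(host: str, port: int = 443, timeout: float = 5.0) -> tuple[dict, str]:
    """Full-verification handshake; returns (peer certificate dict, negotiated version).
    Caveat: the default context rejects expired or untrusted certificates during the
    handshake, so those surface as ssl.SSLCertVerificationError, not as a record."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(), tls.version()


def accepts_legacy_tls(host: str, port: int = 443, timeout: float = 5.0) -> bool:
    """True if the server still completes a TLS 1.0/1.1 handshake. Verification is
    disabled because only protocol negotiation is under test here, not trust."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1
        ctx.maximum_version = ssl.TLSVersion.TLSv1_1
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")      # OpenSSL 3 refuses TLS <1.2 otherwise
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() in ("TLSv1", "TLSv1.1")
    except (ssl.SSLError, OSError, ValueError):
        return False


def run(hosts: list[str], now: datetime | None = None) -> list[dict]:
    """Check each host and return one record per host (the monitoring evidence)."""
    now = now or datetime.now(timezone.utc)
    records = []
    for host in hosts:
        try:
            cert, version = fetch_live(host)
            rec = evaluate(host, cert, version, now)
        except ssl.SSLCertVerificationError as exc:   # subclass of SSLError: catch first
            rec = {"checked_at": now.isoformat(), "host": host, "status": "FAIL",
                   "findings": [f"verification failed: {exc.verify_message}"]}
        except OSError as exc:
            rec = {"checked_at": now.isoformat(), "host": host, "status": "ERROR",
                   "findings": [str(exc)]}
        rec["accepts_legacy_tls"] = accepts_legacy_tls(host)
        records.append(rec)
    return records


# Constructed sample in the shape ssl.getpeercert() returns; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notBefore": "Mar  1 00:00:00 2026 GMT",
    "notAfter": "May 30 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

if __name__ == "__main__":
    for record in run(sys.argv[1:]):
        print(json.dumps(record))    # one JSON line per host; append to the monitoring log
```

Run it as `python checker.py www.example.com api.example.com` from a cron job and keep the JSON lines; a dated, append-only log of these records is exactly the "monitoring evidence" an assessor asks for. Two failure modes are handled deliberately: an already-expired certificate is reported as a verification failure rather than silently skipped, and the legacy probe reports False (not an exception) when the client itself cannot speak TLS 1.0/1.1, so treat a False from that probe as "not observed" rather than proof the server is hardened unless you have confirmed the client can negotiate those versions.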

CertGuard provides continuous monitoring with exportable logs that serve as evidence of active certificate management — a documented control rather than an ad hoc process.

Free for up to 3 domains. Business and Enterprise plans support the full certificate inventories required for larger organisations.

Monitor Your SSL Certificates Automatically

CertGuard monitors your certificates automatically and alerts you before anything expires. Free for up to 3 domains.

Start Free →