Maturity Level 3 (ML3) is the advanced maturity level in the ACSC Essential Eight Maturity Model. It is calibrated for organisations facing well-resourced, persistent adversaries — typically nation-state-grade threat actors, though sophisticated criminal groups now operate at similar capability levels.
ML3 introduces significant additional controls. Notable examples: application control adds Microsoft-signed driver enforcement and validated rule sets; privileged access becomes just-in-time, with jump servers and full session recording; multi-factor authentication must be phishing-resistant across the board (FIDO2, smart cards), including for break-glass accounts; backups must be immutable, off-network, and restoration-tested monthly.
ML3 is the right target for organisations whose threat profile genuinely warrants nation-state-grade resilience — Commonwealth defence-adjacent agencies, critical infrastructure operators under the SOCI Act, and tier-1 banks. For mid-market firms, ML3 controls carry an operational cost that rarely pays back. The pragmatic pattern: stabilise at ML2, document a planned ratchet to ML3, and execute the ratchet only when the threat profile or regulatory exposure shifts.