Essential 8 Readiness · Deep dive 02

Meeting the 48-hour patch rule without living in the console

ASD's ML2 now expects critical internet-facing fixes in 48 hours. Here is the patch pipeline on Azure Policy and Defender that actually holds that line.

Draft outline · Operations lens
The anchor

The updated Essential Eight tightened patch timelines: Maturity Level 2 expects critical vulnerabilities on internet-facing assets patched within 48 hours, with faster application patching and weekly scanning. That is driven by the collapsing gap between disclosure and exploitation, exactly the pattern the Ivanti and Fortinet edge CVEs demonstrated.

Sources we build on
Primary

Primary source for the tightened patch timelines and what each level now requires.

Journalism
Ars Technica / The Record on the shrinking exploit window

Independent reporting showing why 48 hours exists: same-week, sometimes same-day exploitation.

Article outline
  1. Why 48 hours. The disclosure-to-exploitation window has collapsed.
  2. The pipeline. Update Manager, Azure Policy and Defender doing the currency work.
  3. Internet-facing first. Prioritising the assets the rule cares about most.
  4. Evidence for the assessor. Proving currency, not asserting it.
  5. The exceptions. Handling what cannot be patched in the window.
How it aligns to what we do

An operations piece: running a patch pipeline that meets a specific, demanding SLA. It connects the E8 requirement to the edge-device reality (the VPN dive) and shows we operate the control, not just recommend it.

Points to hit
Control it ratifies
ISM / E8 E8 Patch operating systems and Patch applications at Maturity Level 2; supports ISM vulnerability-management guidelines.