New Zealand’s National Cyber Security Centre (NCSC) has published its new Minimum Cyber Security Standards (MCSS), setting a new benchmark for cyber resilience.
Unlike a simple checklist, these standards are built on a maturity model, the Cyber Security Capability Maturity Model (CS-CMM). The goal isn't just to have a security control, but to prove that it is planned, repeatable, and effective. While intended for agencies under the Government Chief Information Security Officer (GCISO) mandate, the framework serves as a best-practice guide for any New Zealand organisation serious about building a mature security posture.
Achieving the mandated CS-CMM Level 2 (Planned & Tracked) and aspiring to higher levels of maturity requires a strategic approach. It's a goal that is difficult to sustain without mastering identity.
Identity is the common thread that runs through nearly every NCSC standard. Okta provides the central identity and access control plane to enforce policies, automate processes, and provide the critical audit evidence needed to demonstrate maturity.
NCSC’s MCSS for public sector agencies came into effect on October 30, 2025, mandating baseline controls for critical systems, with reporting on compliance starting April 2026.
How Okta Maps to the NCSC Standards
Okta plays a 'Primary' role with regard to the identity security controls, capabilities, and processes relevant to some standards, and a 'Supporting' role for others, where its capabilities may assist in meeting the requirements of the standard.
| NCSC Standard | Okta's Role | How Okta Helps |
|---|---|---|
| Risk Management | Supporting | Quantifies identity risks and maps them to compliance frameworks to prioritise remediation. |
| Security Awareness | Not Applicable | |
| Assets and their Importance | Supporting | Assigns business owners and risk classifications to digital assets to drive automated data-driven governance. |
| Secure Configuration of Software | Supporting | Enables configuration-as-code and continuous drift detection to help ensure policies remain secure. |
| Patching | Supporting | Enforces device compliance at the point of login, preventing unpatched devices from accessing resources. |
| Multi-factor Authentication | Primary | Enforces phishing-resistant, adaptive MFA across all applications, devices, and infrastructure. |
| Detect Unusual Behaviour | Primary | Automates the detection and remediation of identity threats before, during, and after authentication. |
| Least Privilege | Primary | Replaces standing privileges with automated, Just-in-Time (JIT) access for users and admins across applications and infrastructure. |
| Data Recovery | Not Applicable | |
| Response Planning | Supporting | Supports the vital records and immutable audit trails required to execute and verify response plans. |
While our full whitepaper details Okta's role across all primary and supporting standards, this post will focus on the three 'Primary' areas where identity is the core of the solution.
Multi-factor Authentication (Primary)
The NCSC standards identify Multi-Factor Authentication (MFA) as a foundational control. Okta delivers a comprehensive MFA solution that extends far beyond just modern web applications.
Our Adaptive MFA engine helps secure access to your cloud and third-party services. This coverage is extended by:
Okta Device Access (ODA) to enforce MFA from the desktop login screen on both Windows and macOS.
Okta Access Gateway (OAG) to apply modern MFA to your legacy on-premise applications.
Okta Privileged Access (OPA) to secure MFA for just-in-time access to critical infrastructure.
This unified approach allows you to advance in maturity by enforcing intelligent, risk-based policies and phishing-resistant factors like Okta Verify FastPass across your entire technology estate.
Detect Unusual Behaviour (Primary)
Okta's Role: Primary
Okta transforms threat detection from a reactive, manual process into a proactive, automated capability. We provide a centralised, immutable log of every identity event for your Security Incident and Event Management (SIEM), but our capabilities go far beyond just logging.
Adaptive MFA (AMFA) provides real-time risk analysis, using behavioural detections to trigger step-up authentication when activity is anomalous, protecting against account compromise.
Identity Threat Protection (ITP) offers built-in detections for active threats like session hijacking and brute-force attacks, leveraging Okta's own threat intelligence for continuous evaluation post authentication.
Okta Privileged Access (OPA) extends visibility to infrastructure, an area that is often overlooked. It can detect persistent, unmanaged administrator accounts on your servers so they can be brought under management or alerted on.
Identity Security Posture Management (ISPM) delivers deep posture analysis across Okta and your critical cloud applications and extends this continuous monitoring to automatically discover unmanaged “Shadow AI” usage and risky OAuth authorisations. Its detections can be fed into Okta Workflows to trigger automated remediation, such as suspending a user or seamlessly onboarding a newly discovered Shadow AI agent into centralised governance.
Least Privilege (Primary)
Okta's Role: Primary
This standard focuses on replacing high-risk standing privileges with an on-demand, just-in-time (JIT) model. Crucially, this extends beyond human administrators to govern the rapidly growing footprint of Non-Human Identities (NHI) and autonomous Agentic AI. Okta's unified identity security fabric enforces this in the following ways:
Okta Identity Governance (OIG) automates the entire access lifecycle. It uses Access Certification Campaigns—which can be scheduled or triggered dynamically by an event like a role change—to help ensure users do not accumulate access over time.
Okta Privileged Access (OPA) delivers temporary, policy-approved access to critical infrastructure like Windows/Linux servers and Active Directory, whilst Okta Identity Governance (OIG) provides just-in-time access to applications and cloud services.
Okta secures AI by treating autonomous AI agents as distinct identities that can only access data on behalf of a human user, and strictly within that user’s existing permissions, while subjecting their access to the same automated review cycles as human employees.
Okta Identity Security Posture Management (ISPM) provides continuous monitoring for identity risks. When combined with Okta Workflows, it can trigger automated remediation for a detected risk, such as removing a rogue privileged account.
Start Your Maturity Journey Today
The NCSC Minimum Cyber Security Standards challenge New Zealand organisations to build a truly resilient and provable security posture. Achieving CS-CMM Level 2 requires a strategic platform that can centralise, enforce, and automate your identity controls.
To see a detailed, control-by-control analysis of how Okta maps to every maturity level (CS-CMM 2, 3, and 4) and provides a clear pathway to maturity, download the full whitepaper today.