The Protective Security Policy Framework: what PSPF requires of Commonwealth entities
The PSPF sets mandatory security requirements for non-corporate Commonwealth entities and a recommended framework for others. Here's the 16-policy structure and how it reaches government contractors.
What the PSPF is
The Protective Security Policy Framework (PSPF) is the Australian Government’s security policy framework, administered by the Attorney-General’s Department. It provides a standardised approach to security across government.
The PSPF establishes mandatory security requirements for non-corporate Commonwealth entities. While mandatory for these entities, it is also recommended for corporate Commonwealth entities and state and territory bodies.
The framework is structured around 16 policies, grouped into four outcomes:
- Security governance
- Information security
- Personnel security
- Physical security
Entities can use tools such as an Essential Eight maturity assessment to check one part of their compliance, namely the information-security controls; the annual PSPF self-assessment covers all four outcomes.
Security governance + reporting
Commonwealth entities are required to establish robust security governance arrangements. A key element of this is the designation of a Chief Security Officer (CSO) who holds responsibility for protective security within the entity.
Entities have a mandatory obligation to conduct an annual self-assessment against the Protective Security Policy Framework (PSPF) requirements. The results of this assessment must be reported to both portfolio Ministers and the Attorney-General's Department.
Furthermore, entities must adhere to PSPF expectations regarding the reporting of material security incidents.
Information security and the Essential Eight
PSPF information-security policies require Commonwealth entities to adhere to the Australian Signals Directorate's Information Security Manual (ISM) for technical controls. This provides a framework for managing information security risks.
Non-corporate Commonwealth entities are specifically required to implement the Australian Signals Directorate's Essential Eight mitigation strategies. The page's summary is that these strategies must be implemented to at least Maturity Level Two for systems that hold OFFICIAL: Sensitive or higher classifications. Cyber security incidents must be reported to the ASD's Australian Cyber Security Centre, in addition to the PSPF's own incident-reporting obligations.
Higher classifications, such as PROTECTED, SECRET, and TOP SECRET, necessitate more stringent handling, storage, and access controls than those applied to OFFICIAL: Sensitive information.
Reach into government contractors
PSPF requirements extend beyond Commonwealth entities to encompass their contractors. Government contracts are increasingly incorporating PSPF-derived requirements, particularly where contractors handle government information or provide critical services. This reflects a recognition of the shared responsibility for protecting government assets and data.
Contractors should anticipate that tender processes will include questions designed to assess their PSPF alignment. These questions are likely to cover areas such as whether they operate an Information Security Management System (ISMS) and how its controls align with the ISM, the maturity level of their Essential Eight controls, and the processes they have in place for personnel security clearances.
The Australian Government Security Vetting Agency (AGSVA) administers industry security clearances, and these arrangements are aligned with PSPF. Contractors should familiarise themselves with AGSVA guidance to ensure compliance.
Frequently asked
Does the PSPF apply to private businesses?
Not directly. The PSPF sets mandatory requirements for non-corporate Commonwealth entities and is recommended for others. However, contracts with Commonwealth entities increasingly impose PSPF-derived requirements on contractors handling government information or providing critical services.
What is the Essential Eight Maturity Level for PSPF?
Non-corporate Commonwealth entities must implement the Australian Signals Directorate's Essential Eight to at least Maturity Level Two for systems holding OFFICIAL: Sensitive or higher classifications. Higher classifications attract more stringent controls under the ISM.