Protective Security Policy Framework (PSPF)
Federal entities bound by PSPF — governance, information, personnel + physical security.
criticalcurrentannual
Who must comply
All Commonwealth entities + contracted providers handling Commonwealth info.
What triggers it
Commonwealth entity status or handling of Commonwealth security-classified info.
When due
Annual maturity self-assessment + reporting.
Evidence required
PSPF maturity assessment report.
Max penalty
—
Effective from
1 July 2025
Summary
PSPF Release 2024 in force 1 July 2025. Sets minimum protective security requirements for Australian Government entities. Outcomes-based + 16 requirements. Annual reporting to Home Affairs.
Enforced by
Topics
cyber-securitypublic-sector
Related obligations
- CWLTHSoNS — Systems of National Significance (SOCI)Declared SoNS face enhanced cyber security obligations.
- CWLTHPublic Interest Disclosure Act 2013 (federal whistleblower)Federal public sector whistleblower regime + protections.
- CWLTHDefence Industry Security Program (DISP)Defence contractors handling classified info must be DISP-accredited at appropriate level.
- CWLTHData Availability and Transparency Act 2022Commonwealth data sharing regime — accredited users + entities.
Frequently asked questions
- Who must comply with Protective Security Policy Framework (PSPF)?
- All Commonwealth entities + contracted providers handling Commonwealth info.
- What triggers Protective Security Policy Framework (PSPF)?
- Commonwealth entity status or handling of Commonwealth security-classified info.
- When is Protective Security Policy Framework (PSPF) due?
- Annual maturity self-assessment + reporting.
- What evidence is required for Protective Security Policy Framework (PSPF)?
- PSPF maturity assessment report.
Source: https://www.protectivesecurity.gov.au. Rules Mate is not a law firm. Always verify against the live regulator source before acting.