Australian Government Architecture

Protective Security Policy Framework (PSPF)

What is the Protective Security Policy Framework (PSPF)?

Although not administered by the DTA, the PSPF (administered by the Attorney-General’s Department) assists Australian Government entities to protect their people, information, and assets – both at home and overseas, and is an important consideration of digital proposals.

The PSPF is one of the whole-of-government digital policies and standards that the DTA uses to assess whether a digital or ICT-enabled investment proposal is robust, of high quality and can be brought forward for Government consideration.

Further detail on the requirements for agencies when bringing forward digital and ICT-enabled investment proposals for Government consideration can be found at the Contestability (Budget) stage of the Whole-of-Government Digital and ICT Oversight Framework.


The framework applies to Non-corporate Commonwealth entities subjected to the Public Governance, Performance and Accountability Act 2013, and entities must apply the PSPF as it relates to their risk environment. 

Non-government organisations that access security ‑ classified information may be required to enter into a deed or agreement to apply relevant parts of the PSPF for that information. 

State and territory government agencies that hold or access Commonwealth security ‑ classified information must apply the PSPF to that information consistent with arrangements agreed between the Commonwealth, states and territories. 

Policy Requirements

There are 16 core requirements in the PSPF. Accountable entities must achieve appropriate application of the protective security to its operational environment so that it effectively enables entities to protect the Government’s people, information, and assets.

  • The accountable authority is answerable to their minister and the government for the security of their entity.

    The accountable authority of each entity must:

    1. determine their entity's tolerance for security risks
    2. manage the security risks of their entity
    3. consider the implications their risk management decisions have for other entities, and share information on risks where appropriate

    The accountable authority of a lead security entity must:

    1. provide other entities with advice, guidance and services related to government security
    2. ensure that the security support it provides helps relevant entities achieve and maintain an acceptable level of security
    3. establish and document responsibilities and accountabilities for partnerships or security service arrangements with other entities.
  • The accountable authority must:

    1. appoint a Chief Security Officer (CSO) at the Senior Executive Service level to be responsible for security in the entity
    2. empower the CSO to make decisions about:
      1. appointing security advisors within the entity
      2. the entity's protective security planning
      3. the entity's protective security practices and procedures
      4. investigating, responding to, and reporting on security incidents, and
    3. ensure personnel and contractors are aware of their collective responsibility to foster a positive security culture, and are provided sufficient information and training to support this.
  • Each entity must have in place a security plan approved by the accountable authority to manage the entity's security risks. The security plan details the:

    1. security goals and strategic objectives of the entity, including how security risk management intersects with and supports broader business objectives and priorities
    2. threats, risks and vulnerabilities that impact the protection of an entity's people, information and assets
    3. entity's tolerance to security risks
    4. maturity of the entity's capability to manage security risks
    5. entity's strategies to implement security risk management, maintain a positive risk culture and deliver against the PSPF.
  • Each entity must assess the maturity of its security capability and risk culture by considering its progress against the goals and strategic objectives identified in its security plan

  • Each entity must report on security:

    1. each financial year to its portfolio minister and the Attorney-General's Department on:
      1. whether the entity achieved security outcomes through effectively implementing and managing requirements under the PSPF
      2. the maturity of the entity's security capability
      3. key risks to the entity's people, information and assets, and
      4. details of measures taken to mitigate or otherwise manage identified risks
    2. affected entities whose interests or security arrangements could be affected by the outcome of unmitigated security risks, security incidents or vulnerabilities in PSPF implementation, and
    3. the Australian Signals directorate in relation to cyber security matters.
  • Each entity is accountable for the security risks arising from procuring goods and services, and must ensure contracted providers comply with relevant PSPF requirements

  • Each entity must adhere to any provisions concerning the security of people, information and assets contained in international agreements and arrangements to which Australia is a party

  • Each entity must:

    1. identify information holdings
    2. assess the sensitivity and security classification of information holdings
    3. implement operational controls for these information holding proportional to their value, importance and sensitivity.
  • Each entity must enable appropriate access to official information. This includes:

    1. sharing information within the entity, as well as with other relevant stakeholders
    2. ensuring that those who access sensitive or security classified information have an appropriate security clearance and need to know that information
    3. controlling access (including remote access) to supporting ICT systems, networks, infrastructure, devices and applications.
  • Each entity must mitigate common cyber threats by:

    1. implementing the following mitigation strategies from the Strategies to Mitigate Cyber Security Incidents:
      1. application control
      2. patch applications
      3. configure Microsoft Office macro settings
      4. user application hardening
      5. restrict administrative privileges
      6. patch operating systems
      7. multi-factor authentication
      8. regular backups
    2. considering which of the remaining mitigation strategies from the Strategies to Mitigate Cyber Security Incidents need to be implemented to achieve an acceptable level of residual risk for their entity.
  • Each entity must assess ensure the secure operation of their ICT systems to safeguard information and the continuous delivery of government business by applying the Australian Government Information Security Manual's cyber security principles during all stages of the lifecycle of each system

  • Each entity must ensure the eligibility and suitability of its personnel who have access to Australian Government resources (people, information and assets).

    Entities must use the Australian Government Security Vetting Agency (AGSVA) to conduct vetting, or where authorised, conduct security vetting in a manner consistent with the Personnel Security Vetting Standards.

  • Each entity must assess and manage the ongoing suitability of its personnel and share relevant information of security concern, where appropriate

  • Each entity must ensure that separating personnel:

    1. have their access to Australian Government resources withdrawn
    2. are informed of any ongoing security obligations.
  • Each entity must implement physical security measures that minimise or remove the risk of:

    1. harm to people, and
    2. information and physical asset resources being made inoperable or inaccessible, or being accessed, used or removed without proper authorisation.
  • Each entity must:

    1. ensure it fully integrates protective security in the process of planning, selecting, designing and modifying its facilities for the protection of people, information and physical assets
    2. in areas where sensitive or security classified information and assets are used, transmitted, stored or discussed, certify its facility’s physical security zones in accordance with the applicable ASIO Technical notes, and
    3. accredit its security zones.
  • Entities must prevent installation and remove existing instances of the TikTok application on government devices, unless a legitimate business reason exists which necessitates the installation or ongoing presence of the application

Was this information helpful?

Do not include any personal information. We are unable to respond to comments or feedback. If you would like a response, please email, or phone us. Our details are on the AGA contact page