Australian Government Architecture
Search

Type

Policy

Reference

Mandate

Endorsed

Status

Core

Responsible agency

Department of Home Affairs

Protective Security Policy Framework (PSPF)

Direct link: protectivesecurity.gov.au 
Responsible agency: Department of Home Affairs 
Last updated: November 2024 

The PSPF sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally. Application of the PSPF assures government that entities are implementing sound and responsible protective security practices and identifying and mitigating security risks and vulnerabilities. 

The PSPF comprises five tiers: 

  • Principles – apply to all aspects of protective security. 
  • Protective security domains – define interconnected subject areas. 
  • Policy – detail requirements that entities must apply. 
  • Standards and Technical Manuals – detail additional mandatory requirements for specific areas of the PSPF. These include manuals maintained by Technical Authority Entities. 
  • Guidelines – provide advice and examples to assist entities in implementing the requirements and standards. 

The principles are applied through compliance with the mandatory requirements and standards in the following domains: 

  • Governance – security planning, roles, training and reporting. 
  • Risk – enterprise risk management and third-party risk management. 
  • Information – classification systems, information handling and data security. 
  • Technology – cyber security. 
  • Personnel – security vetting suitability assessments, access and separation.  
  • Physical – security zoning requirements and site selection. 

These domains are not mutually exclusive – each connects with, and impacts, the other. Entities must manage security within a framework of coordinated planning across these domains. 

The PSPF is reviewed annually to ensure it reflects the current threat environment. Entities are consulted on proposed updates via the Government Security Committee. Updates culminate in an annual release. 

Applicability 

Non-corporate Commonwealth entities that are subject to the Public Governance, Performance and Accountability Act 2013 must apply the PSPF (to the extent consistent with legislation). 

The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act. 

Non-government organisations that access security classified information may need to enter into a deed or agreement to apply relevant parts of the PSPF to that information. 

State and territory government agencies that hold or access Australian Government security classified information apply the PSPF to that information, consistent with arrangements agreed between the Commonwealth, states and territories. 

Access the policy 

The Protective Security Policy Framework website hosts the PSPF Annual Release (full text). 

Policy requirements 

The PSPF policy suite includes mandatory requirements in each domain that entities must implement to achieve minimum protective security standards. These requirements are listed at PSPF Release 2024 – List of Requirements

Was this information helpful?

Do not include any personal information. We are unable to respond to comments or feedback. If you would like a response, please email, or phone us. Our details are on the AGA contact page www.architecture.digital.gov.au/contact-us.