Protective Security Policy Framework (PSPF) Release 2025: Summary Guide

Overview

The Protective Security Policy Framework (PSPF) sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally.


Key Principles

The PSPF is built on fundamental principles that apply to all aspects of protective security:

  • Risk-based approach - Security measures proportional to assessed risks
  • Continuous improvement - Ongoing monitoring and enhancement of security posture
  • Shared responsibility - Security is everyone's responsibility
  • Outcome-focused - Emphasis on achieving security objectives rather than tick-box compliance
  • Flexibility - Ability to adapt to unique entity contexts and emerging threats

Six Security Domains

1. Governance (Part One)

Purpose: Establish clear accountability and oversight for protective security across government.

Key Requirements:

  • Chief Security Officer (CSO) - Senior Executive Service (SES) officer responsible for oversight of protective security
  • Chief Information Security Officer (CISO) - Accountable for cyber security strategy and implementation
  • Security Planning - Comprehensive security plans addressing all domains
  • Security Incident Management - Procedures for detecting, reporting and responding to security incidents
  • Annual Reporting - Compliance reporting to ministers and Department of Home Affairs

Critical Focus: The Accountable Authority has overall responsibility for protective security and must ensure effective arrangements are in place.


2. Risk (Part Two)

Purpose: Identify, assess and manage security risks across all government operations.

Key Requirements:

  • Security Risk Tolerance - Accountable Authority determines acceptable risk levels
  • Third Party Risk Management - Robust assessment of suppliers, contractors and service providers
  • Foreign Ownership, Control or Influence (FOCI) - Due diligence when engaging providers operating under FOCI
  • Countering Foreign Interference - Measures to identify and mitigate espionage and foreign interference threats
  • Insider Threat Programs - Proactive identification and management of insider risks
  • Business Continuity Planning - Arrangements to maintain critical operations during disruptions

Critical Focus: All entities must consider how their security risk decisions impact other entities and whole of government security.


3. Information (Part Three)

Purpose: Protect the confidentiality, integrity and availability of government information.

Key Security Classifications:

  • OFFICIAL - Routine government information; the baseline marking for all official information
  • OFFICIAL: Sensitive - Information whose compromise could cause limited damage; a dissemination limiting marker rather than a security classification, but requiring additional protection
  • PROTECTED - Information whose compromise could cause damage to the national interest, organisations or individuals
  • SECRET - Information whose compromise could cause serious damage to the national interest, organisations or individuals
  • TOP SECRET - Information whose compromise could cause exceptionally grave damage to the national interest, organisations or individuals

Key Requirements:

  • Minimum Protections and Handling Requirements - Detailed controls for each classification level
  • Information Sharing - Need-to-know principle and appropriate agreements for sharing
  • Security Caveats - Additional protections for compartmented information
  • Information Disposal - Secure destruction in accordance with approved methods
  • Email Protective Marking Standard - Standardised format for protective markings

Critical Focus: Information must be classified at the lowest reasonable level, with appropriate protections applied throughout its lifecycle.
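As an added example (not text or code from the PSPF or the Department of Home Affairs), the following Python parses an X-Protective-Marking header of the kind the Email Protective Marking Standard (EPMS) prescribes and checks it against the highest classification a gateway or system is authorised to carry. The field names (VER, NS, SEC, CAVEAT, EXPIRES, DOWNTO, ACCESS, NOTE, ORIGIN) and the SEC tokens follow EPMS 2018.x; the fixed field order, the ACCESS values listed, and the rule that DOWNTO must be lower than SEC are assumptions to confirm against the current standard. The sample headers and addresses are constructed for the example.

```python
"""Parse and validate an EPMS-style X-Protective-Marking header, then decide
whether a system authorised up to a given classification may carry the message.

Added example, not part of the PSPF. Field names and SEC tokens follow EPMS
2018.x; field order, the ACCESS subset and the DOWNTO rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Classification hierarchy, lowest to highest, in EPMS SEC-token spelling.
CLASSIFICATIONS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive",
                   "PROTECTED", "SECRET", "TOP-SECRET"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}

# Permitted fields in the order the standard prescribes (assumed here).
FIELD_ORDER = ["VER", "NS", "SEC", "CAVEAT", "EXPIRES", "DOWNTO",
               "ACCESS", "NOTE", "ORIGIN"]
MANDATORY = {"VER", "NS", "SEC", "ORIGIN"}
# Information management markers; illustrative subset (assumption).
ACCESS_VALUES = {"Personal-Privacy", "Legal-Privilege", "Legislative-Secrecy"}


@dataclass
class Marking:
    fields: Dict[str, str]
    errors: List[str] = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors

    @property
    def classification(self) -> str:
        return self.fields.get("SEC", "")


def parse_marking(header_value: str) -> Marking:
    """Parse 'KEY=value, KEY=value' into a Marking, recording every violation."""
    fields: Dict[str, str] = {}
    errors: List[str] = []
    seen_order: List[str] = []
    for raw in header_value.split(","):
        token = raw.strip()
        if not token:
            continue
        if "=" not in token:
            errors.append(f"malformed token: {token!r}")
            continue
        key, value = (part.strip() for part in token.split("=", 1))
        if key not in FIELD_ORDER:
            errors.append(f"unknown field: {key}")
            continue
        if key in fields:
            errors.append(f"duplicate field: {key}")
            continue
        fields[key] = value
        seen_order.append(key)

    # Fields that are present must appear in the prescribed order.
    expected = [k for k in FIELD_ORDER if k in fields]
    if seen_order != expected:
        errors.append(f"fields out of order: {seen_order}")
    for key in MANDATORY:
        if key not in fields:
            errors.append(f"missing mandatory field: {key}")
    if "NS" in fields and fields["NS"] != "gov.au":
        errors.append(f"unexpected namespace: {fields['NS']}")
    sec = fields.get("SEC")
    if sec is not None and sec not in RANK:
        errors.append(f"unknown classification: {sec}")
    downto = fields.get("DOWNTO")
    if downto is not None:
        if downto not in RANK:
            errors.append(f"unknown DOWNTO classification: {downto}")
        elif sec in RANK and RANK[downto] >= RANK[sec]:
            errors.append("DOWNTO must be lower than SEC")
    access = fields.get("ACCESS")
    if access is not None and access not in ACCESS_VALUES:
        errors.append(f"unknown ACCESS marker: {access}")
    origin = fields.get("ORIGIN")
    if origin is not None and "@" not in origin:
        errors.append(f"ORIGIN is not an email address: {origin}")
    return Marking(fields, errors)


def gateway_decision(header_value: str, authorised_up_to: str) -> str:
    """ACCEPT only a well-formed marking whose SEC is within the authorised level."""
    marking = parse_marking(header_value)
    if not marking.valid:
        return "REJECT: " + "; ".join(marking.errors)
    if RANK[marking.classification] > RANK[authorised_up_to]:
        return (f"REJECT: {marking.classification} exceeds authorised level "
                f"{authorised_up_to}")
    return "ACCEPT"


# Constructed sample headers for this example; not real traffic.
SAMPLES = {
    "ok": "VER=2018.4, NS=gov.au, SEC=OFFICIAL:Sensitive, "
          "ACCESS=Personal-Privacy, ORIGIN=alice@example.gov.au",
    "too_high": "VER=2018.4, NS=gov.au, SEC=SECRET, ORIGIN=bob@example.gov.au",
    "no_origin": "VER=2018.4, NS=gov.au, SEC=PROTECTED",
    "bad_order": "VER=2018.4, SEC=PROTECTED, NS=gov.au, ORIGIN=carol@example.gov.au",
}

if __name__ == "__main__":
    for name, header in SAMPLES.items():
        print(f"{name:10} -> {gateway_decision(header, 'PROTECTED')}")
```

The decision function is deliberately fail-closed: a message whose marking is missing, malformed or out of order is rejected rather than treated as OFFICIAL, because an unparseable marking gives no basis for applying the minimum protections the classification demands.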


4. Technology (Part Four)

Purpose: Secure technology systems and protect against cyber threats.

Key Requirements:

  • Information Security Manual (ISM) - ASD's ISM controls applied using a risk-based approach
  • Essential Eight - Implementation to Maturity Level Two minimum, covering all eight strategies:
    • Patch applications
    • Patch operating systems
    • Multi-factor authentication
    • Restrict administrative privileges
    • Application control
    • Restrict Microsoft Office macros
    • User application hardening
    • Regular backups
  • Technology System Authorisation - All systems authorised before operational use
  • Cyber Security Strategy - Documented strategy and uplift plan aligned with Zero Trust principles
  • Gateway Security - Protection of connections between security domains
  • TikTok Restrictions - Prohibited on government devices unless legitimate business reason exists
  • Post-Quantum Cryptography - PQC algorithms required for new cryptographic equipment (from 1 July 2025)

Critical Focus: Cyber security is critical to government operations. The CISO must report cyber security risks to the Audit Committee and provide biannual progress updates on the cyber security strategy.


5. Personnel (Part Five)

Purpose: Ensure personnel are suitable to access government resources and information.

Key Security Clearance Levels:

  • Baseline - Access to PROTECTED information
  • Negative Vetting 1 (NV1) - Access to SECRET information
  • Negative Vetting 2 (NV2) - Access to TOP SECRET information
  • Positive Vetting (PV) - Access to TOP SECRET including caveated information (being replaced by TS-PA)
  • TOP SECRET-Privileged Access (TS-PA) - New standard replacing PV

Key Requirements:

  • Pre-Employment Screening - Identity and eligibility checks for all personnel
  • Security Clearances - Required for ongoing access to security classified information
  • Ongoing Assessment - Annual security checks and monitoring of clearance holders
  • Clearance Maintenance - Regular revalidation and review for cause when concerns arise
  • Separation Procedures - Debriefing and withdrawal of access when personnel leave

Critical Focus: Security vetting establishes eligibility and suitability at a point in time. Ongoing assessment and maintenance are essential to manage insider threat risks.


6. Physical (Part Six)

Purpose: Protect people, information and resources through physical security measures.

Security Zones:

  • Zone One - Public areas with unrestricted access
  • Zone Two - Entity office areas with restricted public access
  • Zone Three - Restricted office areas, no public access
  • Zone Four - Restricted areas requiring appropriate security clearance
  • Zone Five - Highly restricted areas with dual-factor authentication

Key Requirements:

  • Facility Security Planning - Risk assessment and security plan for all facilities
  • Security Zone Certification - Zones certified and accredited before operational use
  • Physical Security Measures - Appropriate controls including:
    • SCEC-approved security containers for classified information
    • Access control systems with appropriate authentication
    • Security alarm systems (Type 1A required for Zones 4-5)
    • Security guards and patrols
    • Technical surveillance countermeasures (TSCM)
  • Perimeter Security - Appropriate doors, locks and hardware for each zone

Critical Focus: Physical security must be integrated throughout the facility lifecycle - from planning and design through to operation and retirement.


New and Updated Requirements (2025 Release)

Effective 31 October 2024

  • Enhanced security governance arrangements
  • Strengthened third-party risk management
  • Updated minimum protections and handling requirements
  • Refined security clearance processes

Effective 1 July 2025

  • Chief Information Security Officer - Formal appointment and accountability requirements
  • Technology Asset Stocktake - Visibility of internet-facing systems and services
  • Post-Quantum Cryptography - PQC algorithms for new cryptographic equipment
  • Cyber Security Partnership Program - Mandatory participation
  • Cyber Threat Intelligence Sharing - Connection to ASD's CTIS platform
  • Systems of Government Significance - Enhanced protection for declared SoGS
  • Hosting Certification Framework - Certified providers required for classified information
  • Gateway Security Standard - Gateways or Security Service Edges required
  • Updated OFFICIAL: Sensitive sharing - Clarified requirements for sharing with non-government stakeholders

Critical Obligations

For All Entities

  1. Comply with Protective Security Directions issued by the Secretary of the Department of Home Affairs
  2. Appoint CSO and CISO with appropriate authority and clearances
  3. Develop and maintain security plans addressing all six domains
  4. Report security incidents to relevant authorities within applicable timeframes
  5. Complete annual PSPF reporting to minister and Department of Home Affairs
  6. Implement Essential Eight to Maturity Level Two minimum
  7. Conduct pre-employment screening for all personnel
  8. Apply minimum protections to all official and security classified information
  9. Certify and accredit Security Zones before operational use
  10. Foster positive security culture through awareness training and leadership

For Accountable Authorities

  • Overall responsibility for protective security
  • Determine security risk tolerance
  • Approve security plans and governance arrangements
  • Consider impact of risk decisions on other entities
  • Ensure compliance with PSPF requirements and standards

For Chief Security Officers

  • Oversight of protective security arrangements (except cyber security)
  • Develop security plans, procedures and practices
  • Manage security incidents and investigations
  • Foster positive security culture
  • Report to Accountable Authority on security matters

For Chief Information Security Officers

  • Oversight of cyber security program
  • Develop and maintain cyber security strategy
  • Implement ISM controls and Essential Eight
  • Report cyber security risks to Accountable Authority and Audit Committee
  • Manage cyber security incidents

Reporting Requirements

Annual PSPF Report

All entities must submit annual protective security reports to:

  • Their Minister - By December each year
  • Department of Home Affairs - Via PSPF Reporting Portal (for reports up to PROTECTED)

Reports must be approved by the Accountable Authority and cover compliance with PSPF requirements across all six domains.

Cyber Security Survey

All entities must complete ASD's annual Cyber Security Survey to inform the Commonwealth Cyber Security Posture Report to Parliament.

Security Incident Reporting

Externally reportable security incidents must be reported to relevant authorities within specified timeframes (see Section 3.6.3 of full PSPF for comprehensive list).


Key Changes from Previous Release

Structural Changes

  • Reorganised content for improved clarity and usability
  • Enhanced guidance on remote working arrangements
  • Updated protections for mobile devices and international travel
  • Expanded coverage of innovative technologies (AI, quantum computing, connected devices)

Policy Updates

  • Strengthened requirements for CISO role and reporting
  • Enhanced third-party risk management provisions
  • Updated security clearance maintenance obligations
  • New requirements for post-quantum cryptography
  • Mandatory participation in ASD cyber security programs
  • Clarified OFFICIAL: Sensitive sharing requirements

Technical Updates

  • Updated Essential Eight maturity requirements
  • Enhanced gateway security requirements
  • New technology asset stocktake requirements
  • Revised hosting certification framework
  • Updated ISM references and controls

Implementation Guidance

Getting Started

  1. Review current compliance - Assess gaps against PSPF requirements
  2. Prioritise actions - Focus on mandatory requirements and high-risk areas
  3. Develop implementation plan - Include timelines and resource allocation
  4. Engage stakeholders - Ensure CSO, CISO and senior leadership are aligned
  5. Monitor progress - Regular reviews and adjustments

Key Resources

  • PSPF Guidelines - Detailed implementation advice for each requirement
  • ASIO Technical Notes - Specifications for physical security measures (available on GovTEAMS)
  • ASD Information Security Manual - Comprehensive cyber security controls
  • Australian Government Personnel Security Adjudicative Standard - Vetting assessment criteria
  • Security Equipment Evaluated Product List - SCEC-approved security equipment (available on GovTEAMS)

Support Available

  • PSPF Contact: PSPF@homeaffairs.gov.au
  • PSPF Hotline: (02) 5127 9999
  • PSPF GovTEAMS Community - Collaboration platform for security practitioners
  • Technical Authority Entities - Domain-specific advice and guidance

Compliance and Assurance

Quality Assurance

The Department of Home Affairs may undertake quality assurance of annual protective security reports to review security maturity and support continuous improvement.

Security Exercises

Entities should conduct regular security exercises to test incident management plans and procedures, including:

  • Cyber security incident response
  • Physical security breaches
  • Insider threat scenarios
  • Business continuity activation

Continuous Improvement

Security maturity requires ongoing effort:

  • Regular security risk assessments
  • Annual review of security plans
  • Monitoring of emerging threats
  • Uplift activities to address identified gaps
  • Lessons learned from incidents and exercises

Contact and Further Information

Department of Home Affairs (PSPF Administration)

Additional Resources

  • PSPF Guidelines: Available on the protective security website
  • GovTEAMS Community: Collaboration platform for practitioners
  • Technical Authority Contacts: Listed in PSPF Guidelines

Summary

The PSPF Release 2025 represents the Australian Government's comprehensive approach to protective security. By implementing these requirements across the six security domains, entities can effectively protect their people, information and resources while maintaining the flexibility to adapt to their unique operating environments and emerging threats.

Remember: Security is everyone's responsibility. Effective protective security requires leadership commitment, adequate resourcing, positive security culture, and continuous improvement.


This summary provides an overview of key requirements. Entities must refer to the full PSPF Release 2025 and associated standards for detailed implementation requirements.

Last Updated: October 2025
Document Version: PSPF Release 2025