PSPF – The Australian Government’s Protective Security Policy Framework 

Australian Government agencies need to be compliant with the PSPF.

Your CEO needs to report to the portfolio minister at the end of each financial year. He or she signs off as to  whether the agency meets the requirements of the PSPF. The report is also copied to the Auditor-General and the Secretary of the Attorney-General’s Department. If there are gaps, it is also made available to ACSC and ASIO.

Many state and territory agencies and private sector organisations, like those that are a part of the DISP are also adopting the PSPF or the Defence version (DSPF). If this is you, the reporting requirements will be different, but the work to become compliant is very similar.

As agencies become more sophisticated, they will require similar standards of organisations that they are dependent on. Service providers for government will need to become PSPF aware to win contracts and tenders.

We can help your agency work out what it needs to do to comply because our people developed the PSPF.

Alex Webling was the Head of Protective Security in the Attorney-General’s Department and was responsible for bringing about this major change in the way that the Australian Government does security. He understands how the PSPF is meant to be implemented and can help your organisation undertake a pain free adoption!

We’re here to help. Since 2012, we’ve been helping agencies including Australian Intelligence Community members to assess their compliance with the PSPF. Contact us, we’re always happy for a chat.

Why did the government change?

Previous protective security requirements were based on a compliance model. If an agency was compliant with the PSM, it was ok. The problem was that there were increasing numbers of agencies which were compliant but not secure.

This approach was not fit for the purpose of protecting the diverse range of government service agencies in an information rich 21st Century environment. The PSM did not allow for sufficient flexibility in handling unclassified but sensitive material, such as commercial and private information. It also didn’t recognise how some agencies need to work to engage with their clientele.

Resilience Outcomes’ work on the PSPF changed the game. It requires agency heads to take a risk managed perspective to their security because they are the risk owners. This is the same approach to that taken in the financial management of agencies.

The PSPF also addresses new challenges posed by information technology and importantly additional risks from the aggregation of data. It allows more flexibility in how organisations develop their protective security, but at the same time puts more responsibility on agency heads to get it right.

Only some agencies need to do this don’t they?

Non-corporate Commonwealth entities must apply the PSPF as it relates to their risk environment. It represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies. The PSPF is also considered better practice for state and territory agencies. More information is available at 

The Australian Government is also requiring its agencies to ensure that stakeholders accessing national security classified information apply the PSPF. This includes state/ territory government agencies such as police and premiers’ departments.

Directive on the Security of Government Business.

The directive is issued by the Attorney-General on behalf of the Executive Government. In 2018, the former Attorney-General Christian Porter MP updated the Directive on the Security of Government Business. The directive requires agency heads to identify their level of risk tolerance, meet the mandatory requirements of the PSPF, and develop an appropriate security culture to ensure the agency meets these requirements.

The PSPF consists of:

Five principles that apply to every area of security. These are fundamental values that represent what is desirable for all entities – security principles guide decision making.

  • Security is everyone’s responsibility. Developing and fostering a positive security culture is critical to security outcomes.
  • Security enables the business of government. It supports the efficient and effective delivery of services.
  • Security measures applied proportionately protect entities’ people, information and assets in line with their assessed risks.
  • Accountable authorities own the security risks of their entity and the entity’s impact on shared risks.
  • A cycle of action, evaluation and learning is evident in response to security incidents.

The PSPF structure comprises:

Four outcomes that outline the desired end-state results the Government aims to achieve. The protective security outcomes relate to security governance, information security, personnel security and physical security.

Sixteen core requirements that articulate what entities must do to achieve the government’s desired protective security outcomes.

Most core requirements have a number of supporting requirements that are intended to facilitate a standardised approach to implementing security across government.

Guidance that provides advice on how PSPF core and supporting requirements can be effectively implemented.

More information –

Resilience Outcomes Australia is a member of the Defence Industry Security Program (DISP)


In 2010, the Attorney-General, Robert McClelland MP released the first directive on the security of (Australian) government business.

In 2012, an updated directive was issued by Attorney-General Nicola Roxon MP

In 2018, the former Attorney-General Christian Porter MP reissued the Directive on the Security of Government Business with an updated PSPF.

The PSPF replaced the 2007 Protective Security Manual (PSM) which had become outdated.

Tags: PSPF, Government, Protective Security Policy, Governance

Back To Top