PSPF Release 2025
The Australian Government's minimum protective security standards for the secure delivery of government business, domestically and internationally
About the PSPF
The Protective Security Policy Framework (PSPF) sets out Australian Government policy across six security domains and prescribes what Australian Government entities must do to protect their people, information and resources, both domestically and internationally.
Applicability
The Directive on the Security of Government Business establishes the PSPF as Australian Government policy. Non-corporate Commonwealth entities must apply the PSPF in accordance with section 21 of the PGPA Act. The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies.
State and territory government agencies that hold or access Australian Government security classified information are required to apply the PSPF to regulate access to that information, in accordance with arrangements agreed between the Commonwealth, states and territories.
Structure
The PSPF comprises five tiers:
- Principles: apply to all aspects of protective security
- Protective security domains: define interconnected subject areas
- Policy: details requirements that entities must apply
- Standards and Technical Manuals: detail additional mandatory requirements for specific areas
- Guidelines: provide advice and examples to assist entities in implementing the requirements and standards
Six Domains
The principles are applied through compliance with the mandatory requirements and standards in the following domains:
- Governance (Part One)
- Risk (Part Two)
- Information (Part Three)
- Technology (Part Four)
- Personnel (Part Five)
- Physical (Part Six)
These domains are not mutually exclusive; each connects with, and impacts, the others. Entities must manage security within a framework of coordinated planning across these domains.
Contact: Email: PSPF@homeaffairs.gov.au | PSPF Hotline: (02) 5127 9999 | PSPF GovTEAMS community
Part One: Governance
Part One covers the governance lifecycle including whole-of-government protective security roles, entity protective security roles and responsibilities, security planning, incidents and training, and protective security reporting.
1. Whole of Government Protective Security Roles
1.1 Departments of State
Departments of State (DOS) are established by the Governor-General to conduct the core aspects of government operations, as detailed in the Department of Finance's Flipchart of Commonwealth entities and companies.
The Department of State supports portfolio entities to achieve and maintain an acceptable level of protective security through advice and guidance on government security.
1.2 Department of Home Affairs
In accordance with the Administrative Orders, the Department of Home Affairs is responsible for the administration of the PSPF, including managing and coordinating policy responses to systemic security risks to government.
The Secretary of the Department of Home Affairs may issue a Direction to Accountable Authorities to manage an unacceptable protective security risk to the Australian Government.
The Accountable Authority complies with all Protective Security Directions.
1.3 Technical Authority Entities
Technical Authority Entities (TAE) have additional accountabilities to provide domain-specific security advice, technical standards or intelligence services in support of Australian Government protective security outcomes.
The Technical Authority Entity provides technical advice and guidance to support entities to achieve and maintain an acceptable level of protective security.
1.4 Shared Service Provider Entities
Shared Service Provider Entities (SSPE) are non-corporate Commonwealth entities that provide corporate or technical services to other entities under an agreement or arrangement. The Accountable Authority of the supported entity remains responsible for the overall security of their entity.
The Shared Service Provider Entity supplies security services that help relevant entities achieve and maintain an acceptable level of security.
The Shared Service Provider Entity develops, implements and maintains documented responsibilities and accountabilities for partnerships or security service arrangements with other entities.
1.5 Authorised Vetting Agencies
Security vetting is conducted to ensure personnel are eligible and suitable to access security classified government information and resources. These functions may only be performed by vetting agencies authorised to assess, process and grant security clearances (Baseline up to and including Positive Vetting).
1.6 Sponsoring Entities
Australian Government entities are authorised to sponsor Australian Government security clearances. The Australian Government may also authorise non-government organisations to sponsor security clearances. State and territory government agencies are also authorised to sponsor security clearances.
2. Entity Protective Security Roles and Responsibilities
2.1 Accountable Authority
The Accountable Authority of a Commonwealth entity is defined under section 12 of the PGPA Act as the person or group of persons responsible for, and with control over, the entity's operations. The Accountable Authority has overall responsibility for the protective security of their entity's people, information and resources.
- People: employees, contractors, secondees and any service provider
- Information: physical documents, electronic/digital data or intellectual information
- Resources: applications, technology systems, mobile devices, tangible assets, equipment, facilities, buildings and intangible assets
The Accountable Authority is answerable to their minister for the entity's protective security.
The Accountable Authority is responsible for managing the security risks of their entity.
2.2 Chief Security Officer
The Chief Security Officer (CSO) is a Senior Executive Service (SES) officer responsible for oversight of the entity's protective security arrangements. Where an entity has fewer than 100 employees, the Accountable Authority may appoint their CSO at the Executive Level 2 (EL2).
A Chief Security Officer is appointed and empowered to oversee the entity's protective security arrangements.
The Chief Security Officer is a Senior Executive Service officer and holds a minimum security clearance of Negative Vetting 1.
2.3 Chief Information Security Officer
The Chief Information Security Officer (CISO) is accountable to the Accountable Authority and supports the CSO by providing cyber security leadership for the entity and the entity's most critical technology resources.
A Chief Information Security Officer is appointed to oversee the entity's cyber security program and the cyber security for the entity's most critical technology resources.
The Chief Information Security Officer has the appropriate capability and experience and holds a minimum security clearance of Negative Vetting 1.
2.4 Security Practitioners
Security practitioners perform security functions or specialist services to support the CSO and CISO in the day-to-day functions of protective security.
Where appointed, security practitioners are appropriately skilled, empowered and resourced to perform their designated functions.
2.5 Security Governance
Under the Public Governance, Performance and Accountability Rule 2014, entities are required to have an audit committee to review systems of risk oversight and management.
The Accountable Authority approves security governance arrangements that are tailored to the entity's size, complexity and risk environment.
A dedicated security email address is established and monitored as the central conduit for distribution of protective security-related information across the entity.
3. Security Planning, Incidents and Training
3.1 Security Planning
Security planning is unified and holistic, as part of a security life cycle approach. Entity security plans address all domains of protective security and establish the strategic direction for efficient and effective security management.
Key Point: Each entity's security plan must include mandatory elements covering security goals, risk environment, risk tolerance, security capability, risk management strategies, PSPF implementation, critical people and resources, threat levels, incident management, monitoring and review.
A security plan is developed, implemented and maintained to address the mandatory elements of the plan.
The Accountable Authority approves the entity's security plan.
The security plan is considered annually and reviewed at least every two years to confirm its adequacy and ability to adapt to shifts in the entity's risk, threat or operating environment.
3.2 Security Practices and Procedures
Procedures are developed, implemented and maintained to ensure all elements of the entity's security plan are achieved.
3.3 Continuous Monitoring and Improvement
Develop, establish and implement security monitoring arrangements to identify the effectiveness of the entity's security plan and establish a continuous cycle of improvement.
3.4 Positive Security Culture
The Accountable Authority and Chief Security Officer develop, implement and maintain a program to foster a positive security culture in the entity and support the secure delivery of government business.
3.5 Security Awareness Training
Security awareness training is provided to personnel, including contractors, at engagement and annually thereafter.
Targeted security training is provided to personnel, including contractors, in specialist or high-risk positions.
3.6 Security Incidents
A security incident is defined as an action, whether deliberate, reckless, negligent or accidental, that fails to meet protective security requirements or entity-specific practices and procedures, and that results in, or may result in, the loss, damage, corruption or disclosure of official information or resources.
A significant security incident is generally serious or complex and is likely to have wide ranging and critical consequences for the entity and/or the Australian Government.
Procedures are developed, implemented and maintained to ensure security incidents are responded to and managed.
Significant or externally reportable security incidents and referral obligations are reported to the relevant authority (or authorities) within the applicable timeframe.
3.7 Security Investigations
Procedures are developed, implemented and maintained to investigate security incidents in accordance with the principles of the Australian Government Investigations Standards.
The principles of procedural fairness are applied to all security investigations, with due regard to national security considerations.
4. Protective Security Reporting
4.1 Security Reporting to Government
The Department of Home Affairs prepares two annual reports using the annual PSPF reporting data:
- PSPF Assessment Report: a consolidated report on the aggregated annual reporting data, published on the PSPF website for public transparency
- PSPF Classified Assessment Report: provides the Government with entity-specific results and identifies entities not meeting the requirements. This classified report is not made publicly available.
4.2 Annual Protective Security Report
The annual protective security report is provided to the entity's Minister.
The annual protective security report is submitted to the Department of Home Affairs.
The Accountable Authority approves the entity's annual protective security report and confirms that they have verified the report's content.
The annual Cyber Security Survey is submitted to the Australian Signals Directorate.
Part Two: Risk
Part Two covers the risk lifecycle including security risk management, third party risk management, countering foreign interference and espionage, and contingency planning.
5. Security Risk Management
Overall accountability for security risk management rests with the Accountable Authority. Security risks form part of the entity's enterprise risk management framework.
5.1 Security Risk Tolerance
Risk tolerance is an informed decision by the Accountable Authority to accept a certain level of risk. It is highly dependent on the entity's unique context and the Accountable Authority's judgement.
The Accountable Authority determines their entity's tolerance for security risks and documents it in the security plan.
5.2 Security Risk Management Process
A risk steward (or manager) is identified for each security risk or category of security risk, including shared risks.
The Accountable Authority considers the impact that their security risk management decisions could potentially have on other entities, and shares information on risks where appropriate.
6. Third Party Risk Management
6.1 Procurement, Outsourcing and Contract Management
The Commonwealth Procurement Rules govern how entities procure goods and services. When an entity outsources the provision of goods or services, accountability for the goods or service and associated delivery outcomes remains with the entity.
An unacceptable level of risk is when the identified security risks cannot be mitigated to a reasonable or acceptable level, or the security risks to the Australian Government are too great. In these circumstances, entities must seek alternative procurement arrangements.
The entity is accountable for the management of security risks arising from procuring goods and services and ensures procurement and contract decisions do not expose the entity or the Australian Government to an unacceptable level of risk.
Procurement, contracts and third-party outsourced arrangements contain proportionate security terms and conditions.
6.1.3 Foreign Ownership, Control or Influence in Procurement
Australian Government entities that enter into commercial arrangements with organisations operating under Foreign Ownership, Control or Influence (FOCI) are at increased risk of foreign interference and espionage.
Procurement and contract decisions consider the security risks before engaging providers operating under foreign ownership, control or influence.
6.2 Third Party Risk Management Lifecycle
Security risks arising from contractual arrangements for the provision of goods and services are managed, reassessed and adjusted over the life of a contract.
Secure and verifiable third-party vendors, providers, partners and associated services are used unless business operations require otherwise, in which case the residual risks are managed and approved by the Chief Information Security Officer.
7. Countering Foreign Interference and Espionage
Left unchecked, foreign interference can have a corrosive effect on our national security. It can weaken our free and open system of government, our social cohesion and our economic prosperity.
7.1 Recognising Foreign Interference and Espionage
Espionage is the theft of information or capabilities by someone acting on behalf of, or intending to provide information to, a foreign power that will prejudice Australia's national security.
Foreign interference involves activities carried out by, or on behalf of, a foreign power that are clandestine or deceptive and detrimental to Australia's interests. It is not the same as foreign influence, which is open and transparent.
Entities manage the security risks associated with engaging with foreign partners.
7.1.4 International Travel
International travel (both personal and official) carries heightened risks for government personnel. Personnel may be targeted by foreign actors during travel to obtain information or as part of cultivation operations.
7.1.5 Protecting Personal Information
Key Point: Government employees who post details of clearance levels, position titles, projects and specialised systems on social media could make themselves a more attractive target for foreign actors.
Personnel do not publicise their security clearance level on social media platforms, including employment-focused platforms such as LinkedIn.
7.3 Insider Threat Programs
Insider threat is when an insider intentionally or unintentionally uses their access to conduct activities that could cause harm or negatively affect an entity or its operations.
An insider threat program is implemented by entities that manage Baseline to Positive Vetting security clearance subjects, to manage the risk of insider threat in the entity.
8. Contingency Planning
8.1 Exceptional Circumstances
Exceptional circumstances are situations beyond the entity's control that are not routine in nature, not enduring, and are unforeseen, unavoidable or unexpected (e.g. natural disasters, emergency situations).
Where exceptional circumstances prevent or affect an entity's capability to implement a PSPF requirement or standard, the Accountable Authority may vary application, for a limited period of time, consistent with the entity's risk tolerance.
8.3 Business Continuity Planning
A business continuity plan is developed, implemented and maintained to respond effectively and minimise the impacts of significant business disruptions to the entity's critical services and assets.
8.4 Emergency Management
Plans for managing a broad range of emergencies are integrated within the business continuity plan.
Personnel who are likely to be impacted are notified if there is a heightened risk of an emergency.
Part Three: Information
Part Three covers the information lifecycle including classifications and caveats, information holdings, information disposal, and information sharing.
9. Classifications and Caveats
All official information requires an appropriate degree of protection. Australian Government entities are required to maintain the confidentiality, integrity and availability of official information.
9.2 Security Classifications
The Australian Government uses four security classifications:
| Classification | Business Impact | Expected Level of Damage |
|---|---|---|
| TOP SECRET | Level 5 (Catastrophic) | Exceptionally grave damage to the national interest, organisations or individuals |
| SECRET | Level 4 (Extreme) | Serious damage to the national interest, organisations or individuals |
| PROTECTED | Level 3 (High) | Damage to the national interest, organisations or individuals |
| OFFICIAL: Sensitive | Level 2 (Low to medium) | Limited damage to an individual, organisation or government generally |
| OFFICIAL | Level 1 (Low) | No or insignificant damage. Majority of routine information |
The value, importance or sensitivity of official information is assessed by the originator by considering the potential damage that would arise if the information's confidentiality were compromised.
The security classification is set at the lowest reasonable level.
Security classified information is clearly marked with the applicable security classification.
9.3 Minimum Protections and Handling Requirements
The minimum protections and handling requirements are applied to protect OFFICIAL and security classified information.
Access Control by Classification
| Classification | Minimum Clearance | Need-to-Know |
|---|---|---|
| TOP SECRET | NV2 | Yes |
| SECRET | NV1 | Yes |
| PROTECTED | Baseline | Yes |
| OFFICIAL: Sensitive | Nil (employment screening) | Yes |
| OFFICIAL | Nil (employment screening) | Recommended |
10-12. Information Holdings, Disposal and Sharing
10. Information Holdings
Entities must maintain information asset registers to identify and manage aggregated information holdings that may require a higher level of protection than the individual components.
11. Information Disposal
Information disposal must follow classification-appropriate destruction methods. TOP SECRET requires Class A shredder or ASIO-T4 approved destruction, supervised and documented. SECRET requires Class A shredder or ASIO-T4. PROTECTED requires Class B shredder or ASIO-T4.
12. Information Sharing
The need-to-know principle applies to all security classified information. Domestic information sharing between entities must be governed by appropriate agreements.
International Sharing: Australian Government security classified information and assets must not be shared with a foreign entity unless explicit legislative provisions, international agreements or arrangements for protection are in place.
Part Four: Technology
Part Four covers the technology lifecycle including technology lifecycle management, cyber security strategies, and cyber security programs.
13. Technology Lifecycle Management
13.3 Technology System Authorisation
Technology systems processing, storing or communicating security classified information must be assessed and authorised by the relevant authority before use. The authorisation framework includes the Infosec Registered Assessors Program (IRAP).
13.5 Social Media Applications
The use of social media applications on government systems introduces security risks. Entities must assess and manage these risks in accordance with the Information Security Manual.
13.6 TikTok Application
TikTok Ban: The TikTok application must not be installed or maintained on any Australian Government-issued device. Entities must prevent installation through mobile device management controls.
13.10 Innovative Technologies
Innovative technologies include artificial intelligence, quantum computing and other emerging technologies. Entities must assess and manage the security risks associated with the use of innovative technologies, particularly where they process, store or communicate security classified information.
14. Cyber Security Strategies
14.2 Essential Eight Strategies
The ASD Essential Eight Maturity Model provides eight mitigation strategies to assist entities in protecting their systems against a range of cyber threats. All entities must implement the Essential Eight strategies.
| Strategy | Purpose |
|---|---|
| Application control | Prevent execution of unapproved applications |
| Patch applications | Remediate known security vulnerabilities in applications |
| Configure Microsoft Office macro settings | Block untrusted macros |
| User application hardening | Reduce attack surface of applications |
| Restrict administrative privileges | Limit access to operating systems and applications |
| Patch operating systems | Remediate known security vulnerabilities in operating systems |
| Multi-factor authentication | Provide additional verification of user identity |
| Regular backups | Maintain availability of critical data |
15. Cyber Security Programs
Whole of government cyber security services are coordinated by the Australian Signals Directorate's Australian Cyber Security Centre (ACSC). Key programs include Secure Cloud, Gateway Security, Vulnerability Disclosure Programs, and the Cyber Security Partnership Program.
15.7 Systems of Government Significance
A System of Government Significance (SOGS) is a technology system or capability of national importance whose compromise, disruption or destruction would have a significant impact on the delivery of government services or national security.
Part Five: Personnel
Part Five covers the personnel lifecycle including pre-employment eligibility, access to resources, security clearances, the vetting process, Australian officials and office holders, maintenance and ongoing assessment, and separation.
16. Pre-Employment Eligibility
Pre-employment screening verifies a person's identity, qualifications, professional memberships and employment history to confirm they are eligible and suitable for engagement before commencing duties.
Pre-employment screening is conducted for all personnel, including contractors.
17. Access to Resources
17.1 Temporary Access
Temporary access may be granted in situations where an individual requires access to security classified information or resources but does not hold an appropriate security clearance. Temporary access must be time-limited and risk-assessed.
17.3 Remote Access
Remote access to security classified information introduces additional security risks. Working remotely in Australia requires risk assessment and appropriate security controls. Working remotely outside Australia (international) requires additional scrutiny.
18. Security Clearances
18.1 Security Clearance Levels
| Clearance Level | Access | Validity |
|---|---|---|
| Baseline | PROTECTED | 15 years |
| NV1 (Negative Vetting 1) | SECRET | 10 years |
| NV2 (Negative Vetting 2) | TOP SECRET | 7 years |
| PV (Positive Vetting) | Codeword and specially controlled information | 5 years |
18.4 Sponsoring Security Clearances
A security clearance can only be initiated through sponsorship by an entity authorised to sponsor security clearances. The sponsoring entity must have a legitimate operational need for the individual to access security classified information.
18.5 Eligibility for a Security Clearance
Eligibility: An individual must be an Australian citizen and have a checkable background to be eligible for a security clearance at any level.
18.6 Eligibility Waivers
In exceptional circumstances, a citizenship eligibility waiver may be granted where there is a demonstrated need in the national interest. The Accountable Authority must approve the waiver request.
18.7 Clearance Subject Responsibilities
Security clearance holders must comply with the entity's protective security practices and procedures, report any changes in personal circumstances, and complete security awareness training.
19. Personnel Security Vetting Process
19.2 Personnel Security Adjudicative Standard
The adjudicative standard sets criteria for assessing an individual's suitability to hold a security clearance. The criteria relate to loyalty to Australia, trustworthiness, maturity of judgement, honesty and integrity.
19.3 Minimum Personnel Security Checks
| Check | Baseline | NV1 | NV2 |
|---|---|---|---|
| Identity verification | Yes | Yes | Yes |
| National criminal history check | Yes | Yes | Yes |
| Financial assessment | Yes | Yes | Yes |
| ASIO assessment | Yes | Yes | Yes |
| Referee checks | No | Yes | Yes |
| Personal interview | No | No | Yes |
19.7 Procedural Fairness
The principles of procedural fairness require that individuals whose rights, interests or expectations are adversely affected by a vetting decision be informed of the case against them and given an opportunity to respond before an unbiased decision-maker.
19.8 Review of Decisions
Clearance subjects have the right to request a review of adverse vetting decisions through the Authorised Vetting Agency's internal review process and subsequently through the Security Division of the Administrative Appeals Tribunal.
20. Australian Officials and Office Holders
Certain Australian officials and office holders are exempt from requiring a security clearance due to the nature of their constitutional or statutory roles. This includes Members of Parliament and certain judicial officers. However, they remain subject to PSPF obligations when accessing security classified information.
21. Maintenance and Ongoing Assessment
21.1 Security Clearance Maintenance
Security clearance maintenance is a continuous process of assessing the ongoing suitability of individuals to hold a security clearance. Both Authorised Vetting Agencies and Sponsoring Entities have responsibilities.
21.4 Clearance Holder Maintenance Obligations
Clearance holders must report changes in personal circumstances including:
- Changes to financial circumstances (including bankruptcy, significant debt)
- Criminal charges or convictions
- Changes to relationships (marriage, divorce, new relationships with foreign nationals)
- Changes to citizenship or residency status
- Overseas travel (all international travel must be reported)
- Contact with foreign intelligence services
- Alcohol or substance abuse issues
21.5 Security Clearance Revalidation
Security clearances must be revalidated before expiry: Baseline every 15 years, NV1 every 10 years, NV2 every 7 years, and PV every 5 years.
22. Separation
When a clearance holder separates from an entity, debriefing procedures must be followed. The entity must withdraw access to all security classified information and resources, recover all security classified material, and notify the relevant Authorised Vetting Agency.
Post-separation, clearance holders retain residual security obligations regarding the protection of information they accessed during their employment.
Part Six: Physical
Part Six covers the physical lifecycle including physical security lifecycle, security zones, and physical security measures and controls.
23. Physical Security Lifecycle
The physical security lifecycle covers planning, designing, constructing or leasing, and operating entity facilities. Security must be considered at every stage, from initial planning through to ongoing operation and maintenance.
24. Security Zones
| Zone | Description | Max Classification |
|---|---|---|
| Zone 1 | Public areas: reception, foyers, publicly accessible spaces | OFFICIAL |
| Zone 2 | Internal working areas with access control | OFFICIAL: Sensitive |
| Zone 3 | Secured areas with enhanced access control | PROTECTED |
| Zone 4 | High security areas | SECRET |
| Zone 5 | Highest security areas: vault-type construction | TOP SECRET |
25. Physical Security Measures and Controls
Physical security measures and controls include authorised equipment and commercial services, security containers, cabinets and rooms, perimeter doors, locks and hardware, access control systems, security alarm systems, security guards, and technical surveillance countermeasures (TSCM).
Key Container Requirements
| Container Class | Stores Up To |
|---|---|
| Class A | TOP SECRET (Zone 5 only) |
| Class B | TOP SECRET (Zone 4/5), SECRET (Zone 3) |
| Class C | SECRET (Zone 4/5), PROTECTED (Zone 2/3) |
| Lockable container | OFFICIAL: Sensitive and OFFICIAL |
25.9 Technical Surveillance Countermeasures
Technical Surveillance Countermeasures (TSCM) are measures taken to detect, neutralise and exploit technical surveillance devices. TSCM inspections must be conducted by qualified personnel in Zone 4 and Zone 5 areas.
Important Resources
- PSPF Website: protectivesecurity.gov.au
- PSPF Contact: PSPF@homeaffairs.gov.au | PSPF Hotline: (02) 5127 9999
- AGSVA: agsva.gov.au | 1800 640 450
- ASD Cyber Security: cyber.gov.au | 1300 CYBER 1 (1300 292 371)
- National Security Hotline: 1800 123 400
- ASIO: asio.gov.au