Australian Government - Attorney-General's Department

Security Policy

Achieving a Just and Secure Society

The Protective Security Policy Framework (PSPF)

The PSPF has been developed to assist Australian Government entities to protect their people, information and assets, at home and overseas.

The PSPF provides policy, guidance and better practice advice for governance, personnel, physical and information security. The 36 mandatory requirements assist Agency Heads to identify their responsibilities to manage security risks to their people, information and assets.

Non-corporate Commonwealth entities are required to apply the PSPF as it relates to their risk environment. It is best practice to do this through a security risk management approach, with a focus on fostering a positive culture of security within the entity and across the Australian Government.

Each individual Commonwealth entity is in the best position to assess their own risk environment and apply relevant and proportionate security controls in support of Australian Government resources.

The PSPF document map is designed to assist users of the PSPF to understand the relationships between protocols, guidelines and better practice guides that support the PSPF governance arrangements and core policies.

Latest news

PSPF 2016-2017 Compliance Report

As a policy of the Australian Government, non-corporate Commonwealth entities must apply the PSPF to the extent of their enabling legislation. Entities are required to undertake an annual self-assessment of their PSPF compliance, then report on their security posture and measures taken to address identified key risks.

All non-corporate Commonwealth entities submitted a PSPF compliance report for 2016–17. The consolidated PSPF 2016-17 compliance report provides an overview of the implementation of the 36 mandatory requirements for that period. While few entities are fully compliant with all of the PSPF, the government's security posture is still broadly sound—on average, non-corporate Commonwealth entities fully comply with a significant proportion of requirements.

PSPF commencement date

Reforms to the PSPF will come into effect on 1 October 2018, instead of 1 July as previously advised.

  • Entities will also have longer to transition for some reforms (e.g. reforms to classification of information have an extended implementation period until October 2020).

The reforms will introduce a new principles-based policy architecture, separating mandatory requirements and guidance material. This is intended to better support the achievement of risk-based security outcomes. The new policy framework will not fundamentally change entities' responsibilities to protect their people, information and assets.

The new 1 October 2018 commencement of the reformed PSPF provides entities with more time to consider the implications of the reforms for their security risk environment, and assess any necessary changes to current entity practice and procedure. The Attorney-General's Department will support implementation across affected entities with communication and training materials. The department will hold a number of information sessions for Australian Government security personnel in September and October 2018. When dates and venues are confirmed, details will be available on the Protective Security Policy GovDex 'Events' page.

Contact the PSPF Team via email at or by phone on +61 2 6141 3600, if you have any queries

PSPF reforms

The Attorney-General's Department, in consultation with stakeholder entities, reviewed the PSPF in 2016 in response to recommendations from the Independent Review of Whole-of-Government Internal Regulation.

In May 2017, the proposed suite of PSPF reforms was endorsed by the Secretaries Board.

For Australian Government security personnel, the draft policy requirements and supporting guidance are available on the Protective Security Policy GovDex page.

Contact the PSPF team on +61 2 6141 3600 or if you have any queries.