What's new in Australian Government protective security policy?

18 November 2019

Policy rewrite – Sensitive and security classified information

PSPF Policy 8: Sensitive and classified information has been reviewed and updated to clarify the core and supporting requirements and ensure the guidance helps end-users to better understand their responsibilities. Policy 8 now provides clear minimum protections for information as part of the supporting requirements – protections that are fit for purpose and appropriate for government's increasing use of mobile devices and flexible workplace practices.

Updates focused on the use and storage of sensitive and classified information, particularly when outside the office (for example when travelling domestically or overseas, attending external meetings or for home-based work), and differentiating between physical information and information accessed via mobile devices. A summary of the protections required for each protective marking and classification is provided in new Annexes (A-E).

In addition, the guidance on information management markers that was previously in Policy 9: Access to information is now incorporated into Policy 8.

Go to the Sensitive and classified information page to read the revised policy. For more information on the changes, see the Summary of changes to PSPF policy 8.

12 November 2019

PSPF Compliance Report 2017-18

The 2017–18 PSPF consolidated compliance report is now available.

The consolidated PSPF compliance report provides an overview of the implementation of the 36 mandatory requirements under the PSPF in effect until 30 September 2018.

This is the last compliance report under the old PSPF.

Entities have now completed their reporting for the 2018-19 period. This year entities have reported on their security maturity using the new PSPF reporting portal. The 2018-19 reporting period has closed and the PSPF team have started analysing the data provided.

8 November 2019

Policy amendment – Access to information

PSPF Policy 9: Access to Information has been amended to allow entities to disclose sensitive information to a person outside government, with additional guidance provided to help entities identify circumstances that might indicate the need to use a written agreement to protect sensitive information (see amended Requirement 1). Minor amendments also clarify the guidance on access to caveated information and the list of Australian office holders who are not required to hold a security clearance.

Go to the Access to information page to read the revised policy.

Policy amendment – Safeguarding information from cyber threats

Policy 10: Safeguarding information has been amended to reflect recent changes to the Australian Government Information Management Manual (ISM) and the Essential Eight maturity model.

In particular:

  • the core requirement was amended to require entities to consider all of the strategies to mitigate cyber security incidents, while continuing to mandate the Top Four
  • we removed the supporting requirements that established specific controls to implement the Top Four, as these are specified in the ISM.

Entities are encouraged to seek technical advice from the Australian Cyber Security Centre (ACSC) and the ISM.

Go to the Safeguarding information from cyber threats page to read the revised policy.

1 May 2019

Policy amendment – Management structures and responsibilities

The Government Security Committee recommended the PSPF be amended to allow entities with fewer than 100 employees (classified as micro and extra small entities by the Australian Public Service Commission) to appoint their Chief Security Officer (CSO) at the EL2 level.

The amended policy requires that the EL2 officer report directly to the accountable authority on security matters and has both sufficient authority and capability to perform the responsibilities of the CSO role. The PSPF policy: Management structures and responsibilities has been updated to reflect this change. If you have any questions about this policy amendment, please contact the PSPF team.

New PSPF fact sheet and template

We have published a PSPF fact sheet on Significant security incidents [PDF]. This provides additional guidance on determining when a security incident is 'significant' enough to report to the Attorney-General's Department. A template to report [DOCX] a significant security incident has also been published to assist you with meeting the PSPF requirement 3 in policy: Management structures and responsibilities.

12 November 2018

The new email protective marking standard (EPMS) has been released. The EPMS is Annex B to PSPF policy 8: Sensitive and classified information.

The EPMS will help ensure all Australian Government entities use a standardised format for protective markings on emails exchanged both in and between entities. Applying a standard format for protective markings supports processes and systems, such as an entity's email gateway, to control the flow of information into and out of the entity. For message recipients it also identifies what handling protections are needed to safeguard the information. For more information see the new EPMS and the Security classification reforms fact sheet.

1 October 2018

It's here! The new Protective Security Policy Framework (PSPF) commenced on 1 October 2018 to assist Australian Government entities to protect their people, information and assets, at home and overseas. These significant reforms will improve clarity, reduce unnecessary 'red tape' and foster a strengthened security culture across government agencies.

The reforms address findings from the 2015 Independent Review of Whole-of-Government Internal Regulation and ensure the PSPF keeps pace with international best practice by:

  • building and maintaining a strong security culture that effectively engages with risk
  • addressing the threat of the malicious insider through improved personnel security, and
  • increasing the cyber security of government networks and information.

The reforms were developed by the Attorney-General's Department in consultation with stakeholders across government and will apply to all non-corporate Commonwealth entities from today. Corporate Commonwealth entities and Commonwealth companies are encouraged to adopt the policy as best practice.

The PSPF is a living document and may be updated to reflect new and emerging issues, developments in protective security best practice and changes in Government policy. Significant changes will be noted on this page.