What's new in the Australian Government protective security policy?

1 May 2019

Policy amendment – Management structures and responsibilities

The Government Security Committee recommended the PSPF be amended to allow entities with fewer than 100 employees (classified as micro and extra small entities by the Australian Public Service Commission) to appoint their Chief Security Officer (CSO) at the EL2 level.

The amended policy requires that the EL2 officer report directly to the accountable authority on security matters and have both sufficient authority and capability to perform the responsibilities of the CSO role. The PSPF policy: Management structures and responsibilities has been updated to reflect this change. If you have any questions about this policy amendment, please contact the PSPF team.

New PSPF fact sheet and template

We have published a PSPF fact sheet on Significant security incidents [PDF]. This provides additional guidance on determining when a security incident is 'significant' enough to report to the Attorney-General's Department. A template to report [DOCX] a significant security incident has also been published to assist you with meeting PSPF requirement 3 in the policy: Management structures and responsibilities.

12 November 2018

The new email protective marking standard (EPMS) has been released. The EPMS is Annex B to the PSPF policy: 8 Sensitive and classified information.

The EPMS will help ensure all Australian Government entities use a standardised format for protective markings on emails exchanged both in and between entities. Applying a standard format for protective markings supports processes and systems, such as an entity's email gateway, to control the flow of information into and out of the entity. For message recipients it also identifies what handling protections are needed to safeguard the information. For more information see the new EPMS and the Security classification reforms fact sheet.

1 October 2018

It's here! The new Protective Security Policy Framework (PSPF) commenced on 1 October 2018 to assist Australian Government entities to protect their people, information and assets, at home and overseas. These significant reforms will improve clarity, reduce unnecessary 'red tape' and foster a strengthened security culture across government agencies.

The reforms address findings from the 2015 Independent Review of Whole-of-Government Internal Regulation and ensure the PSPF keeps pace with international best practice by:

  • building and maintaining a strong security culture that effectively engages with risk
  • addressing the threat of the malicious insider through improved personnel security, and
  • increasing the cyber security of government networks and information.

The reforms were developed by the Attorney-General's Department in consultation with stakeholders across government and will apply to all non-corporate Commonwealth entities from today. Corporate Commonwealth entities and Commonwealth companies are encouraged to adopt the policy as best practice.

The PSPF is a living document and may be updated to reflect new and emerging issues, developments in protective security best practice and changes in Government policy. Significant changes will be noted on this page.