PSPF annual reporting
The Directive on the Security of Government Business requires all non-corporate Commonwealth entities to apply the PSPF as it relates to their risk environment. The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies.
Under the PSPF, entities report on security each financial year to their portfolio minister and the Attorney-General's Department. This provides assurance to government that entities are implementing sound and responsible protective security practices, and that security risks and vulnerabilities are being identified and mitigated.
A new assessment model
As part of broader reforms to the PSPF made in October 2018, the PSPF adopts a security risk management approach. It focuses on fostering a positive culture of security within the entity and across the government. This is supported by the introduction of a maturity assessment model for annual reporting.
This model encourages entities to make an assessment of the maturity of their security capability based on the entity's overall security position within its specific risk environment and risk tolerances. This represents a shift from a compliance-based assessment model.
The new maturity self‑assessment model supports each entity to consider the elements of its security capability. This includes:
- implementation and management of each PSPF core and supporting requirement
- achievement of security outcomes for governance, information, personnel and physical security
- security risks to people, information and assets
- risk environments and tolerance for security risks
- strategies and timeframes to manage identified and unmitigated risks.
Reporting under the PSPF is aligned to meet:
- the four desired protective security outcomes relating to security governance, information, personnel and physical security
- the sixteen core requirements that articulate what entities must do to achieve the four protective security outcomes. These core requirements have a number of supporting requirements that help facilitate a standardised approach to implementing security across government.
The new assessment model takes these elements into account and they have been incorporated into the new PSPF reporting portal to enable entities to provide their assessment.
The Attorney-General's Department will use this information to assess the overall protective security posture of the Australian Government and will release a summary report on this website in early 2020.
Online reporting portal
Go to the PSPF reporting portal.
The PSPF reporting portal allows Commonwealth entities to:
- complete and submit their annual security maturity self‑assessment online
- access benchmarking reports at the conclusion of the submission period
- in future years, access assessments and reports from previous reporting periods.
Once the submission period has started, registered users can access the portal via the links tab on the right of the screen. A help link is located on the reporting portal to assist registered users with queries.
- PSPF reporting portal – quick start guide [PDF 214KB]
- PSPF reporting portal – quick start guide [DOCX 527KB]
Compliance reporting under the previous PSPF
Under the PSPF in effect until 30 September 2018, non-corporate Commonwealth entities were required to undertake an annual self-assessment of their PSPF compliance, then report on their security posture and measures taken to address identified key risks. The consolidated PSPF compliance reports provide an overview of the implementation of the 36 mandatory requirements for that period.
If you require these documents in an accessible format, please contact PSPF@ag.gov.au for an alternate version.
PSPF 2017-18 whole-of-government compliance report
All non-corporate Commonwealth entities submitted a PSPF compliance report for the 2017–18 reporting period. In addition, eight corporate Commonwealth entities voluntarily submitted compliance reports. While few entities reported full compliance with all of the PSPF, the government's security posture is still broadly sound: on average, non-corporate Commonwealth entities fully comply with a significant proportion of requirements.
- PSPF 2017-18 consolidated compliance report [PDF 847KB]
- PSPF 2017-18 consolidated compliance report [DOCX 1.8MB]
PSPF 2016-17 whole-of-government compliance report
All non-corporate Commonwealth entities submitted a PSPF compliance report for 2016-17.