The Australian Government is in a caretaker period ahead of an election on 18 May 2019. During this period, information on this website will be published in accordance with the Guidance on Caretaker Conventions.
Australian Government - Attorney-General's Department

Protective Security Policy Framework

Skip breadcrumbHome » About » PSPF annual reports

PSPF annual reports

As a policy of the Australian Government, non-corporate Commonwealth entities (NCCEs) must apply the PSPF to the extent of their enabling legislation. Entities are required to report on security each financial year to their portfolio minister and the Attorney-General's Department.

From 30 June 2019, NCCE's will be required to report on their self-assessment of the maturity of the entity's security capability. It will include consideration of the entity's:

  • progress in achieving the PSPF governance, information, personnel and physical security outcomes
  • level of implementation and management of the PSPF core and supporting requirements
  • risk environment and tolerance for security risks
  • strategies and timeframes to manage identified and unmitigated risks
  • security risks to people, information and assets.

Reporting provides assurance that sound and responsible protective security practices are occurring. It also identifies security risks and vulnerabilities and the steps being taken to mitigate them.

The Attorney-General's Department will use this information to assess the overall protective security posture of the Australian Government and will release a summary report on this website in early 2020.

Complaince reporting under the previous PSPF

Under the PSPF in effect until 30 September 2018, NCCE’s were required to undertake an annual self-assessment of their PSPF compliance, then report on their security posture and measures taken to address identified key risks.

PSPF 2016-17 whole-of-government compliance report

All non-corporate Commonwealth entities submitted a PSPF compliance report for 2016-17. The consolidated PSPF 2016-17 compliance report provides an overview of the implementation of the 36 mandatory requirements for that period. While few entities are fully compliant with all of the PSPF, the government's security posture is still broadly sound - on average, non-corporate Commonwealth entities fully comply with a significant proportion of requirements.

If you require this document in an accessible format, please contact for an alternate version.