Application of the Protective Security Policy Framework

Who needs to follow the PSPF?

The Protective Security Policy Framework (PSPF) applies to non-corporate Commonwealth entities subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) to the extent consistent with legislation.

The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act.
Non-government organisations that access security classified information may be required to enter into a deed or agreement to apply relevant parts of the PSPF for that information.

State and territory government agencies that hold or access Australian Government security classified information apply the PSPF to that information consistent with arrangements agreed between the Commonwealth, states and territories.

How do entities apply the PSPF?

Entities apply the PSPF using a security risk management approach. This allows entities to apply the PSPF in a way that best suits their individual security goals and objectives, risk and threat environment, risk tolerance and security capability.

The Attorney-General's Department is committed to supporting entities in their implementation of the PSPF. More information and support is available on the resources page of this website, on the protective security community on GovTEAMS and through the communities of practice run by the Attorney-General's Department.