Applying the Protective Security Policy Framework
Entities that must follow the PSPF
The Directive on the Security of Government Business establishes the Protective Security Policy Framework (PSPF) as Australian Government policy.
This means that non-corporate Commonwealth entities that are subject to the Public Governance, Performance and Accountability Act 2013 must apply the PSPF (to the extent consistent with legislation).
The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act.
Non-government organisations that access sensitive and security classified information may need to enter into a deed or agreement to apply relevant parts of the PSPF to that information.
State and territory government agencies that hold or access Australian Government sensitive and security classified information apply the PSPF to that information, consistent with arrangements agreed between the Commonwealth, states and territories.
How entities apply PSPF
Entities apply the PSPF using a security risk management approach. This allows them to apply the PSPF in a way that best suits their individual security goals and objectives, their specific risk and threat environment, as well as their risk tolerance and security capability.
Find out more
The Attorney-General's Department supports entities to implement the PSPF.
For more information or support, you can: