Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, to the Department of Home Affairs from the Attorney-General’s Department. These Machinery of Government (MOG) changes commenced on 4 August 2023.

Policy amendment – information security

Protective Security Policy Framework (PSPF) Policy 11: Robust ICT systems has been amended to:

  • implement a new principles-based approach to the consumption of gateway services
  • mandate the Digital Transformation Agency's (DTA) Hosting Certification Framework (HCF), and
  • mandate the implementation of a vulnerability disclosure program (VDP).

The changes reflect updated technical guidance from the DTA and the Australian Signals Directorate (ASD) on requirements for gateways, the data flow control mechanisms that provide entities with protection at the perimeter of their networks and the internet.

This update also aligns the PSPF with DTA's HCF, which requires that all government data must be hosted with the appropriate level of privacy, sovereignty, and security controls. In addition, the changes address feedback from industry about the value of government entities establishing a VDP, which sets out how an entity will receive, verify, resolve and report on security vulnerabilities disclosed by both internal and external sources.