Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, to the Department of Home Affairs from the Attorney-General’s Department. These Machinery of Government (MOG) changes commenced on 4 August 2023.

Policy update – Robust ICT systems

The Attorney-General's Department has updated the PSPF policy 11: Robust ICT systems to realign the PSPF requirements and guidance with the Australian Cyber Security Centre's (ACSC) updated advice on assessment and authorisation of information and communication technology (ICT) systems using a risk-based approach.

The amended policy:

  • introduces an authorisation framework for ICT systems that process, store and communicate government information based on the Information Security Manual's (ISM) six-step risk-based approach
  • focuses on applying cyber security principles to manage security risks during the lifecycle of the system (from inception to disposal)
  • clarifies the need for entities to consider all of the ISM's security controls and guidelines, and
  • provides clearer linkages to other government policies and guidance on related systems and services, such as the ACSC's new cloud guidance following the closure of the Cloud Services Certification Program.

The Attorney-General's Department worked closely with the ACSC and the Digital Transformation Agency to ensure the updated policy aligns with the ISM and the Australian Government Secure Cloud Strategy. However, the requirement to implement a secure internet gateway remains largely unchanged. The department expects that during the next twelve months, further amendments to PSPF policy 11 will be required to accommodate the Hardening of Government IT Systems program.