Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General’s Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 24 May 2024. Before 24 May 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at or the PSPF hotline on 02 5127 9999.

Information security

The policies under this outcome outline how entities classify and handle official information to guard against information compromise. They also set out how to provide appropriate and secure access to official information, mitigate common and emerging cyber threats and safeguard official information and communication technology systems.

The 4 core requirements in these policies, and the accompanying supporting requirements, set out what entities must do to achieve the information security outcome.


Each entity maintains confidentiality, integrity and availability of all official information.

Core requirement

Each entity must:

  1. identify information holdings
  2. assess the sensitivity and security classification of information holdings
  3. implement operational controls for these information holding proportional to their value, importance and sensitivity.

Key topics

  • Official information
  • Sensitive and security classified information
  • Caveats and accountable material
  • Information management markers
  • Minimum protections for sensitive and security classified information
  • Disposal of sensitive and security classified information
  • Emergencies, breaches or security violations involving security classified information
  • Minimum protections and handling requirements for sensitive and security classified information

Read Policy 8: Classification system

Core requirement

Each entity must enable appropriate access to official information. This includes:

  1. sharing information within the entity, as well as with other relevant stakeholders
  2. ensuring that those who access sensitive or security classified information have an appropriate security clearance and need to know that information
  3. controlling access (including remote access) to supporting ICT systems, networks, infrastructure, devices and applications.

Key topics

  • Internal and external information sharing
  • The need-to-know principle
  • Personnel security requirements for access to sensitive and security classified resources
  • Temporary access to classified resources
  • ICT access controls

Read Policy 9: Access to information

Core requirements

Each entity must mitigate common cyber threats by:

  1. implementing the following mitigation strategies from the Strategies to Mitigate Cyber Security Incidents:
    1. application control
    2. patch applications
    3. configure Microsoft Office macro settings
    4. user application hardening
    5. restrict administrative privileges
    6. patch operating systems
    7. multi-factor authentication
    8. regular backups
  2. considering which of the remaining mitigation strategies from the Strategies to Mitigate Cyber Security Incidents need to be implemented to achieve an acceptable level of residual risk for their entity.

Key topics

  • Achieving PSPF maturity with the mandated mitigation strategies
  • Implementing the Essential Eight and other strategies to mitigate cyber security incidents
  • Cyber security responsibilities when transacting online with the public

Read Policy 10: Safeguarding data from cyber threats

Core requirement

Each entity must assess ensure the secure operation of their ICT systems to safeguard information and the continuous delivery of government business by applying the Australian Government Information Security Manual's cyber security principles during all stages of the lifecycle of each system.

Key topics

  • Ensuring secure ICT systems at all stages of their lifecycle
  • Authorising ICT systems to operate
  • Secure internet gateways

Read Policy 11: Robust ICT systems