Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General's Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 11 June 2024. Before 11 June 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at or the PSPF hotline on 02 5127 9999.

Physical security

The policies under this outcome outline physical security, control, and building construction measures to safeguard government resources and minimise or remove security risk.

The 2 core requirements in these policies, and the accompanying supporting requirements, set out what entities must do to achieve the physical security outcome.


Each entity provides a safe and secure physical environment for their people, information and assets.

Core requirement

Each entity must implement physical security measures that minimise or remove the risk of:

  1. harm to people, and
  2. information and physical asset resources being made inoperable or inaccessible, or being accessed, used or removed without proper authorisation.

Key topics

  • Identifying resources
  • Identifying the physical security measures required to protect entity resources
  • Measures to protect entity information and assets
  • Measures for the protection of sensitive and classified discussions
  • Measures for the protection of ICT equipment
  • Protection of resources against loss of power supply
  • Disposal of physical assets
  • Working away from the office

Read Policy 15: Physical security for entity resources

Core requirement

Each entity must:

  1. ensure it fully integrates protective security in the process of planning, selecting, designing and modifying its facilities for the protection of people, information and physical assets
  2. in areas where sensitive or security classified information and assets are used, transmitted, stored or discussed, certify its facility’s physical security zones in accordance with the applicable ASIO Technical notes, and
  3. accredit its security zones.

Key topics

  • Planning
  • Site selection
  • Designing and modifying facilities
  • Security Zones
  • Security zone individual control elements
  • Security zone certification and accreditation
  • ICT facilities
  • SCEC-tested equipment and selecting commercial equipment guidelines

Read Policy 16: Entity facilities