Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, to the Department of Home Affairs from the Attorney-General’s Department. These Machinery of Government (MOG) changes commenced on 4 August 2023.

Policy 5: Reporting on security

  • Security governance
Publication date
Last updated


Entities must undertake an annual assessment of the maturity of their security capability and how they are implementing the PSPF core and supporting requirements. This policy sets out how to report and what information entities must include.


Annual reporting provides assurance that sound and responsible protective security practices are in place and summarises the maturity of each entity’s security capability. It also identifies security risks and vulnerabilities and the strategies in place to mitigate or manage them.

How to report

The Department of Home Affairs provides 2 options for entities to complete their annual assessment report:

  • an online reporting portal (for information classified up to PROTECTED)
  • a reporting template (for information classified higher than PROTECTED).

Maturity self-assessment model

The assessment report is based on the PSPF maturity self-assessment model.

The model provides entities with a meaningful scale to help them consider their overall security position within their specific risk environment and risk tolerances.

Under the model, entities must assess their security capability against 4 levels of maturity:

  • Maturity Level One (partial implementation)
  • Maturity Level Two (substantial implementation)
  • Maturity Level Three (full implementation)
  • Maturity Level Four (superior implementation)

What to report

In their PSPF assessment report, entities must provide:

  • rationales to support their security maturity assessment for the 16 core requirements
  • details of strategies to mitigate identified security risks
  • a summary of the security risk environment
  • key risks to people, information and assets.

Entities must also report to the relevant lead security authority and other affected entities on any significant security incidents, as they occur.

Consolidated reporting

Each year the Department of Home Affairs consolidates all reporting data into an aggregated whole-of-government PSPF assessment report for the Attorney-General.

Once the Attorney-General has considered it, the department publishes the consolidated PSPF assessment report on the protective security website.

Return to the Security governance page