Skip to main content

The Administrative Arrangements Order of 3 August 2023 transferred responsibility for protective security policy, including the Protective Security Policy Framework, from the Attorney-General's Department to the Department of Home Affairs. These Machinery of Government (MOG) changes began on 4 August 2023.

The PSPF Reporting Portal will transfer to the Department of Home Affairs on 11 June 2024. Before 11 June 2024, all entities and users must set up new authentication credentials through VANguard. You can get more information by contacting the Government Protective Security Policy section at or the PSPF hotline on 02 5127 9999.

Policy 6: Security governance for contracted goods and service providers

  • Security governance
Publication date
Last updated


This policy guides how to assess and manage security risks when procuring goods and services. It supports the Commonwealth Procurement Rules that govern how entities procure goods and services.


When entities procure goods and services, they should consider quality security outcomes as a key factor in determining value for money. It is important that entities balance the effort to assess and manage the procurement risks against the scale, scope and risk of the procurement. This will reduce the likelihood of additional financial and non-financial costs to government.

As part of the procurement, entities must also identify and document the security risks to their people, information and assets, as well as the strategies in place to mitigate them.

When developing procurement documents (such as requests for tender and subsequent contracts), entities must include relevant security provisions and appropriate protections. To achieve this, we encourage entities to include terms and conditions in their procurement documents.

We encourage entities to perform ongoing assessments to evaluate whether a contract service provider is complying with contract conditions. For example, to regularly inspect premises that store Australian Government information or assets, or monitor an ongoing accreditation program. It can help to identify a contract manager who is responsible for monitoring and reviewing risk for each contract.

Timely and thorough reporting of any incidents is important throughout the life of the contract. This allows entities to investigate and, if necessary, to adjust security procedures and contract conditions to mitigate security risks. It also allows entities to implement additional safeguards to avoid further security incidents.

When a contract is completed or terminated, entities must apply appropriate security arrangements. This helps to safeguard government resources and limit the potential compromise of sensitive or classified resources.

Return to the Security governance page