The Protective Security Policy Framework (PSPF) is the Australian Government’s core protective security policy. It sets out what government entities must do to protect their people, information, and assets across six security domains, and it follows an annual release model under which entities self-assess the maturity of their security capabilities and report each financial year. The current version is PSPF Release 2025, issued by the Department of Home Affairs on 24/07/2025.
For security advisers, chief security officers, and the contractors and suppliers who work alongside government, the PSPF defines what good protective security looks like in a Commonwealth setting. It has moved a long way from the older model that many practitioners still picture. This page explains the framework as it stands today: the six domains it is organised around, how the maturity and annual reporting model works, who has to comply, and what changed in the most recent release.
Overview
What is the PSPF?
The PSPF is the policy framework that prescribes how Australian Government entities protect their people, information and resources, both in Australia and overseas. It is issued by the Department of Home Affairs and is the protective security counterpart to the cyber-focused Information Security Manual, with which it is closely aligned.
The framework has been substantially restructured in recent years. PSPF Release 2024 replaced the previous set of sixteen individual PSPF policies with a single consolidated release and reorganised the content around six security domains. Older guidance that describes the PSPF as a four-domain model predates this restructure and should not be relied on.
The PSPF works on an annual release cycle. Each release is reviewed against the current threat environment, and entities work to the version in force for the relevant reporting period. The current version is PSPF Release 2025.
The framework
What are the six security domains?
PSPF Release 2025 organises protective security policy into six domains. Together, they cover the governance, people, information, technology and physical measures an entity needs to manage its security risk in a coordinated way rather than in isolation.

A common point of confusion is the difference between this six-domain structure and the older four-outcome model. The domains are not a renaming exercise; the restructuring separated risk and technology into domains of their own, reflecting how much weight both now carry in the current threat environment.
Maturity
How does the PSPF maturity model and annual reporting work?
The PSPF is not a pass-or-fail audit. Entities assess the maturity of their security capability against the framework’s requirements and report on that maturity, together with the effectiveness of their implementation, each financial year.
Maturity reporting recognises that protective security is a capability an entity builds over time rather than a fixed state. Entities rate their implementation against a four-level maturity scale, from Ad hoc through Developing and Managing to Embedded, which allows an entity and the bodies that oversee it to see where capability is strong, where it is developing, and where it needs investment.
For most entities, the practical implication is a continuous cycle: assess current maturity, identify the gaps that matter most, uplift capability against those gaps, then report and repeat. A framework explainer like this page is the starting point; the protective security advisory work that follows is where an entity turns a maturity rating into a plan.
Maturity is not a one-off assessment. Regular exercising and testing of security and response plans are practical ways for an entity to lift and sustain its maturity, as explained in the exercising and testing pillar.
Scope
Who must comply with the PSPF?
The PSPF applies directly to non-corporate Commonwealth entities, whose Accountable Authorities are responsible for protective security under the framework. Corporate Commonwealth entities and wholly owned Commonwealth companies may be directed to apply it or may choose to adopt it as good practice.
In practice, the framework extends beyond the entities formally bound by it. Service providers that deliver services to government, and contractors and suppliers that handle Commonwealth information or work within government environments, are routinely required to meet relevant PSPF requirements through their deeds, contracts or agreements. For a supplier, the PSPF is therefore often a condition of doing business with government rather than an optional standard.
This wider reach is why the framework matters to organisations that are not themselves Commonwealth entities. A business tendering for government work, or holding government information, needs to understand the requirements it will be asked to meet and demonstrate that it meets them. A security risk assessment aligned to the PSPF is a common first step.
Approach
How do you assess and uplift PSPF maturity?
Improving PSPF maturity follows a consistent path, whatever an entity’s starting point.
Establish the baseline
Assess current capabilities across all six domains and identify gaps.
Prioritise risk
Rank the gaps by the security risk they represent.
Plan the uplift
Sequence the work, with owners, timeframes and measures.
Develop the documents
Put the policies, plans and procedures in place as evidence.
Report and sustain
Feed the annual report and keep improving maturity.
Entities that handle critical infrastructure should read their PSPF obligations alongside the Critical Infrastructure Risk Management Program requirements, since the two regimes overlap in practice and a single risk-management approach can serve both.
What is new
What changed in PSPF Release 2025?
PSPF Release 2025 was issued by the Department of Home Affairs on 24/07/2025 as part of Tranche 2 of the Commonwealth Uplift Reforms. It introduced policy changes across personnel and information security, particularly regarding innovative technologies. The notable changes include the following.
- A Zero Trust direction. Entities are expected to maintain a cyber security strategy and uplift plan aligned with the Information Security Manual and the principles for embedding a Zero Trust culture, covered in the cyber security pillar.
- A technology asset stocktake. Entities must create and maintain a Technology Asset Stocktake and a Technology Security Risk Management Plan covering their internet-facing systems and services.
- New content on artificial intelligence. Release 2025 is accompanied by whole-of-government advice on the use of OFFICIAL information with generative artificial intelligence.
- Post-quantum cryptography. Approved post-quantum cryptographic algorithms are expected for newly procured cryptographic equipment and software.
- New security standards. The release authorises two new Australian Government security standards: Gateway Security and Systems of Government Significance.
- Expanded foreign ownership, control or influence (FOCI) reporting. In the governance domain, entities are expected to identify and manage FOCI risk during procurement, report it to the Department of Home Affairs, and include it in annual reporting.
The direction of travel is clear. Each annual release tightens the framework around the contemporary threat environment, and the 2025 changes place particular weight on visibility of technology assets, the security of new technologies, and a Zero Trust posture.
How we help
How Agilient supports PSPF compliance
Agilient helps government entities, and the contractors and suppliers who work with them, understand and meet their PSPF obligations. The support is practical and independent, and is grounded in the same six-domain structure the framework uses.
Gap and maturity assessments
Rate your capability across the six domains against PSPF Release 2025.
Uplift roadmaps
A sequenced plan that tackles the gaps on a risk basis.
Policy and procedure development
The policies, plans and procedures the framework expects, written so they evidence the capability.
Governance and risk advisory
Support for the Accountable Authority and Chief Security Officer functions.
Annual reporting support
Help prepare and lodge your annual PSPF report.
Interim or virtual security adviser
Experienced support without a permanent appointment.
As an independent and vendor-neutral consultancy, Agilient advises on what an entity needs rather than on products it sells, and works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Talk to Agilient about your PSPF obligations
Whether you are a Commonwealth entity uplifting your maturity or a supplier meeting PSPF requirements under contract, Agilient can help you find the most practical place to start.
Book a PSPF gap or maturity assessment or book a short briefing
References
- Department of Home Affairs, About PSPF, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Release 2025 and Tranche 2 of the Commonwealth Uplift Policy is live, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Annual Release 2025, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Policy Advisory 001-2025 — OFFICIAL Information Use with Generative Artificial Intelligence, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Release 2025 — Summary of Changes, protectivesecurity.gov.au
