How to Run a PSPF Maturity Assessment: A Practical Guide


A PSPF maturity assessment is how a Commonwealth entity works out how well its protective security actually meets the Protective Security Policy Framework, and where it needs to improve. The PSPF is not a pass-or-fail audit. Entities self-assess the maturity of their security capability against the framework and report on it each financial year, so the assessment is the foundation of that reporting and of any uplift that follows.

Key takeaways

  • The PSPF is administered by the Department of Home Affairs. The current version is PSPF Release 2025, issued on 24/07/2025.
  • It is organised around six security domains: governance, risk, information, technology, personnel and physical.
  • Entities rate implementation against a four-level maturity scale: Ad hoc, Developing, Managing and Embedded.
  • Maturity is self-assessed and reported each financial year, then uplifted in a continuous cycle.
  • A maturity assessment turns the framework into a prioritised, evidence-based uplift plan.

What is a PSPF maturity assessment?

A PSPF maturity assessment reviews an entity’s protective security against the requirements of the framework, rates the maturity of each area, and identifies the gaps that matter most. Because the PSPF treats security as a capability built over time rather than a fixed state, the assessment measures how embedded and effective the controls are, not merely whether a policy exists on paper. [1]

Who must comply with the PSPF?

The PSPF applies to non-corporate Commonwealth entities, and many corporate Commonwealth entities and contracted service providers are required or expected to align with it through their funding agreements or contracts. For the security advisers, chief security officers, and suppliers who work alongside government, the PSPF defines what good protective security looks like in a Commonwealth setting.

The six security domains

PSPF Release 2025 organises protective security policy into six domains that are assessed together rather than in isolation:

  • Governance: leadership, accountability and security planning, including the Accountable Authority and Chief Security Officer roles and annual reporting.
  • Risk: identifying, assessing and managing security risk, including procurement, outsourcing and foreign interference risk.
  • Information: protecting official information across its life cycle.
  • Technology: securing technology and systems that hold or process official information.
  • Personnel: ensuring the suitability of people with access to people, information and assets.
  • Physical: protecting people, information and assets in physical environments.

The four-level maturity scale

Entities rate implementation against a four-level scale, from Ad hoc, through Developing and Managing, to Embedded. The scale lets an entity and the bodies that oversee it see where capability is strong, where it is still developing, and where it needs investment.

How to run a PSPF maturity assessment, step by step

1. Confirm scope and obligations

Establish which requirements apply to the entity, the systems and sites in scope, and the reporting obligations for the year. Governance sits first because the Accountable Authority and Chief Security Officer set the tone for the whole assessment.

2. Gather evidence against each domain

For each of the six domains, collect the policies, procedures, records and system configurations that show how the requirement is met in practice. Evidence of operation matters more than the existence of a document.

3. Rate maturity honestly

Rate each area against the Ad hoc to Embedded scale, supported by the evidence. A defensible, slightly conservative rating is more useful than an optimistic one, because it directs investment to real gaps.

4. Identify and prioritise gaps

Compare current maturity against the target for the entity’s risk profile, and rank the gaps by risk. Anchor this to a sound security risk assessment, since the risk domain underpins the others.

5. Build the uplift plan and report

Set out the gaps as a sequenced uplift plan, from quick procedural fixes to longer capability builds, and prepare the annual report on maturity and implementation effectiveness. The practical pattern is a continuous cycle: assess, identify the gaps that matter most, uplift, then report and repeat.

What changed in PSPF Release 2025?

The framework now follows an annual release model, with the version issued by the Department of Home Affairs and entities self-assessing and reporting each financial year. It has moved well away from the older numbered-policy and four-outcome structure that many practitioners still picture, toward the six-domain, maturity-based model described above. For a fuller explanation, see Agilient’s PSPF practical guide.

How Agilient can assist

Agilient is an independent protective security consultancy that helps Commonwealth entities and their suppliers assess PSPF maturity, prioritise gaps and plan a realistic uplift. Because the PSPF is self-assessed and reported by the entity, Agilient’s role is to bring method, evidence and an external perspective to that assessment, not to certify it. Agilient’s consultants hold security licences in each state where it operates and work across government and the suppliers that serve it.

To discuss your obligations, explore protective security consulting or book a short briefing.

Frequently asked questions

Is the PSPF a pass-or-fail audit?

No. Entities self-assess the maturity of their security capability and report on it each financial year. The aim is to build capability over time, not to pass a one-off test.

How often must entities report against the PSPF?

Each financial year. Entities report their maturity and the effectiveness of their implementation across the six domains.

What are the PSPF maturity levels?

Implementation is rated on a four-level scale: Ad hoc, Developing, Managing and Embedded.

Who is accountable for PSPF compliance?

The Accountable Authority holds overall accountability, supported by the Chief Security Officer and the security governance arrangements set out in the governance domain.

Can a contractor or supplier be required to meet the PSPF?

Yes. Suppliers and contracted service providers are frequently required to align with relevant PSPF requirements through their contracts, particularly where they handle official information or access government facilities.

References

  1. Department of Home Affairs, Protective Security Policy Framework (PSPF Release 2025), protectivesecurity.gov.au