The Protective Security Policy Framework sets the baseline for how Australian Government entities protect their people, information and assets, and each annual release moves that baseline. PSPF Release 2026 took effect in July 2026, and for the many private organisations that supply, partner with, or hold information on behalf of government, the practical question is the same one entities are asking: what has changed, and what should be done about it.
Key takeaways
- PSPF Release 2026 is the current version of the framework, organised across six security domains: governance, risk, information, technology, personnel and physical.
- The requirements are mandatory for non-corporate Commonwealth entities and flow through to suppliers and contractors through contracts, deeds and panel agreements.
- A new mandatory requirement, effective 1 July 2026, obliges entities to hold a policy that prohibits personnel from publicising their security clearance, or information alluding to their access to classified material, online.
- The technology domain continues to expand, with new requirements on the Commonwealth Technology Standard, a post-quantum cryptography transition plan, and centralised risk sharing.
- Entities and their suppliers should run a gap analysis against the six domains, review contracts and reporting readiness, and update their personnel-security policies.
What is PSPF Release 2026?
The PSPF is Australian Government policy, administered by the Department of Home Affairs, that prescribes what entities must do to protect their people, information and resources at home and overseas.¹ It is reviewed each year against the current threat environment, and each cycle ends with an annual release. Release 2026 is the latest.
The framework is structured across six security domains: governance, risk, information, technology, personnel and physical. At its apex sit six principles that set a risk-based, proactive tone, which then flow into the domains, into 25 focus areas, and into more than 200 mandatory requirements beneath them.²
Compliance is mandatory for non-corporate Commonwealth entities under the Public Governance, Performance and Accountability Act 2013. Corporate Commonwealth entities and wholly-owned Commonwealth companies are expected to treat the framework as better practice, and state and territory agencies apply it when holding Commonwealth classified material. Critically for the private sector, service providers of every kind, from cloud hosts to facilities managers to consultancies, must implement the relevant controls wherever a contract, deed, panel head-agreement or direction requires it.³ In practice, that reaches most organisations that handle Commonwealth information. Agilient’s protective security and PSPF consulting work is built around exactly this population of entities and suppliers.
How the framework reached its current shape
Release 2026 is best understood as the continuation of a multi-year modernisation, not a standalone event.
The November 2024 release was the structural turning point. It expanded the framework from four domains to six, adding dedicated risk and technology domains, and reorganised the requirements into a larger set of focus areas.³ The July 2025 release then put technology at the centre, embedding a Zero Trust Culture, lifting gateway security, requiring a stocktake of internet-facing systems, and drawing the Australian Signals Directorate deeper into everyday protective security. It also sharpened governance, with expanded reporting of foreign ownership, control or influence risks and more frequent reporting by chief information security officers.³ Release 2026 carries that trajectory forward, with most requirements retained and a focused set of additions and changes.
What is new in Release 2026
Most of the framework was retained, but a set of new and modified requirements commenced on 1 July 2026. The changes that matter most for entities and their suppliers are these.²
- Online disclosure of security clearances. A new mandatory requirement obliges every entity to establish a policy that prohibits personnel from publicising their security clearance, or information that indicates or alludes to their access to security classified material, on online platforms. The companion requirement that personnel not publicise their clearance information was also strengthened. This is examined in detail below.
- Security awareness training on foreign interference. Awareness training must now explicitly cover foreign interference, espionage, and the cultivation and exploitation of personnel by foreign powers.
- A technology uplift. Several technology requirements were added or modified. Entities must apply the Commonwealth Technology Standard when authorising systems to operate up to SECRET, develop and maintain a post-quantum cryptography transition plan in addition to supporting approved post-quantum algorithms on newly procured equipment, and establish a policy for sharing product and service risk assessments with a centralised risk-sharing capability. Hosting and gateway requirements were also aligned to the updated Hosting Certification Framework and Gateway Security Standard.
- The standalone TikTok requirements were retired. The specific TikTok controls have ceased, with the risk now managed through the broader technology-lifecycle requirements.
- Personnel and physical refinements. The eligibility-waiver provisions for citizenship and checkable background were refined, a security risk assessment is now required where personnel work in another government entity’s facilities, and accreditation of Sensitive Compartmented Information Facilities was aligned to the National SCIF Accreditation Program.
For the complete requirement-by-requirement detail, entities should work from the official PSPF Release 2026 list of requirements.
The clearance-disclosure change every organisation should note
The change with the widest reach beyond government sits across the risk and personnel domains. From 1 July 2026, entities must hold a specific policy that prohibits personnel from publicising, on online platforms, their security clearance or any information that indicates or alludes to their access to security classified information or resources. It is a mandatory, reportable requirement, not merely guidance.²
The reasoning is straightforward. Clearance holders are attractive targets for foreign intelligence services and other hostile actors, and a clearance stated openly on a website, a professional profile or a social platform makes targeting easier. The requirement sits within the framework’s work on countering foreign interference and espionage, and it is supported by whole-of-government advice on the online disclosure of security clearance and national security information.¹
The practical effect extends past government. Cleared individuals and the organisations that employ them, including consultancies and contractors, should review their public footprint, including company websites, staff biographies, tender responses and personal social media, and remove statements that name or allude to individual clearances. It is a small change to make and a meaningful reduction in exposure. Agilient has applied the same discipline to its own public material.
Technology, artificial intelligence and threat-driven directions
The technology domain remains the most active, and Release 2026 continues that pattern with the Commonwealth Technology Standard, the post-quantum cryptography transition plan, and centralised risk sharing noted above. These sit alongside the earlier moves on Zero Trust, gateway security and technology asset management, and reinforce that protective security is no longer a physical-and-paper discipline with technology bolted on.
The framework also operates a directions mechanism, under which the Secretary of the Department of Home Affairs can direct entities to act on a specific, present risk. Directions can be issued at any point in the year rather than waiting for the annual release, and recent directions have addressed named vulnerabilities and products.¹ For any organisation aligning to the PSPF, this means treating the framework as a live obligation, not a document reviewed once and filed.
A note on scope. The technology domain references the Information Security Manual and the Essential Eight, which many organisations ask about. These sit within the broader PSPF governance picture. Agilient’s role here is governance and advisory, framing how these controls fit an entity’s overall protective security and risk posture, rather than performing technical cyber assessments or certifications.
What it means for suppliers and contractors
For a supplier, the immediate risk is commercial. As government implements the wider cyber security uplift, conformance with current PSPF requirements increasingly shapes tender success, contract continuity and risk exposure.³ A gap against the latest release is no longer just a compliance matter; it can decide whether an organisation stays eligible to win and keep government work.
The reach is also broad. Because the obligations flow through contracts, deeds and panel arrangements, an organisation does not need to be a government agency to be bound by parts of the framework. It only needs to handle government information or provide a service where the controls have been passed down.
What to do now
- Run a gap analysis against all six domains, not only the technology controls, and sequence remediation by risk, dependency and budget.
- Review your personnel-security arrangements, and put in place the required policy on the online disclosure of clearance information. Audit websites, biographies and social profiles for statements that identify individual clearances, and remove them.
- Check your contracts, deeds and panel agreements to confirm which PSPF controls have flowed down to you, and map those to your current posture.
- Confirm your reporting and evidence are ready for the annual maturity self-assessment, so that compliance can be demonstrated rather than asserted. A structured security risk assessment is the natural starting point for most of this work.

How Agilient can assist
Agilient advises Australian Government entities and the suppliers that serve them on protective security and the PSPF, in the governance and advisory lane. That includes PSPF gap analysis, maturity assessment and roadmaps, security planning, security risk assessment, and the supporting work across critical infrastructure and the SOCI Act, business continuity and resilience.
Agilient is independent and vendor-neutral, is appointed to several Australian Government security and advisory panels, and is a member of the Defence Industry Security Program. Its consultants have delivered protective security work in classified Australian Government environments, and Agilient’s founder led national standards development in security, risk and resilience. That combination is why government and regulated buyers engage Agilient to translate a framework change like Release 2026 into a clear, prioritised plan.
Frequently asked questions
What is PSPF Release 2026?
PSPF Release 2026 is the current annual release of the Australian Government’s Protective Security Policy Framework, administered by the Department of Home Affairs and effective from July 2026. It sets mandatory protective security requirements across six domains: governance, risk, information, technology, personnel and physical.
Does the PSPF apply to private companies?
The PSPF is mandatory for non-corporate Commonwealth entities, but its requirements commonly flow to private organisations through contracts, deeds and panel agreements. A supplier that handles Commonwealth information or provides a service to government may be required to implement relevant PSPF controls.
What changed for security clearances in PSPF Release 2026?
From 1 July 2026, entities must hold a policy that prohibits personnel from publicising their security clearance, or information that alludes to their access to classified material, on online platforms. This reduces the ability of hostile actors to identify and target clearance holders, and it applies in practice to the suppliers and individuals who work with government.
What are the main new requirements in Release 2026?
The notable additions include the online clearance-disclosure policy, new foreign-interference content in security awareness training, and a technology uplift covering the Commonwealth Technology Standard for systems up to SECRET, a post-quantum cryptography transition plan, and centralised risk sharing. The standalone TikTok requirements were retired.
How should an organisation prepare for PSPF Release 2026?
Run a gap analysis across all six domains, review contracts to confirm which controls apply, update personnel-security policies including online disclosure of clearances, and confirm that reporting and evidence are ready for the annual maturity self-assessment.
References
1. Department of Home Affairs, Protective Security Policy Framework — Release 2026 and PSPF news, protectivesecurity.gov.au
2. Department of Home Affairs, PSPF Release 2026 — List of Requirements and PSPF on a page (including the new online clearance-disclosure requirement), protectivesecurity.gov.au
3. King & Wood Mallesons, The Protective Security Policy Framework has been updated: what’s new, mallesons.com
