The Protective Security Policy Framework (PSPF) is the Australian Government’s core protective security policy. It sets out what government entities must do to protect their people, information, and assets across six security domains, and it follows an annual release model under which entities self-assess the maturity of their security capabilities and report each financial year. The current version is PSPF Release 2026, issued by the Department of Home Affairs on 24/07/2025.
For security advisers, chief security officers, and the contractors and suppliers who work alongside government, the PSPF defines what good protective security looks like in a Commonwealth setting. It has moved a long way from the older model that many practitioners still picture. This page explains the framework as it stands today: the six domains it is organised around, how the maturity and annual reporting model works, who has to comply, and what changed in the most recent release.
Overview
What is the PSPF?
The PSPF is the policy framework that prescribes how Australian Government entities protect their people, information and resources, both in Australia and overseas. It is issued by the Department of Home Affairs and is the protective security counterpart to the cyber-focused Information Security Manual, with which it is closely aligned.
The framework has been substantially restructured in recent years. PSPF Release 2024 replaced the previous set of sixteen individual PSPF policies with a single consolidated release and reorganised the content around six security domains. Older guidance that describes the PSPF as a four-domain model predates this restructure and should not be relied on.
The PSPF works on an annual release cycle. Each release is reviewed against the current threat environment, and entities work to the version in force for the relevant reporting period. The current version is PSPF Release 2026.
The framework
What are the six security domains?
PSPF Release 2026 organises protective security policy into six domains. Together, they cover the governance, people, information, technology and physical measures an entity needs to manage its security risk in a coordinated way rather than in isolation.
Governance
Leadership, accountability and security planning, including the Accountable Authority and Chief Security Officer roles and annual reporting.
Risk
Identifying, assessing and managing security risk on a risk basis, including procurement, outsourcing and foreign interference risk.
Information
Protecting official information across its life cycle, including classification, handling, storage and the secure use of generative artificial intelligence.
Technology
Securing the technology estate, including internet-facing systems, a technology asset stocktake, cryptography and a Zero Trust posture.
Personnel
Screening and ongoing suitability of people who access government information and facilities, including security vetting and the need-to-know principle.
Physical
Protecting people, information and assets through facility security planning, security zones, access control and certification.

A common point of confusion is the difference between this six-domain structure and the older four-outcome model. The domains are not a renaming exercise; the restructuring separated risk and technology into domains of their own, reflecting how much weight both now carry in the current threat environment.
What happened to the old PSPF policies?
Before the restructure, the PSPF was published as 16 separate numbered policies, each covering a specific requirement such as security governance, information classification or physical security. Many practitioners still search for these by number, for example PSPF Policy 8 or PSPF Policy 10.
PSPF Release 2024 replaced those 16 individual policies with a single consolidated release organised around the six security domains. The numbered policies are no longer maintained as standalone documents, so a requirement that once sat in a specific numbered policy now sits within the relevant domain rather than on a separate policy page.
The current version is PSPF Release 2026. Entities and their suppliers should work to the consolidated six-domain structure and the requirements in the current release, rather than to the retired numbered policies. Guidance that still describes the PSPF as a set of numbered policies, or as a four-outcome model, predates the restructure and should not be relied on.
Maturity
How does the PSPF maturity model and annual reporting work?
The PSPF is not a pass-or-fail audit. Entities assess the maturity of their security capability against the framework’s requirements and report on that maturity, together with the effectiveness of their implementation, each financial year.
Maturity reporting recognises that protective security is a capability an entity builds over time rather than a fixed state. Entities rate their implementation against a four-level maturity scale, from Ad hoc through Developing and Managing to Embedded, which allows an entity and the bodies that oversee it to see where capability is strong, where it is developing, and where it needs investment.
For most entities, the practical implication is a continuous cycle: assess current maturity, identify the gaps that matter most, uplift capability against those gaps, then report and repeat. A framework explainer like this page is the starting point; the protective security advisory work that follows is where an entity turns a maturity rating into a plan.
Maturity is not a one-off assessment. Regular exercising and testing of security and response plans are practical ways for an entity to lift and sustain its maturity, as explained in the exercising and testing pillar.
Scope
Who must comply with the PSPF?
The PSPF applies directly to non-corporate Commonwealth entities, whose Accountable Authorities are responsible for protective security under the framework. Corporate Commonwealth entities and wholly owned Commonwealth companies may be directed to apply it or may choose to adopt it as good practice.
In practice, the framework extends beyond the entities formally bound by it. Service providers that deliver services to government, and contractors and suppliers that handle Commonwealth information or work within government environments, are routinely required to meet relevant PSPF requirements through their deeds, contracts or agreements. For a supplier, the PSPF is therefore often a condition of doing business with government rather than an optional standard.
This wider reach is why the framework matters to organisations that are not themselves Commonwealth entities. A business tendering for government work, or holding government information, needs to understand the requirements it will be asked to meet and demonstrate that it meets them. A security risk assessment aligned to the PSPF is a common first step.
Approach
How do you assess and uplift PSPF maturity?
Improving PSPF maturity follows a consistent path, whatever an entity’s starting point.
Establish the baseline
Assess current capabilities across all six domains and identify gaps.
Prioritise risk
Rank the gaps by the security risk they represent.
Plan the uplift
Sequence the work, with owners, timeframes and measures.
Develop the documents
Put the policies, plans and procedures in place as evidence.
Report and sustain
Feed the annual report and keep improving maturity.
Entities that handle critical infrastructure should read their PSPF obligations alongside the Critical Infrastructure Risk Management Program requirements, since the two regimes overlap in practice and a single risk-management approach can serve both.
Considering a PSPF maturity assessment?
Agilient works with Commonwealth entities and their suppliers to assess current PSPF maturity, prioritise the gaps that matter most, and plan a practical uplift.
Book a PSPF gap or maturity assessmentor contact the Agilient team
What is new
What changed in recent PSPF releases?
The current release, PSPF Release 2026, took effect on 01/07/2026. It builds on PSPF Release 2025, which the Department of Home Affairs issued on 24/07/2025 as part of Tranche 2 of the Commonwealth Uplift Reforms and which made significant changes across personnel and information security, particularly regarding innovative technologies. The notable changes across these releases include the following.
- A Zero Trust direction (Release 2025). Entities are expected to maintain a cyber security strategy and uplift plan aligned with the Information Security Manual and the principles for embedding a Zero Trust culture, covered in the cyber security pillar.
- A technology asset stocktake (Release 2025). Entities must create and maintain a Technology Asset Stocktake and a Technology Security Risk Management Plan covering their internet-facing systems and services.
- New content on artificial intelligence. Release 2025 introduced whole-of-government advice on the use of OFFICIAL information with generative artificial intelligence, and Release 2026 adds advice on cyber security readiness in the frontier AI era together with requirements governing access to generative AI products.
- Post-quantum cryptography (Release 2026). Approved post-quantum cryptographic algorithms are expected for newly procured cryptographic equipment and software.
- New security standards (Release 2025). The release authorises two new Australian Government security standards: Gateway Security and Systems of Government Significance.
- Expanded foreign ownership, control or influence (FOCI) reporting (Release 2025). In the governance domain, entities are expected to identify and manage FOCI risk during procurement, report it to the Department of Home Affairs, and include it in annual reporting.
- Online disclosure of security clearance information (Release 2026). Building on PSPF Direction 003-2025 and Policy Advisory 002-2025, Release 2026 makes this a mandatory requirement (requirement 220, with a strengthened requirement 50), effective 01/07/2026. It prohibits entities and clearance holders from publicly disclosing that a person holds a security clearance, or its level. In practice, affected organisations must ensure that public-facing material, such as websites, staff biographies and tender collateral, does not state that the organisation or its people hold security clearances.
The direction of travel is clear. Each annual release tightens the framework around the contemporary threat environment, and the 2025 changes place particular weight on visibility of technology assets, the security of new technologies, and a Zero Trust posture.
How we help
How Agilient supports PSPF compliance
Agilient helps government entities, and the contractors and suppliers who work with them, understand and meet their PSPF obligations. The support is practical and independent, and is grounded in the same six-domain structure the framework uses.
Gap and maturity assessments
Rate your capability across the six domains against PSPF Release 2026. An independent security audit can then verify those controls against the framework.
Uplift roadmaps
A sequenced plan that tackles the gaps on a risk basis.
Policy and procedure development
The documents the framework expects are intended to evidence the capability.
Governance and risk advisory
Support for the Accountable Authority and Chief Security Officer functions.
Annual reporting support
Help prepare and lodge your annual PSPF report.
Interim or virtual security adviser
Experienced support without a permanent appointment.
As an independent and vendor-neutral consultancy, Agilient advises on what an entity needs rather than on products it sells, and works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.
Talk to Agilient about your PSPF obligations
Whether you are a Commonwealth entity uplifting your maturity or a supplier meeting PSPF requirements under contract, Agilient can help you find the most practical place to start.
Book a PSPF gap or maturity assessmentor book a short briefing
FAQs
Frequently asked questions
What is the PSPF?
What are the six PSPF security domains?
What is the current version of the PSPF?
Who has to comply with the PSPF?
How is PSPF compliance measured?
What changed in recent PSPF releases?
What happened to the old PSPF policy numbers?

References
- Department of Home Affairs, About PSPF, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Release 2026 and Tranche 2 of the Commonwealth Uplift Policy is live, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Annual Release 2026, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Policy Advisory 001-2025 — OFFICIAL Information Use with Generative Artificial Intelligence, protectivesecurity.gov.au
- Department of Home Affairs, PSPF Release 2026 — Summary of Changes, protectivesecurity.gov.au
