Australian Government precinct in Canberra, illustrating the Protective Security Policy Framework.

The Protective Security Policy Framework (PSPF) is the Australian Government’s core protective security policy. It sets out what government entities must do to protect their people, information, and assets across six security domains, and it follows an annual release model under which entities self-assess the maturity of their security capabilities and report each financial year. The current version is PSPF Release 2026, issued by the Department of Home Affairs on 24/07/2025.

For security advisers, chief security officers, and the contractors and suppliers who work alongside government, the PSPF defines what good protective security looks like in a Commonwealth setting. It has moved a long way from the older model that many practitioners still picture. This page explains the framework as it stands today: the six domains it is organised around, how the maturity and annual reporting model works, who has to comply, and what changed in the most recent release.

Overview

What is the PSPF?

The PSPF is the policy framework that prescribes how Australian Government entities protect their people, information and resources, both in Australia and overseas. It is issued by the Department of Home Affairs and is the protective security counterpart to the cyber-focused Information Security Manual, with which it is closely aligned.

The framework has been substantially restructured in recent years. PSPF Release 2024 replaced the previous set of sixteen individual PSPF policies with a single consolidated release and reorganised the content around six security domains. Older guidance that describes the PSPF as a four-domain model predates this restructure and should not be relied on.

The PSPF works on an annual release cycle. Each release is reviewed against the current threat environment, and entities work to the version in force for the relevant reporting period. The current version is PSPF Release 2026.

The framework

What are the six security domains?

PSPF Release 2026 organises protective security policy into six domains. Together, they cover the governance, people, information, technology and physical measures an entity needs to manage its security risk in a coordinated way rather than in isolation.

Governance

Leadership, accountability and security planning, including the Accountable Authority and Chief Security Officer roles and annual reporting.

Risk

Identifying, assessing and managing security risk on a risk basis, including procurement, outsourcing and foreign interference risk.

Information

Protecting official information across its life cycle, including classification, handling, storage and the secure use of generative artificial intelligence.

Technology

Securing the technology estate, including internet-facing systems, a technology asset stocktake, cryptography and a Zero Trust posture.

Personnel

Screening and ongoing suitability of people who access government information and facilities, including security vetting and the need-to-know principle.

Physical

Protecting people, information and assets through facility security planning, security zones, access control and certification.

PSPF six security domains in a grid with icons, and the four-step annual maturity cycle, PSPF Release 2026.

A common point of confusion is the difference between this six-domain structure and the older four-outcome model. The domains are not a renaming exercise; the restructuring separated risk and technology into domains of their own, reflecting how much weight both now carry in the current threat environment.

Legacy policies

What happened to the old PSPF policies?

Before the restructure, the PSPF was published as 16 separate numbered policies, each covering a specific requirement such as security governance, information classification or physical security. Many practitioners still search for these by number, for example PSPF Policy 8 or PSPF Policy 10.

PSPF Release 2024 replaced those 16 individual policies with a single consolidated release organised around the six security domains. The numbered policies are no longer maintained as standalone documents, so a requirement that once sat in a specific numbered policy now sits within the relevant domain rather than on a separate policy page.

The current version is PSPF Release 2026. Entities and their suppliers should work to the consolidated six-domain structure and the requirements in the current release, rather than to the retired numbered policies. Guidance that still describes the PSPF as a set of numbered policies, or as a four-outcome model, predates the restructure and should not be relied on.

Maturity

How does the PSPF maturity model and annual reporting work?

The PSPF is not a pass-or-fail audit. Entities assess the maturity of their security capability against the framework’s requirements and report on that maturity, together with the effectiveness of their implementation, each financial year.

Maturity reporting recognises that protective security is a capability an entity builds over time rather than a fixed state. Entities rate their implementation against a four-level maturity scale, from Ad hoc through Developing and Managing to Embedded, which allows an entity and the bodies that oversee it to see where capability is strong, where it is developing, and where it needs investment.

For most entities, the practical implication is a continuous cycle: assess current maturity, identify the gaps that matter most, uplift capability against those gaps, then report and repeat. A framework explainer like this page is the starting point; the protective security advisory work that follows is where an entity turns a maturity rating into a plan.

Maturity is not a one-off assessment. Regular exercising and testing of security and response plans are practical ways for an entity to lift and sustain its maturity, as explained in the exercising and testing pillar.

Scope

Who must comply with the PSPF?

The PSPF applies directly to non-corporate Commonwealth entities, whose Accountable Authorities are responsible for protective security under the framework. Corporate Commonwealth entities and wholly owned Commonwealth companies may be directed to apply it or may choose to adopt it as good practice.

In practice, the framework extends beyond the entities formally bound by it. Service providers that deliver services to government, and contractors and suppliers that handle Commonwealth information or work within government environments, are routinely required to meet relevant PSPF requirements through their deeds, contracts or agreements. For a supplier, the PSPF is therefore often a condition of doing business with government rather than an optional standard.

This wider reach is why the framework matters to organisations that are not themselves Commonwealth entities. A business tendering for government work, or holding government information, needs to understand the requirements it will be asked to meet and demonstrate that it meets them. A security risk assessment aligned to the PSPF is a common first step.

Approach

How do you assess and uplift PSPF maturity?

Improving PSPF maturity follows a consistent path, whatever an entity’s starting point.

1

Establish the baseline

Assess current capabilities across all six domains and identify gaps.

2

Prioritise risk

Rank the gaps by the security risk they represent.

3

Plan the uplift

Sequence the work, with owners, timeframes and measures.

4

Develop the documents

Put the policies, plans and procedures in place as evidence.

5

Report and sustain

Feed the annual report and keep improving maturity.

Entities that handle critical infrastructure should read their PSPF obligations alongside the Critical Infrastructure Risk Management Program requirements, since the two regimes overlap in practice and a single risk-management approach can serve both.

Considering a PSPF maturity assessment?

Agilient works with Commonwealth entities and their suppliers to assess current PSPF maturity, prioritise the gaps that matter most, and plan a practical uplift.
Book a PSPF gap or maturity assessmentor contact the Agilient team

What is new

What changed in recent PSPF releases?

The current release, PSPF Release 2026, took effect on 01/07/2026. It builds on PSPF Release 2025, which the Department of Home Affairs issued on 24/07/2025 as part of Tranche 2 of the Commonwealth Uplift Reforms and which made significant changes across personnel and information security, particularly regarding innovative technologies. The notable changes across these releases include the following.

  • A Zero Trust direction (Release 2025). Entities are expected to maintain a cyber security strategy and uplift plan aligned with the Information Security Manual and the principles for embedding a Zero Trust culture, covered in the cyber security pillar.
  • A technology asset stocktake (Release 2025). Entities must create and maintain a Technology Asset Stocktake and a Technology Security Risk Management Plan covering their internet-facing systems and services.
  • New content on artificial intelligence. Release 2025 introduced whole-of-government advice on the use of OFFICIAL information with generative artificial intelligence, and Release 2026 adds advice on cyber security readiness in the frontier AI era together with requirements governing access to generative AI products.
  • Post-quantum cryptography (Release 2026). Approved post-quantum cryptographic algorithms are expected for newly procured cryptographic equipment and software.
  • New security standards (Release 2025). The release authorises two new Australian Government security standards: Gateway Security and Systems of Government Significance.
  • Expanded foreign ownership, control or influence (FOCI) reporting (Release 2025). In the governance domain, entities are expected to identify and manage FOCI risk during procurement, report it to the Department of Home Affairs, and include it in annual reporting.
  • Online disclosure of security clearance information (Release 2026). Building on PSPF Direction 003-2025 and Policy Advisory 002-2025, Release 2026 makes this a mandatory requirement (requirement 220, with a strengthened requirement 50), effective 01/07/2026. It prohibits entities and clearance holders from publicly disclosing that a person holds a security clearance, or its level. In practice, affected organisations must ensure that public-facing material, such as websites, staff biographies and tender collateral, does not state that the organisation or its people hold security clearances.

The direction of travel is clear. Each annual release tightens the framework around the contemporary threat environment, and the 2025 changes place particular weight on visibility of technology assets, the security of new technologies, and a Zero Trust posture.

How we help

How Agilient supports PSPF compliance

Agilient helps government entities, and the contractors and suppliers who work with them, understand and meet their PSPF obligations. The support is practical and independent, and is grounded in the same six-domain structure the framework uses.

 

Gap and maturity assessments

Rate your capability across the six domains against PSPF Release 2026. An independent security audit can then verify those controls against the framework.

 

Uplift roadmaps

A sequenced plan that tackles the gaps on a risk basis.

 

Policy and procedure development

The documents the framework expects are intended to evidence the capability.

 

Governance and risk advisory

Support for the Accountable Authority and Chief Security Officer functions.

 

Annual reporting support

Help prepare and lodge your annual PSPF report.

 

Interim or virtual security adviser

Experienced support without a permanent appointment.

As an independent and vendor-neutral consultancy, Agilient advises on what an entity needs rather than on products it sells, and works across Sydney, Melbourne, Brisbane, Adelaide and Canberra.

Talk to Agilient about your PSPF obligations

Whether you are a Commonwealth entity uplifting your maturity or a supplier meeting PSPF requirements under contract, Agilient can help you find the most practical place to start.

Book a PSPF gap or maturity assessmentor book a short briefing

FAQs

Frequently asked questions

What is the PSPF?
The Protective Security Policy Framework is the Australian Government’s core protective security policy. It sets out what government entities must do to protect their people, information and resources across six security domains, and runs on an annual release model under which entities self-assess and report on the maturity of their security capability each financial year.
What are the six PSPF security domains?
PSPF Release 2026 organises protective security policy into six domains: governance, risk, information, technology, personnel and physical. This replaced the older four-outcome model, separating risk and technology into their own domains.
What is the current version of the PSPF?
The current version is PSPF Release 2026, issued by the Department of Home Affairs on 24/07/2025 as part of Tranche 2 of the Commonwealth Uplift Reforms. PSPF Release 2024 had replaced the previous sixteen separate PSPF policies.
Who has to comply with the PSPF?
The PSPF applies directly to non-corporate Commonwealth entities. It also reaches service providers, contractors and suppliers that handle Commonwealth information or work in government environments, who are commonly required to meet relevant PSPF requirements through their contracts and agreements.
How is PSPF compliance measured?
The PSPF uses a maturity model rather than a pass-or-fail audit. Entities assess the maturity of their security capability across the six domains on a four-level scale from Ad hoc to Embedded, and report that maturity, along with the effectiveness of their implementation, each financial year.
What changed in recent PSPF releases?
Release 2026 introduced a Zero Trust direction, a technology asset stocktake of internet-facing systems, new advice on the use of OFFICIAL information with generative AI, expectations around post-quantum cryptography, expanded foreign ownership, control or influence reporting, and authority for two new security standards covering Gateway Security and Systems of Government Significance.
What happened to the old PSPF policy numbers?
The PSPF was previously published as 16 separate numbered policies. PSPF Release 2024 consolidated them into a single release organised around the six security domains, and the numbered policies are no longer maintained as standalone documents. Requirements that once sat in a numbered policy now sit within the relevant domain. The current version is PSPF Release 2026.
Australian city at dusk, representing organisations managing protective security obligations.

References

  1. Department of Home Affairs, About PSPF, protectivesecurity.gov.au
  2. Department of Home Affairs, PSPF Release 2026 and Tranche 2 of the Commonwealth Uplift Policy is live, protectivesecurity.gov.au
  3. Department of Home Affairs, PSPF Annual Release 2026, protectivesecurity.gov.au
  4. Department of Home Affairs, PSPF Policy Advisory 001-2025 — OFFICIAL Information Use with Generative Artificial Intelligence, protectivesecurity.gov.au
  5. Department of Home Affairs, PSPF Release 2026 — Summary of Changes, protectivesecurity.gov.au