Policy amendments – multiple policies
The following Protective Security Policy Framework (PSPF) policy amendments were approved by the Government Security Committee on 23 August 2023.
1. PSPF policy 2: Management structures and responsibilities
PSPF policy 2: Management structures and responsibilities has been amended to:
- require Chief Security Officers (CSOs) to hold a minimum Negative Vetting Level 1 security clearance, and
- mandate the appointment of a Chief Information Security Officer (CISO) to be responsible for cyber security leadership in the entity.
The requirement to appoint a CISO is not expected to impose additional burden on entities as the CSO is currently required to oversee cyber security.
The requirement for a CISO to have appropriate capability and experience and a minimum Negative Vetting Level 1 security clearance is framed in a manner which recognises that what is appropriate will vary proportionate to the size and nature of an entity’s cyber security arrangements. The CISO does not have to be appointed at the SES level – the role is best performed by an officer with the appropriate combination of experience, technical skills and other skills such as business acumen, leadership, communications and relationship building.
The policy updates also detail arrangements for entities that rely on another government entity for cyber security.
2. PSPF policy 5: Reporting on security
PSPF policy 5: Reporting on security has been amended to improve reporting of significant security incidents and introduce guidance to support decision-making.
A special edition CSO Newsletter on these changes will shortly be distributed to non-corporate Commonwealth entities.
3. PSPF policy 8: Classification system
PSPF policy 8 has been renamed PSPF policy 8: Classification system and amended to change the OFFICIAL: Sensitive Dissemination Limiting Marker (DLM) to a security classification.
The change will not:
- trigger changes to the Email Protective Marking System (EPMS), as OFFICIAL: Sensitive is already treated as a security classification within the EPMS
- change the security clearance requirements for access to OFFICIAL: Sensitive information, as employment screening for entity personnel remains sufficient
- change minimum protections and handling requirements for OFFICIAL: Sensitive detailed in Annexes A-C of PSPF policy 8, and
- require changes to the Australian Government Security Caveat Guidelines, as caveats that allow use with OFFICIAL: Sensitive are already indicated.
Annex F: Australian Government Email Protective Marking Standard of PSPF policy 8 has also been amended to reflect these changes.
4. PSPF policy 11: Robust ICT systems
PSPF policy 11: Robust ICT systems has been amended to give effect to the changes in PSPF policy 8 and rename ‘OFFICIAL systems’ to ‘OFFICIAL: Sensitive systems’.
This change will be reflected in the September 2023 release of the Australian Signals Directorate’s Information Security Manual.
5. PSPF policy 16: Entity facilities
PSPF policy 16: Entity facilities has been amended to:
- remove references to the now defunct Type 1 security alarm systems, and
- align Table 2 with PSPF policy 8, which prohibits the use of SECRET information or devices in Zone 2 spaces.
Entities were required to replace Type 1 security alarm systems with Type 1A security alarm systems in certified and accredited security zones by 1 August 2021.
Implementation timeframe
These changes will commence immediately and entities will be required to report against these new obligations in the 2023-24 PSPF reporting period.
PSPF on a page has been amended to reflect these changes.