Applying the Protective Security Policy Framework
Entities that must follow the PSPF
The Directive on the Security of Government Business establishes the Protective Security Policy Framework (PSPF) as Australian Government policy.
This means that non-corporate Commonwealth entities that are subject to the Public Governance, Performance and Accountability Act 2013 (PGPA Act) must apply the PSPF (to the extent consistent with legislation).
The PSPF represents better practice for corporate Commonwealth entities and wholly-owned Commonwealth companies under the PGPA Act.
Non-government organisations that access security classified information may need to enter into a deed or agreement to apply relevant parts of the PSPF to that information.
State and territory government agencies that hold or access Australian Government security classified information apply the PSPF to that information, consistent with arrangements agreed between the Commonwealth, states and territories.
How entities apply the PSPF
Entities apply the PSPF using a security risk management approach. This allows them to apply the PSPF in a way that best suits their individual security goals and objectives, their specific risk and threat environment, as well as their risk tolerance and security capability.
Find out more
The Department of Home Affairs supports entities to implement the PSPF.
For more information or support, you can:
- visit our Resources page
- connect with the protective security community on GovTEAMS
- call the PSPF hotline on 02 5127 9999
- contact us.