Australia - Security Maturity: A New Protective Security Policy Framework.


18 October, 2018


16 Core Requirements for government entities


What you need to know


  • A new version of the Australian Government Protective Security Policy Framework (PSPF) has been released
  • The new PSPF sets out 16 Core Requirements that support four key security "outcomes": governance, information security, personnel security and physical security
  • Non-corporate Commonwealth entities must comply with the Core Requirements
  • Corporate Commonwealth entities are encouraged to comply with the Core Requirements as a "best practice" initiative
  • The PSPF sets out "Supporting Requirements" and guidance that promote a standardised approach to security risk management across government


What you need to do


  • Read the new PSPF and consider your obligations under the Core Requirements
  • Read the Supporting Requirements and guidance for assistance in implementing the Core Requirements 
  • Review your policies, procedures and templates and consider whether any changes are necessary to implement the Core Requirements 
  • Seek advice on how best to implement the Core Requirements in your agreements with service providers


The Framework


Reforms to the Australian Government Protective Security Policy Framework (PSPF) went live this week, signalling a shift from a compliance model to a principles-based approach. The new PSPF contains 16 "Core Requirements" that have been designed to support protective security through governance, information security, personnel security and physical security. 


The PSPF is the principal policy document for Australian Government protective security and is considered critical to maintaining the security necessary for effective government operations and outcomes. Compliance with the PSPF is mandatory for non-corporate Commonwealth entities ("relevant entities") and recommended as "best practice" for corporate Commonwealth entities. The PSPF may also be extended to non-government organisations under contracts with government entities for the provision of goods or services. 




The 2015 Independent Review of Whole-of-Government Internal Regulation (Review) identified the PSPF as an opportunity for reform and red tape reduction. The Review considered whether the policy struck the right balance between risk management and administrative burden. 


Prior to the reforms, the PSPF took a compliance approach, framed by risk management principles. The Review identified that the compliance approach created a challenging administrative environment while failing to help relevant entities engage effectively with risk. The Review recommended that the PSPF shift towards a "principles based approach".




The new PSPF consists of four "outcomes" that support protective security across government. The Core Requirements articulate what relevant entities must do to achieve the protective security outcomes. The Core Requirements are supplemented by "Supporting Requirements" and guidance, which are intended to support a standardised approach to security risk management across government. 




The seven Core Requirements relating to security governance focus on the structural and cultural factors that support protective security. 


Under the Public Governance, Performance and Accountability Act 2013, the "accountable authority" of a non-corporate Commonwealth entity must govern their entity in a way that is not inconsistent with the policies of the Australian Government, which include the requirements of the PSPF.


The PSPF sets out the role and responsibilities of accountable authorities in respect of the security of their entities. This includes appointing a Chief Security Officer to bear responsibility for security across the entity. Relevant entities must also comply with Core Requirements in relation to security planning, security maturity monitoring and reporting. 


Core Requirement 6 states that "Each entity is accountable for the security risks arising from procuring goods and services, and must ensure contracted providers comply with relevant PSPF requirements." This aligns with and supports paragraphs 8.2 and 8.3 of the Commonwealth Procurement Rules, which compel relevant entities to identify and manage procurement security risk in accordance with the PSPF.


Information Security


The four Core Requirements relating to information security aim to maintain the confidentiality, integrity and availability of information assets owned by the Australian Government, or entrusted to the Australian Government by third parties, within Australia.


The Core Requirements compel relevant entities to assess the sensitivity and security classification of their information assets and implement appropriate controls relevant to the value, importance and sensitivity of that information. The controls may include security clearance requirements for accessing parties and system controls. Relevant entities are required to mitigate common and emerging cyber threats by implementing the "Strategies to Mitigate Cyber Security Incidents" set out in the Information Security Manual.


Core Requirement 11 provides that entities must have in place security measures during all stages of ICT systems development. This includes certifying and accrediting ICT systems in accordance with the Information Security Manual when implemented into the operational environment.


Personnel Security


The three Core Requirements relating to personnel security require relevant entities to ensure that their employees and contractors meet an appropriate standard of integrity and honesty. The Core Requirements relate to eligibility and suitability of personnel from the commencement of an engagement, throughout the engagement and upon separation. 


Physical Security


The two Core Requirements relating to physical security aim to ensure a safe and secure physical environment for people, information and assets. The Core Requirements put the onus on entities to control the risk of harm by designing, modifying, monitoring and accrediting facilities and security zones. 


Relevant entities are encouraged to implement the requirements and security measures in the PSPF in a way that is proportionate and relevant to their unique security risk environments.


For further information, please contact:


Angela Summersby, Partner, Ashurst