Understanding the PSPF Evolution: Key Policy Shifts Under the Department of Home Affairs
The Australian Government’s Protective Security Policy Framework (PSPF) has recently undergone significant updates after being moved from the Attorney-General's Department to the Department of Home Affairs in August 2023. These changes reflect a shift to a more integrated approach to security policy, modernised to meet today’s complex security demands.
Background: Transition of PSPF Responsibilities
The August 2023 Administrative Arrangements Order officially reassigned responsibility for the PSPF to the Department of Home Affairs, narrowing the Attorney-General's Department’s focus to identity and biometrics. This shift reflects the government’s intention to streamline security policy oversight, especially around high-risk facilities like Commonwealth and diplomatic sites.
Structural Shift: From Four Domains and 16 Policies to Six Core Domains
One of the most notable changes in the 2024 PSPF update is the transition from a structure based on four domains and 16 separate policies to a more integrated framework organised around six core security domains:
- Governance: Previously a single domain, Governance now expands to encompass a holistic approach to security management, covering roles and responsibilities, security planning, training, and compliance reporting.
- Risk Management: While risk was part of the governance framework, this new domain enhances the focus on continuous risk assessment, encompassing third-party risk management and emerging threats.
- Information Security: Formerly a standalone domain, Information Security now consolidates policies on information classification, handling, storage, and disposal. The updated framework strengthens cybersecurity protections, particularly around sensitive and classified information, with requirements for consistent handling and marking practices across government entities.
- Technology Security: This new domain highlights cybersecurity policies that align closely with the Australian Signals Directorate’s Information Security Manual (ISM). Technology Security integrates many of the PSPF’s existing information security policies with a heightened emphasis on cyber resilience and protection from advanced threats.
- Personnel Security: Personnel Security remains a distinct domain but has been expanded to cover more rigorous pre-employment checks, clearance levels, and security vetting for personnel with access to classified or sensitive information. By extending personnel policies, the framework ensures the suitability and integrity of those handling government information.
- Physical Security: The Physical Security domain has been streamlined to focus on safeguarding people, assets, and government sites with updated guidelines for security zones, secure rooms, and access controls.
This consolidation from 16 policies under four domains to six core domains provides entities with a more cohesive framework, reducing overlap and making it easier to apply security principles consistently.
Strategic Highlights of the 2024 PSPF Release
- Annual Review and Entity Collaboration: The PSPF now mandates annual reviews to adapt policies to evolving threats. Each release involves collaboration with government entities via the Government Security Committee, fostering a responsive feedback loop. For example, last year’s review led to additional requirements around cloud security and remote data management to address risks associated with remote and hybrid work.
- Expanded Accountability & Oversight Mechanisms: New roles are outlined for Accountable Authorities, Chief Security Officers (CSOs), and Chief Information Security Officers (CISOs). Accountable Authorities must now report on compliance with the PSPF, reinforcing consistent standards across entities. CSOs and CISOs are tasked with cohesive integration of physical and cyber security. For instance, CSOs oversee access policies for physical spaces, while CISOs handle digital access, aligning physical and cyber safeguards to minimise overlapping vulnerabilities.
- Enhanced Risk Management and Cyber Security Emphasis: The Risk Management domain formalises continuous threat monitoring and proactive incident response protocols.
  - Cybersecurity Alignment with the Essential Eight: Government entities are required to implement strategies like multi-factor authentication and application whitelisting, particularly within departments managing sensitive information.
- Focus on Positive Security Culture and Specialised Training: Emphasis on a proactive security culture has increased, with compulsory annual security training tailored to the specific risks each entity faces.
  - Scenario-Based Training: High-security departments now train employees on real-life scenarios, such as identifying phishing attempts and managing suspicious files, to prepare staff for day-to-day security challenges.
  - Specialised Roles Training: Personnel in high-security roles receive targeted training, ensuring their understanding of the framework’s most stringent requirements.
- Enhanced Third-Party and Contingency Planning Protocols: New protocols extend to third-party risk management and contingency planning for emergencies.
  - Third-Party Compliance Audits: Entities must ensure that vendors managing sensitive government data meet PSPF requirements, with regular audits to monitor third-party compliance.
  - Comprehensive Contingency Plans: For cases of natural disasters or cyber incidents, entities must now maintain detailed contingency plans to ensure uninterrupted service delivery.
The updated PSPF represents a major evolution in Australia’s approach to protective security, moving from a segmented framework of four domains and 16 policies to a streamlined six-domain structure. Under the Department of Home Affairs, the PSPF’s new structure strengthens resilience, enhances adaptability, and ensures that government entities are equipped to respond to today’s complex security landscape. This integrated approach reflects a commitment to cohesive and proactive security management, providing a unified standard that enhances the security posture across the entire government.