Frontrow Technology

Cyber & compliance frameworks

Protective Security Policy Framework (PSPF) — Australian Government Security Guidance

The Protective Security Policy Framework (PSPF) is the Australian Government’s overarching security guidance for organisations handling sensitive information and assets, particularly those working with or on behalf of the Federal Government.

Last reviewed 23 May 2026

What the PSPF does

The PSPF establishes a baseline of security controls and requirements for Australian Government entities and their contractors. It defines four security domains – Governance, Information, Personnel, and Physical – each with associated policies and guidance. These policies dictate how organisations should manage risk, protect information, and ensure the security of their assets. Achieving PSPF compliance demonstrates a commitment to security best practice and is often a prerequisite for working with the Federal Government. The Australian Government Security Vetting Agency (AGSVA) manages security clearances required under the PSPF.

PSPF in Australian tenants today

For Australian mid-market organisations that regularly engage with the Federal Government, the PSPF acts as the primary security framework. The ACSC Essential Eight controls and the Information Security Manual (ISM) are frequently implemented as practical mechanisms to satisfy PSPF requirements. Organisations must understand how their existing security posture aligns with, and supports, the broader PSPF objectives. Failure to adhere to PSPF principles can result in contract breaches and potential penalties, a risk that is particularly relevant given the increased scrutiny under APRA CPS 234 and the Notifiable Data Breach scheme. Alignment with the Australian Voluntary AI Safety Standard is also increasingly important for those deploying AI solutions under the PSPF.
