The Complete Guide to the Protective Security Policy Framework (PSPF): A Practitioner’s Manual

Learn how the Protective Security Policy Framework (PSPF) underpins Defence security governance, DISP compliance, personnel security and workforce readiness for Australian defence organisations.


For the Australian defence industry, security is not one framework, one form or one person’s job. It is a connected operating system comprising policy, Defence controls, industry assurance, personnel vetting, and day-to-day security leadership. Understanding how the PSPF, DSPF, DISP, AGSVA, clearance holders, the Chief Security Officer and the Security Officer fit together is essential for tender readiness, contract eligibility and cleared workforce capability.

The Protective Security Policy Framework, or PSPF, is the Australian Government’s whole-of-government protective security framework. It sets the baseline for how Commonwealth entities protect people, information and resources. Defence operationalises that baseline through the Defence Security Principles Framework, or DSPF, which tailors security governance to Defence’s operating environment. The Defence Industry Security Program, or DISP, extends those expectations into industry. DISP is underpinned by DSPF Principle 16, Control 16.1, and provides Defence with assurance that industry partners can protect Defence people, information, and assets.

AGSVA, the Australian Government Security Vetting Agency, sits within the personnel security part of this ecosystem. AGSVA assesses security clearance applicants and helps determine whether individuals are eligible and suitable to access classified government resources. For DISP members, clearances are not merely administrative credentials; they are part of the organisation’s security capability. Clearance holders have ongoing obligations to protect classified information, report relevant changes in circumstances, maintain appropriate behaviour and cooperate with clearance assurance activities.

The Chief Security Officer, or CSO, is the senior executive accountable for the DISP entity’s security arrangements and security culture. A DISP member can only have one CSO, and that person must have the authority to implement policy, direct resources, and provide executive oversight. The Security Officer, or SO, is responsible for developing and applying the entity’s security policies and plans, and for managing the day-to-day protective security activities on behalf of the CSO. In smaller entities, the CSO and SO may be the same person; in larger entities, the SO function may be distributed across multiple people.

This is where many defence suppliers get caught. DISP maturity is not achieved by holding a membership certificate or nominating a CSO and SO. It depends on whether the organisation can evidence live security governance, accurate records, trained personnel, active clearance sponsorship, incident reporting, overseas travel management, change-in-circumstance reporting and ongoing suitability oversight. Weakness in any of these areas can affect assurance outcomes, audit readiness, contract delivery and workforce mobilisation.

WorkSec helps Australian defence organisations translate PSPF, DSPF, DISP and AGSVA obligations into practical operating frameworks and discipline. Our specialist focus is the DISP Personnel Security and Governance pillars: the people, roles, records, clearance pathways, security leadership and assurance behaviours that make DISP maturity real. For the other security domains, we work with trusted specialist partners to deliver integrated support across the full Defence security environment without losing the WorkSec focus on cleared workforce capability and governance maturity.

What Is the PSPF?

The PSPF is the Commonwealth Government’s policy framework for protecting government people, information, and assets. Originally introduced in 2010 and substantially restructured in 2024 and updated again more recently, it sets out the policies and core requirements that all non-corporate Commonwealth entities must implement, and that corporate Commonwealth entities are required to apply as a minimum standard.

For private-sector organisations, the PSPF is the document the Defence Industry Security Program (DISP) maps to, via the DSPF, Defence’s implementation of the PSPF. DISP membership is the credential that says, in effect, this Australian company has applied PSPF-equivalent controls to its security management, and the Department of Defence has assessed and accepted that claim. That is why the PSPF matters to a defence-industry SME even though the SME is not, itself, a Commonwealth entity.

Three things to understand about the framework before getting into its structure.

It is risk-based, not checklist-based. The PSPF expects organisations to identify the security risks specific to their context, apply controls proportionate to those risks, and document the rationale. This is a deliberate design choice. Two organisations of similar size in different sectors will have different threat profiles and different appropriate controls. A formal information-security policy that perfectly matches another organisation’s policy is, in PSPF terms, a sign that no real risk assessment has been conducted.

It applies to people, information, and assets. The framework’s scope is broader than just data security. Personnel security (vetting, suitability, change-of-circumstance reporting) sits alongside information security (handling, classification, IT controls) and physical security (facility access, secure-zone management, document destruction). An organisation that has done excellent work on cyber but has nothing in place for personnel offboarding is not PSPF-compliant; it is PSPF-asymmetric.

It is enforced through reporting and audit, not direct supervision. The Department of Home Affairs collects annual PSPF maturity reports from Commonwealth entities. For private-sector DISP members, the DISP team assesses maturity through Annual Security Reports, OSA and DDA. The framework is not enforced by an inspector turning up unannounced; it is enforced through the trail of decisions and documents your security function leaves behind.

PSPF Structure: The Four Core Requirements

The 2024 update reorganised the PSPF into four core requirement domains. Each domain carries policies, requirements, and supporting guidance. The structure below reflects the framework as it stands at the time of writing, and operators should always check the Protective Security Policy Framework site for the current published versions before making compliance decisions.

Domain 1: Security Governance

Security governance is the requirement that the organisation manages security as a discipline, not as an afterthought. The core elements are accountability (who owns security at the executive level), risk management (how security risks are identified and treated), security planning (the policies, procedures, and documents that translate accountability into action), and reporting (what security information flows up to leadership and out to the regulator).

For a Defence industry SME, the governance domain is usually the first place a DISP audit looks. The questions an assessor asks are practical. Who is your Chief Security Officer or accountable security executive? When was your security risk assessment last refreshed? Where is your incident-reporting procedure documented? What evidence shows that security risks are being treated in proportion to their likelihood and impact?

A common example: the Managing Director knows the security posture, but it lives in their head rather than in a documented procedure. Fixing this is straightforward: write the things down, version-control them, review them annually, and treat the documents as living instruments rather than one-off compliance artefacts.

The discipline test for governance documents is a simple assessment principle: would this document hold up if it ended up in a DISP deep-dive audit? If the answer is no, the document is not doing its job. The bar is not perfection. The bar is that the document represents how the organisation actually operates, not how it would like to operate in theory.

Domain 2: Information Security

Information security covers how the organisation handles classified and security-sensitive information. The PSPF defines information security marking ranges (OFFICIAL, OFFICIAL: Sensitive, PROTECTED, SECRET, TOP SECRET), and the controls that apply to handling, storage, transmission, and destruction at each level.

For defence-industry SMEs, information security usually breaks into three workstreams. ICT security covers the systems that store and process the information (networks, endpoints, cloud services, mobile devices). The Australian Cyber Security Centre’s Essential Eight maturity model provides the practical control set, with maturity level 2 being the minimum baseline for DISP members. Document handling covers how physical and electronic documents move within the organisation and across organisational boundaries. Information labelling covers how classification markings are applied, both visually on documents and in metadata on electronic systems.

In information security, the most common SME failure pattern is the cloud storage shortcut: a free or low-tier cloud service used to share documents that should never have left an accredited environment. Fixing this starts before the contract does. Identify which information classes you will be handling, which systems are accredited to handle them, and which workflows route information through unaccredited channels. That last bucket is where compliance breaks.

A practical aside on security awareness: many DISP-member organisations supplement their formal policies with simple reminder artefacts that operate at the level of the cleared workforce’s daily attention. WorkSec provides a suite of practical security education assets, including branded awareness posters, to help organisations reinforce secure behaviours across their workforce and clients and keep security front and centre of everyday business activities. The artefacts are not the security control. The discipline they reinforce is.

Domain 3: Personnel Security

Personnel security is where the PSPF and a cleared workforce meet. The domain covers the suitability assessment that produces a security clearance (Baseline, NV1, NV2, PV/TS-PA), the change-of-circumstance and overseas travel reporting obligations every cleared individual carries, the manager’s responsibilities to monitor and report security concerns, and the offboarding obligations that apply when a cleared individual leaves.

Workforce screening under personnel security operates in accordance with the published AS 4811:2022 workforce-screening standard and the AGSVA vetting regime. AS 4811:2022 sets out the minimum criteria for pre-employment screening checks: identity, right to work, qualification verification, employment history, criminal record checking, and adverse information. For DISP-accredited employers, AS 4811:2022 is the standard that frames the screening work conducted before AGSVA sponsorship is initiated and the ongoing personnel-suitability picture across the cleared workforce.

For a defence-industry SME, personnel security is where DISP audits most often produce findings. Five questions an assessor will commonly ask:

1. How many cleared personnel do you currently sponsor or hold clearances for? Is the number consistent with AGSVA’s records?
2. Are your Annual Security Awareness training records 100% complete?
3. What is your offboarding procedure for a cleared individual leaving the organisation? Show us the most recent example.
4. How do you assess the ongoing suitability of cleared personnel between revalidations?
5. What is your insider-threat program, and what evidence shows it is operational?

For personnel security, the most common failure pattern is reactive rather than proactive practice. An organisation knows its cleared personnel need to report a change of circumstances when one occurs, but has no proactive process to detect unreported changes. Fixing this is regular outreach where each cleared individual confirms (in writing, to the Security Officer) that no reportable changes have occurred since the last review. This produces both a real monitoring function and the paper trail an assessor needs to see.

If you are unfamiliar with how clearances are granted and maintained under the framework, the AGSVA security vetting overview explains the vetting agency’s role, and the NV1 sponsorship guide walks through the most common clearance pathway.

Domain 4: Physical Security

Physical security covers facilities, secure zones, and the protection of people and information through physical means. The framework defines zone types from Zone 1 (uncleared public access areas) through Zone 5 (zones suitable for the discussion and storage of TOP SECRET material). Each zone type carries specific construction, access-control, and audit-trail requirements.

The cleared workforce reach in this domain is wider than most SMEs initially expect. The default mental picture is that classified work happens in a small subset of roles, and the rest of the facility is essentially open. The zoning regime does not work that way. Anyone working inside a zoned facility may need a clearance, regardless of role. The cafe staff serving coffee inside a Commonwealth facility, the cleaners servicing the office overnight, the carpenters fitting out meeting rooms, the electricians wiring secure spaces, the air-conditioning contractors maintaining the systems: when the work happens inside a zoned facility, the cleared-workforce requirement reaches into those roles. The principle is not that the person needs access to classified information specifically. The principle is that the person is in proximity to people discussing it and to environments where classification markings appear on walls, screens, and documents.

The older model of escorting uncleared trades through a cleared facility one at a time is fading, for practical reasons. A cleared employee escorting a tradesperson around a facility is being prevented from performing their duties. As Defence-industry SMEs in regional hubs (the Granite Belt, Hunter Valley, Tasmania, Far North Queensland) scale, the operating reality has shifted toward cleared trades, cleared facilities staff, and cleared services contractors. The workforce-screening picture under AS 4811:2022, paired with appropriate clearance levels, is what makes this scaled cleared-workforce model actually work.

For most defence-industry SMEs, physical security work concentrates on three areas. Facility classification: which areas of the office or workshop are unclassified, which are classified to a specific zone, and where are the boundaries marked? Access control: who can enter which zones, under what authentication, and what records are kept of access? Mobile and remote work: how do you manage cleared work that occurs outside the accredited facility, particularly for hybrid-working employees and on-site contractor work?

The most common SME failure pattern is the informal Zone 2: a meeting room used to discuss classified material on an ad hoc basis, without the construction or audit-trail requirements that a Zone 2 facility actually needs. The fix is honest scoping: either accredit the room to the level the discussions require, or move the discussions to a properly accredited facility.

PSPF vs DSPF: Key Differences

The relationship between the PSPF and the Defence Security Principles Framework (DSPF) is among the most consistently misunderstood aspects of the framework landscape. The simplest way to hold it: PSPF is the Commonwealth-wide policy; DSPF is the Defence-specific implementation of that policy with additional Defence-specific requirements layered on top.

Aspect | PSPF | DSPF
Scope | Commonwealth-wide policy framework | Department of Defence specific
Owner | Department of Home Affairs | Department of Defence
Application | All non-corporate Commonwealth entities | Defence personnel and Defence industry contractors
Industry programme | DISP maps to PSPF | DISP is administered under DSPF
Information environment | Whole-of-government classified handling | Defence-information specific requirements
Vetting authority | AGSVA (under PSPF personnel-security control), and now ASIO for TS-PA (replacing AGSVA PV) | Same; AGSVA serves Defence and the Commonwealth, and now ASIO for TS-PA (replacing AGSVA PV)

For a defence-industry SME, the practical implication is straightforward. The PSPF is the framework you must demonstrate equivalent controls against (to gain DISP membership). The DSPF is the additional Defence-specific layer that your cleared people and your information handling must respect when working on Defence projects. You cannot achieve DSPF compliance without first being PSPF-aligned; the DSPF assumes the PSPF is in place underneath.

A useful working metaphor: PSPF is the foundation slab; DSPF is the additional structural reinforcement Defence requires for the building it lets you put on that slab. The picture is also still moving. The DSPF has been in active transition since 2023, with parts of it being progressively realigned to sit more cleanly under PSPF cover; operators with active DSPF-tied controls should expect the framework documentation to keep evolving and should check the Defence-published current version annually, as it is updated every year, rather than assuming the 2024 picture is static.

PSPF Requirements for Defence Industry Organisations

DISP, the Defence Industry Security Program, is the Commonwealth’s mechanism for translating PSPF requirements into industry-applicable controls. DISP membership is offered at four levels. The levels are assessed across the four domains (Governance, Personnel, Physical and Cyber/Information). A DISP member can be at different levels for each (though Governance must match the highest level).

The relationship between PSPF and DISP works like this. To achieve and hold DISP membership, an organisation must implement security controls equivalent to the relevant parts of the PSPF, scoped to the organisation’s size and the type of Defence work it does. The Department of Defence’s DISP team assesses equivalence at application and during periodic audits. Equivalence does not require identical wording or procedures, but it does require that the organisation can demonstrate that the four PSPF domains are addressed at the maturity level required by the DISP level.

For a typical defence-industry SME pursuing DISP Entry or Level 1, the practical work usually concentrates in six core areas.

A formal security risk assessment. A documented, organisation-specific security risk assessment that identifies the threats, vulnerabilities, and controls relevant to the business and its operating environment. This is the foundation document that the rest of the security management system hangs from. It should be reviewed at least annually, reflect current operations, and be formally endorsed by the accountable executive. Assessors will expect to see a clear linkage between identified risks and the controls implemented across policy, systems, and day-to-day security practices.

A security policy and procedure framework. A tailored set of security policies and procedures covering the four PSPF domains. The key point is not the existence of documents, but their alignment to how the organisation actually operates. Templates are a valid starting point, but they must be adapted to reflect real workflows, systems, and responsibilities. Assessors will commonly test this by comparing policy statements to observed practice, so consistency between documented intent and operational reality is critical.

A security governance register (SGR). A centralised security governance register that consolidates the core evidence artefacts required to support DISP membership. Rather than maintaining separate disconnected records, the SGR provides a structured view of security governance across the business. This typically includes DSAP or required security-assessed positions, security incidents, personnel travel and contact reporting, training records, inspections, and governance oversight activities. The register does not need to be complex, but it does need to be current, complete, and demonstrably used in ongoing security management.

Personnel security governance. A structured approach to managing personnel security obligations across the workforce. This includes identifying roles that require access to classified information through a DSAP or equivalent mechanism, ensuring appropriate screening and clearance arrangements are in place, and maintaining oversight of clearance-holder obligations. Organisations are expected to actively support personnel in meeting their responsibilities, including reporting changes in personal circumstances and complying with briefing and training requirements. The emphasis is on ongoing governance, not just point-in-time compliance.

Security operations and incident reporting. Defined, communicated, and exercised processes for managing security events and personnel security obligations in practice. This includes security incident reporting, travel reporting and briefings, contact reporting, and insider-risk awareness. Processes should be known to cleared staff and supported by clear guidance and escalation pathways. Evidence of use is important: assessors will look for records demonstrating that incidents are captured, actions are tracked, and learnings are fed back into the security function.

Cyber security uplift and control environment. Evidence that the organisation’s ICT environment meets an appropriate cyber security standard for the level of DISP membership being sought. This typically involves alignment to a recognised framework such as the Essential Eight, ISO 27001, or an equivalent standard. Where gaps exist, a documented uplift plan should be in place, with controls implemented and demonstrable. The focus is not on perfection, but on having a clear, risk-informed approach to managing cybersecurity within the context of the organisation’s broader security obligations.

The DISP application process scopes these in proportion to the membership level sought. An SME pursuing Entry-level membership does not need the same level of security controls as a DISP Member at a higher level. The judgement on what is proportional is usually best made with a DISP-accredited specialist sponsor or consultant who has been through the audit process recently, noting that levels are commensurate with the classification of information accessed or held.

The most common SME failure pattern in DISP audits is the binder of templates: a folder full of generic policies that have never been read by the people they apply to. Auditors notice. The fix is to write less but write it more specifically. A three-page security policy that genuinely describes how your organisation operates is worth far more than a thirty-page template that does not.

How WorkSec Helps with PSPF Compliance

WorkSec is an Australian provider of personnel security governance services and a DISP member at Level 3 for the Governance and Personnel domains. We work with defence-industry SMEs, contractors, and individual specialists who need to align their security management with the PSPF, achieve or maintain DISP membership, and sponsor cleared personnel under the framework.

The following services are where the PSPF intersects directly with the work we do.

Personnel security governance and advisory. We work with DISP members to establish and maintain fit-for-purpose personnel security governance, including clearance-holder oversight, workforce suitability management, and alignment with PSPF personnel-security obligations.

Personnel security and clearance sponsorship. For organisations that need cleared staff before holding DISP membership, or for individual contractors who need clearance to compete for cleared work, we sponsor the clearance under our DISP accreditation. The clearance is held under our sponsorship; the candidate works on the contracts that require it. This is the Sponsorship-as-a-Service model, a practical bridge that enables cleared work within SMEs that do not yet hold DISP themselves. See security clearance sponsorship for the structure of the engagement.

Ongoing security management support. Through-life personnel security governance. PSPF compliance is not a one-off project. We support DISP members across the full lifecycle of cleared personnel, including security awareness training and briefings (including overseas travel), clearance maintenance, change-of-circumstance management, security incident reporting, and assistance with clearance-holder obligations to maintain a compliant and well-governed workforce. The model is a fractional security function: the organisation gets the operational benefit of a security officer without carrying the full headcount cost.

Cleared workforce enablement. We enable organisations to access and operate a cleared workforce through structured sponsorship, onboarding support, and ongoing personnel security governance aligned to DISP requirements.

PSPF Frequently Asked Questions

Does my business need to be PSPF compliant to work with the government?

If you are a private-sector organisation, you are not directly subject to the PSPF in the way a Commonwealth entity is. However, if you are supplying Defence or another Commonwealth agency with services that involve handling classified or security-sensitive information, you will be required to demonstrate equivalent controls. For Defence work, this normally means DISP membership at a level appropriate to the work. For non-Defence Commonwealth work, the agency will set the security requirements through the contract.

How often does the PSPF require us to report on security maturity?

The annual PSPF maturity reporting cycle applies to Commonwealth entities. For DISP members, the reporting and audit obligations are set by the DISP team and are tied to membership level. DISP members should expect periodic audits and reviews proportionate to their level, plus ongoing reporting of significant security incidents.

What is the difference between an unclassified and a protected network under the PSPF?

OFFICIAL: Sensitive information can be handled on standard business-grade IT environments with appropriate cyber hygiene (Essential Eight Maturity Level 2 is the minimum standard). PROTECTED information requires an environment accredited to handle PROTECTED-classified material, including specific controls on access, audit trails, and physical security. The practical effect is that PROTECTED-tier work usually cannot occur on standard commercial cloud services without IRAP certification and a formally accredited overlay.

How does AS 4811:2022 fit alongside the PSPF and AGSVA?

AS 4811:2022 is the Australian Standard for workforce screening. It sets the pre-employment and ongoing screening criteria that operate alongside AGSVA clearance sponsorship. The PSPF personnel-security domain requires that cleared organisations apply appropriate workforce screening; AS 4811:2022 is the standard most assessors expect to see implemented. AGSVA performs the clearance vetting; AS 4811:2022 covers the rest of the workforce-suitability picture.

Can we hold a security clearance without DISP membership?

For an individual to hold a clearance, a sponsor with the appropriate authority is required. That sponsor must be either a Commonwealth agency or an organisation holding DISP membership at the level that authorises the sponsorship. An individual contractor or sole trader can hold a clearance under the sponsorship of a DISP-member specialist provider such as WorkSec without their own organisation holding DISP. For a small business intending to win cleared contracts in its own name, however, DISP membership is the practical path forward.

Ready to scope your PSPF alignment, DISP readiness, or personnel security needs? Reach WorkSec through the security clearance sponsorship and DISP membership pages. We respond to scoping enquiries within one business day.
