The Protective Security Policy Framework (PSPF) July 2025 release brings updated requirements and strengthened compliance obligations for Australian Government departments and agencies. As the foundational policy for protecting classified information and supporting national security, the PSPF sets the standard for robust, proactive security practices across the Australian Government. Let’s look at what the latest release means for government organisations and the managed service providers (MSPs) that support them, and how you can streamline audit readiness with AI-powered, government-ready solutions from 6clicks. Dive in below:
Spanning key areas such as governance, personnel, and physical security, the PSPF defines policies and prescribes measures that Australian Government entities must apply to protect people, information, and assets. It was originally introduced in 2010, replacing the older Protective Security Manual (PSM), and re-launched in October 2018; the most recent update before the 2025 release was issued in December 2024.
Who does it apply to?
Australian Government departments and agencies, Australian Public Service (APS) employees, and third-party service providers and contractors handling government information or assets are all in scope of PSPF and must comply with its requirements.
What are the key components of PSPF?
The PSPF contains:
Principles – High-level objectives designed to guide the thinking, practices, and decision-making across government
Policies – Mandatory requirements that government entities must implement to meet minimum protective security standards
Domains – Critical areas of security around which principles and policies are organised
By complying with the PSPF, government organisations and their supply chain strengthen their security posture and take a consistent, whole-of-government approach to managing security risks.
One of the major updates in the 2025 PSPF release is the expansion of security domains, broadened from four to six core areas:
Governance: Defines protective security roles and responsibilities within government entities and ensures security governance through audits, security planning, incident management, and annual security reporting to Ministers, the Department of Home Affairs, and the Australian Signals Directorate (ASD).
Risk management: Establishes a security risk management process, manages risks arising from procurement and outsourcing, counters foreign interference and espionage, requires business continuity planning, and allows alternative mitigation controls for PSPF non-compliance under exceptional circumstances.
Information security: Covers minimum protections and handling requirements for OFFICIAL: Sensitive and security classified information, security caveated information, and accountable material, maintaining secure information asset registers, and information disposal and sharing policies.
Technology security: Focuses on securing the life cycle of information and operational technology systems, implementing cybersecurity strategies such as zero trust and the Essential Eight, and using Protective Domain Name System (PDNS) services and IRAP-assessed cloud providers.
Personnel security: Ensures the security eligibility of all personnel through pre-employment screening and security vetting, limits access to information and systems on a need-to-know basis, requires minimum personnel security checks aligned to clearance levels, and mandates ongoing suitability assessments.
Physical security: Requires a facility security plan based on site selection factors, security zone design, certification, and accreditation; access control mechanisms such as identity cards and security alarm systems; and SCEC-approved security equipment, containers, and rooms.
The latest PSPF release also introduces and strengthens requirements in several critical areas:
Reporting obligations – Government entities must disclose significant security incidents, incorporate lessons learned from incidents in reports, and assess foreign ownership, control, or influence (FOCI) risks during procurement.
Zero Trust Culture – A new section in the PSPF, it requires government entities to develop, implement, and maintain a cybersecurity strategy and uplift plan aligned with the Information Security Manual (ISM) and the Guiding Principles to Embed a Zero Trust Culture, including continuous education and training.
Cyber Security Partnership Program – The PSPF 2025 release has made it a requirement for government entities to engage in the ASD’s Cyber Security Partnership Program, which aims to enhance cyber resilience across Australia through the coordinated sharing of information, skills, and capabilities.
Systems of Government Significance – Referencing the Australian Government Systems of Government Significance (SoGS) Standard, the PSPF now includes mandatory cybersecurity obligations for protecting the nation’s most critical digital services and supporting systems.
These changes signal a significant shift in how the Australian Government approaches protective security, embedding stronger accountability, resilience, and cyber readiness.
Meeting the updated PSPF requirements can be complex, but 6clicks simplifies the process with advanced automation and AI capabilities so you can reduce manual effort, improve accuracy, and demonstrate compliance more efficiently. It consolidates risk, compliance, and audit activities into a single platform and allows government agencies and MSPs to manage regulated entities or clients within a federated environment, centralising control while enabling local operational autonomy.
6clicks itself is ISO/IEC 27001–certified and IRAP-assessed against the March 2025 ISM at the OFFICIAL: Sensitive level, providing the assurance government entities require (as with any IRAP assessment, the consuming entity’s authorising officer still makes the final authorisation decision for their own use of the platform). It also offers sovereign, secure hosting options, including public, dedicated, and private environments designed specifically for the Australian Government to meet strict data residency and security requirements.
Here’s how agencies and MSPs can prepare for PSPF 2025 using 6clicks:
With 6clicks, government organisations and MSPs can complete traditionally manual tasks such as compliance mapping and gap analysis within seconds. Use Hailey AI to automatically map existing controls against the new 2025 PSPF release to identify compliance gaps and current alignment. Hailey also supports cross-mapping with frameworks such as the ISM, the Essential Eight, and international standards like ISO/IEC 27001, providing a single view of compliance across multiple obligations. With official frameworks, pre-built control sets, and ready-to-use compliance content in the 6clicks Content Library, agencies and MSPs can fast-track setup and implementation.
Ensure end-to-end risk management with capabilities such as automated risk scoring, built-in task assignment, and control implementation and testing. Streamline third-party oversight with automated vendor security reviews and bulk workflows, and identify risks and issues directly from assessments using Hailey. This helps agencies and MSPs manage enterprise-wide risk, enhance supply chain security, and ensure consistent application of PSPF-aligned controls.
Leverage 6clicks’ custom registers to create PSPF-specific registers, including information asset registers, security incident registers, and personnel security registers. Implement detailed access permissions to ensure adequate protection of classified information and meet the record-keeping, accountability, and reporting requirements of the framework.
Use 6clicks’ built-in audit and assessment functionality to conduct question-based or requirement-based audits against the PSPF, ISM, and Essential Eight. With Hailey AI, agencies can generate draft audit responses automatically by drawing from prior assessments and uploaded documents, dramatically reducing the time needed to prepare and validate compliance; generated responses should still be reviewed by the accountable security adviser and linked to supporting evidence before submission. This not only accelerates audit readiness but also supports technology system authorisations, providing evidence that controls for IT and OT systems are implemented and operating effectively in line with requirements.
With an all-in-one GRC platform like 6clicks, agencies and MSPs can maintain a single source of truth and easily generate audit reports, control documentation, and compliance evidence. Using the 6clicks Trust Portal, they can securely share selected compliance artefacts with oversight bodies and stakeholders, building confidence in their PSPF compliance posture or that of their clients.
The PSPF 2025 release represents a major step forward in government security, expanding domains, fostering a zero-trust culture, and strengthening requirements for reporting, collaboration, and the protection of critical systems. For agencies and MSPs, this means a higher bar for assurance, consistency, and resilience.
By leveraging AI-powered automation and a sovereign, government-ready platform like 6clicks, organisations can:
Identify and close compliance gaps faster with automated mapping across PSPF, ISM, and Essential Eight
Strengthen enterprise and third-party risk management with automated workflows and Hailey AI insights
Maintain PSPF-aligned registers for assets, incidents, and personnel with proper access controls
Accelerate audits and technology system authorisations with automated evidence and AI-generated responses
Centralise evidence and build trust with oversight bodies and stakeholders through the 6clicks Trust Portal
The bottom line: PSPF 2025 requires smarter, faster, and more defensible compliance. 6clicks provides the automation, security tooling, and sovereign hosting needed to meet these expectations while reducing manual effort and complexity.