Challenges of Protective Security Policy Framework Compliance

The Protective Security Policy Framework (PSPF) sets the standard for how government entities protect their people, information, and resources. The Australian Attorney-General’s Department (AGD) maintains and amends the framework, while Accountable Authorities and the Department of Home Affairs oversee compliance for individual entities and monitor government-wide compliance, respectively.

The Protective Security Policy Framework is just that — a framework. But even so, the consequences of non-compliance range from operational disruptions to preventable security incidents, reputational damage, and even legal liability in the wake of a breach. With that in mind, however, government entities often run into common challenges in their compliance efforts, including:

Fragmented Visibility

Inconsistent Markings & Classification

Disconnected Security Controls

Reporting & Accountability Burdens

Expanding Attack Surface

The PSPF sets out Australian Government policy across six security domains: Governance, Risk, Information Security, Technology Security, Personnel Security, and Physical Security. While sheer awareness and organizational buy-in are significant contributors to PSPF compliance, meeting specific requirements outlined by the PSPF demands solutions that enhance government entities’ visibility, policy enforcement, and reporting capabilities. Fortra’s suite of defensive security solutions gives Australian Government entities the operational capacity to enforce PSPF controls consistently, demonstrate compliance, and close the gap between policy and real-world practice.

Fortra's Solutions for PSPF Compliance

For Australian Government entities and their service providers, meeting Protective Security Policy Framework (PSPF) requirements isn’t a matter of checking boxes — it demands an active, continuously managed security program. Among the PSPF’s six security domains, the Information and Technology domains are where most entities often feel the operational pressure most acutely.

Fortra’s integrated portfolio of defensive security solutions is purpose-built to address common PSPF challenges, giving entities the capabilities needed to facilitate PSPF compliance across these domains.

Our foundational PSPF compliance solutions include:

Data Classification

Fortra Data Classification enables users to apply flexible, PSPF-relevant classification markings — from ‘Official’ to ‘Top Secret’ — across Microsoft 365, Outlook, and Windows. Persistent metadata tags travel with the data, driving downstream enforcement across DSPM, DLP, email security, and beyond.

Email Security

Fortra Email Security layers cloud email protection, DMARC management, phishing defense, and more to secure what is likely your entity's most-used communication channel. Integrated with Fortra Data Classification, it ensures classified emails are routed and handled in line with PSPF’s Email Protective Marking Standard.

Data Security Posture Management

Fortra DSPM continuously discovers and inventories sensitive data across your cloud environment, automatically applying classification labels and identifying misconfigurations, excessive access, and shadow data. In turn, your security team is granted greater visibility and granular controls, allowing them to align access controls with the PSPF’s need-to-know principle.

How Fortra’s Solutions Address PSPF Requirements

To protect people, information, and resources up to the standards of the Australian government, the PSPF mandates several precautions and ongoing security practices, many of which can be facilitated by Fortra’s integrated data security solutions:

Section 9.2 – Security Classifications

Entities must assess all official information against the Australian Government’s classification framework and assign the appropriate security classification (‘Official: Sensitive’, ‘Protected’, ‘Secret’, or ‘Top Secret’) at the lowest reasonable level, based on the potential damage its compromise would cause.

How Fortra Helps

Fortra Data Classification enables users to apply PSPF-aligned classification markings directly within Microsoft 365, Outlook, and Windows
User-guided classification prompts help personnel make accurate classification decisions at the point of content creation
Persistent classification labels ensure the correct marking travels with the document throughout its lifecycle, regardless of where it is stored or shared
Fortra DSPM automatically identifies and classifies sensitive data discovered across cloud and hybrid environments, reducing the risk of unclassified or misclassified information holdings

Section 9.2.3 – Mark Security Classification

Security classified information and relevant security caveats must be clearly marked with the applicable classification using text-based markings. Text-based markings are the PSPF-preferred method for identifying classified information, enabling both personnel and systems to recognize the level of protection required.

How Fortra Helps

Fortra Data Classification applies visible, text-based classification markings to documents and emails, including in headers, footers, and subject lines
Visual markings are rendered automatically based on the classification label selected, ensuring consistent presentation across Microsoft 365 applications
Classification markings applied by Data Classification are immediately recognizable to downstream systems, enabling automated enforcement based on marking level

Section 9.7 – Recordkeeping Metadata Standard

Entities must apply the Australian Government Recordkeeping Metadata Standard to mark information on systems that store, process, or communicate ‘Official’ or security classified information. The ‘Security Classification’ sub-property and relevant caveat properties must be applied as metadata to classified information across technology systems.

How Fortra Helps

Fortra Data Classification embeds persistent, machine-readable metadata within classified documents and emails
Metadata tags applied by Data Classification are consistently stored within the document’s header record, enabling downstream systems to read and act on classification information reliably
Fortra DLP leverages Data Classification metadata to enforce security policies, converting classification labels into active policy controls across endpoints, networks, and cloud environments

Section 9.6 – Email Protective Marking Standard

Entities must apply the Email Protective Marking Standard to outbound email communications, ensuring emails carrying classified information are visually marked and handled appropriately. Inbound emails from external organizations must also be marked, and email systems should be capable of recognizing classification markings to route and protect messages accordingly.

How Fortra Helps

Fortra Data Classification automatically applies PSPF-compliant protective markings to outbound emails in Outlook, including visual markings in the subject line and email body
Fortra Email Security integrates with Data Classification to ensure classified emails are routed, filtered, and handled in line with the Email Protective Marking Standard
Inbound email marking and classification-aware filtering help entities manage the risk of receiving or inadvertently forwarding improperly marked information from external organizations
DMARC management and email threat protection prevent impersonation and phishing attacks targeting classified communications channels

Section 10.1 – Aggregated Information Holdings

Entities must assess whether aggregated information holdings require a higher security classification than their individual components. Operational controls must be applied to information holdings proportional to their value, importance, and sensitivity, including where information has been aggregated or integrated to form a new holding.

How Fortra Helps

Fortra DSPM discovers and inventories sensitive data across cloud and hybrid environments, including aggregated information holdings
Continuous monitoring surfaces misconfigurations and excessive access permissions that could increase the risk exposure of aggregated holdings
Classification labels applied by Fortra Data Classification persist as data moves and/or is consolidated, maintaining accurate sensitivity markings even as information aggregates across systems

Section 10.2 – Information Asset Registers

Entities are required to maintain accurate and up-to-date records of information holdings that document where sensitive data is stored, its classification level, and who has access to it (i.e., asset registers). Asset registers support accountability, audit readiness, and the ongoing management of information security risk.

How Fortra Helps

Fortra DSPM’s automated data discovery capabilities outline data location, sensitivity classification, access permissions, and risk indicators, creating the foundation for an accurate and continuously updated information asset register
Data Classification metadata enriches asset register data, reflecting their sensitivity level at any point in their lifecycle

Section 14.1.1 – Zero Trust Culture

Entities must develop, implement, and maintain a cybersecurity strategy and uplift plan in accordance with the ISM and ASD’s Guiding Principles to embed a “Zero Trust Culture.” No user, device, or application can be implicitly trusted, and access to sensitive systems and information must be continuously verified and enforced on a least-privilege basis.

How Fortra Helps

Fortra DSPM continuously monitors data access patterns and flags excessive permissions or anomalous access behavior, providing the ongoing visibility required to sustain a zero-trust posture
Fortra ZTNA enforces identity-verified, least-privilege access to private applications, preventing unauthorized access internal and lateral network movement
Fortra CASB applies granular access controls to cloud applications, ensuring only authorized personnel can access sensitive information in line with zero-trust principles
Fortra DLP and SWG extend policy enforcement to endpoints and web traffic, blocking unauthorized users from exfiltrating sensitive data

Section 3.5 – Security Awareness Training

The PSPF requires entities to deliver ongoing security awareness training to all personnel, including contracted service providers. Training programs must inform personnel of their protective security responsibilities, brief them on access privileges and prohibitions, and ensure those with specific security duties receive appropriate and up-to-date instruction.

How Fortra Helps

Fortra Human Risk Management delivers targeted, role-based security awareness training that covers phishing recognition, secure information handling, and PSPF-aligned protective security responsibilities
Simulated phishing campaigns test employee readiness and identify individuals who require additional training, enabling a measurable and evidence-based approach to workforce security uplift
Training results and completion records provide the documented evidence entities need to demonstrate compliance in annual reporting

Featured Resource

The Protective Security Policy Framework - Protecting Government Classified Information

READ THE GUIDE

Fortra Closes the Gap Between PSPF Requirements and Real-World Practice

Whether you’re conducting a gap assessment, preparing for annual PSPF reporting, or building a zero-trust architecture from the ground up, Fortra’s experts and integrated solutions are here to help. Talk to a Fortra expert today.

REQUEST A DEMO

FAQ

Who is required to comply with the PSPF?

The PSPF applies to all non-corporate Commonwealth entities and corporate Commonwealth entities listed under the Public Governance, Performance and Accountability Act 2013 (PGPA Act). It also applies to service providers that deliver services to Australian Government entities under relevant deeds or agreements.

Accountable Authorities are ultimately responsible for their entity’s compliance posture. CSOs own protective security across the entire entity (often both digital and physical), while CISOs take specific responsibility for the entity’s cybersecurity strategy, ISM implementation, and the Essential Eight. In practice, this means that compliance with the PSPF’s information and technology domains requires tools that security teams can deploy, configure, and report on.

How does PSPF align with other frameworks like the ISM and Essential Eight?

The PSPF, ISM, and Essential Eight are complementary and mutually reinforcing. The PSPF sets the policy requirements; the ISM provides the technical controls that operationalize them; and the Essential Eight defines the eight highest-priority mitigation strategies that entities must implement. PSPF Release 2025 explicitly mandates that entities implement the Essential Eight to Maturity Level Two and align their cybersecurity strategy with both the ISM and ASD’s Guiding Principles to embed a zero trust culture.

What is the role of zero trust in PSPF Release 2025?

Zero trust is a significant focus of the 2025 update. PSPF Release 2025 requires entities to embed a zero trust culture through a set of guiding principles, meaning that zero trust is now an organizational requirement as opposed to a technology architecture choice. The principle that no user, device, or application should be implicitly trusted must be reflected in an entity’s access controls, ongoing monitoring practices, and greater cybersecurity strategy.

How do organizations conduct a PSPF gap assessment or readiness review?

A PSPF gap assessment typically involves mapping an entity’s current security controls against PSPF requirements across each of the six security domains, identifying areas where controls are absent, insufficient, or not yet implemented, and prioritizing remediation based on risk. Entities often engage an IRAP-accredited assessor for independent assurance. From a technology standpoint, solutions like Fortra DSPM and Vulnerability Management can surface visibility gaps and configuration weaknesses that a gap assessment would flag, giving security teams a head start before a formal review.

What does phased PSPF implementation look like?

Because the PSPF spans six security domains and dozens of individual requirements, most entities approach implementation in phases rather than attempting to address everything at once, particularly when starting from the ground up. A common approach is to begin with the information and technology/ICT domains, where the operational impact of gaps is most immediately felt, before moving to governance, personnel, and physical security programs. Within the technology domain, foundational capabilities like visibility (via DSPM) and data classification are often deployed first, followed by enforcement-layer solutions like DLP, CASB, and ZTNA as the security program matures.

Is Fortra a recognized PSPF vendor?

Fortra’s solutions are actively used by Australian Government entities and their service providers to meet PSPF obligations across the information and technology/ICT security domains. Fortra Data Classification already has a track record in Australian government environments, and Fortra’s broader defensive security portfolio is designed to address the controls that the PSPF and its companion frameworks require.

Protective Security Policy Framework (PSPF) Compliance

Challenges of Protective Security Policy Framework Compliance

Fragmented Visibility

Inconsistent Markings & Classification

Disconnected Security Controls

Reporting & Accountability Burdens

Expanding Attack Surface

Fortra's Solutions for PSPF Compliance

Data Classification

Email Security

Data Security Posture Management

How Fortra’s Solutions Address PSPF Requirements

Section 9.2 – Security Classifications

How Fortra Helps

Section 9.2.3 – Mark Security Classification

How Fortra Helps

Section 9.7 – Recordkeeping Metadata Standard

How Fortra Helps

Section 9.6 – Email Protective Marking Standard

How Fortra Helps

Section 10.1 – Aggregated Information Holdings

How Fortra Helps

Section 10.2 – Information Asset Registers

How Fortra Helps

Section 14.1.1 – Zero Trust Culture

How Fortra Helps

Section 3.5 – Security Awareness Training

How Fortra Helps

Featured Resource

The Protective Security Policy Framework - Protecting Government Classified Information

Fortra Closes the Gap Between PSPF Requirements and Real-World Practice

FAQ

Privacy Policy

Cookie Policy

Terms of Service

Accessibility

Fortra AI Use

Impressum