The Protective Security Policy Framework (PSPF): Protecting Government Classified Information

Learn about the Protective Security Policy Framework (PSPF), the protective markings it requires, the types of information the framework protects, and more.

Data security has never been a higher priority for the Australian Government than it is today — at both the federal and state levels. The ongoing threat of cyberattacks and data breaches has given rise to several security challenges that data handlers must address, including big data, data governance, data management, and ensuring that sensitive data carries the correct security labeling.

In this guide, we'll learn about the Australian Protective Security Policy Framework (PSPF) and explore how it guides government agencies in their efforts to protect people, information, and assets. We will look at Protective Markings, the type of information that requires Protective Markings, as well as the importance of appropriate data categorization, classification, and security labeling.

The Importance of the PSPF

In July 2020, former Australian Prime Minister Scott Morrison stated in a joint press release that $1.35 billion in existing defense funding would be spent over the next decade to boost the cybersecurity capabilities of the Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC), marking what was considered Australia’s largest cybersecurity investment to date.

Even with that investment, however, data breaches and cyberattacks have still proven to be hugely disruptive, and Australia has seen what feels like an ever-increasing number of such attacks. In September 2022, for example, one of Australia’s largest telecoms companies had the data of nearly 10 million of its customers — including home addresses, driver’s licenses and passport numbers — compromised in a data breach. Since then, the Australian Information Commissioner (AIC) filed a lawsuit against the carrier, and reporting suggests the court could impose fines of up to A$2.2 million per breach.

Australia’s government agencies and other government entities also represent prime targets for cybercriminals: the ACSC notified entities of potentially malicious cybersecurity activity on over 1700 occasions this past fiscal year, an 83% increase from the previous year. Incidents like these have profoundly influenced regulatory change and activity, including the PSPF, which specifically regulates sensitive government information.

The PSPF sets the standard for how government entities protect their people, information, and resources. For Accountable Authorities, Chief Security Officers (CSOs), and Chief Information Security Officers (CISOs), meeting PSPF requirements is a matter of governance accountability, not just good practice. Beyond sheer accountability, however, government entities and third-party organizations that handle sensitive government information stand a far better chance of creating a comprehensive, effective, and sustainable data security program by following the guidelines laid out by the PSPF, meaning they’ll remain secure, compliant, and in control of their most sensitive data.

What Is the PSPF?

In 2010, the Australian Government implemented its Protective Security Policy Framework (PSPF), which was developed to assist government agencies in protecting their people, information, and assets. The PSPF articulates effective government protective security policies and supports entities in the implementation of those policies across the areas of security governance, personnel security, physical security, and information security. The Australian Department of Home Affairs updates the PSPF annually, with the most recent update being released this past July 2025, and agencies that do not adopt the mandatory requirements and apply the appropriate data protection controls can be blocked from transacting with other federal entities.

Under the regulatory framework, agencies must implement policies and procedures for the security classification and protective control of information assets (in electronic and paper-based formats), which match their value, importance, and sensitivity — known as protective markings in the context of the PSPF.

Protective Markings are often considered one of the most critical requirements mandated by the PSPF, but more broadly, government entities must also consider the three elements of the CIA triad to effectively defend against information compromise:

  • Confidentiality — determining who should be able to see the information and why.
  • Integrity — ensuring information is only created, amended, or deleted by the intended, authorized means, and that the action is correct and valid.
  • Availability — ensuring authorized persons have access to information whenever it is needed.

What Are Protective Markings?

Protective Markings are security labels that are assigned to and signify the confidentiality requirements of public sector information, usually determined via an information security value assessment. Protective markings inform the minimum level of protection to be provided throughout the information lifecycle, including during its use, storage, transmission/transfer, and disposal.

What Information Requires Protective Markings?

Any public sector information — including personal information — obtained, generated, received, or held by/for a public sector organization for an official purpose or for supporting official activities requires protective markings. This includes both hard (physical) and soft (digital) copy information, regardless of media or format.

Where public sector information does not require a protective marking, other security measures may still be necessary to protect the integrity and availability of that material.

Official & Unofficial Information

In contrast, unofficial information — any information that has no relation to official activities, such as personal correspondence — does not need to undergo a security value assessment. ‘Unofficial’ information has no bearing on official functions and, as such, need not have a protective marking applied. Whilst ‘Unofficial’ is not recognized as a formal protective marking, it is used for email marking purposes in some organizations’ email systems. That said, it is helpful to mark an unofficial document as ‘Unofficial’ or similar, so that the document’s recipient knows that the author has considered the content and made a choice of classification. An unclassified document should be treated as ‘unknown.’

Similarly, information marked as 'Official' (non-sensitive) is also not considered a protective marking, but indicates a routine level of protection should be applied to the corresponding information. The application of an 'Official' label isn't mandatory, but it signals that (1) the material has undergone an information assessment and (2) that the information may cause minor harm/damage to government operations, organizations, and/or individuals.

The Email Protective Marking Standard

With the rapid growth of email, especially for inter-agency communications within the Australian government, a strong security case was made for a standardized and readable marking scheme for email. To meet this need, the Email Protective Marking Standard (EPMS) was created as part of the PSPF. The EPMS has since been updated several times, with incremental updates to the marking standards.

Four Levels of Security Classification

With the above in mind, all security-classified information and its metadata, including emails, must carry a mandatory protective marking, i.e., a security classification. These mandatory security classifications carry implications for how information is stored, handled, accessed, and disposed of, but more broadly, they indicate the following:

Protective Marking     Basis for Protective Marking
Official: Sensitive    Low to medium business impact; limited damage to an individual, organization, or government generally if compromised.
Protected              High business impact; damage to the national interest, organizations, or individuals.
Secret                 Extreme business impact; serious damage to the national interest, organizations, or individuals.
Top Secret             Catastrophic business impact; exceptionally grave damage to the national interest, organizations, or individuals.

The Security Caveat Standard

Security caveats are a distinct type of protective marking that indicates when specific public sector information carries additional requirements on top of those identified by its protective marking, further restricting access to the material. Caveats cannot be applied to ‘Unofficial,’ ‘Official,’ or ‘Official: Sensitive’ material, but they're required for 'Protected' and 'Top Secret' classifications and can include codewords and special handling instructions.

The levels of applicable caveats vary, but typically include the following:

  • Commonwealth — most commonly found on information relating to material that could impact the national interest (including national security). Caveats at the Commonwealth level must be used in conjunction with a security classification.
  • Specific to a government — authorized caveats to be used with one government only; they must be used in conjunction with a security classification.
  • Organization/agency specific — for internal application and use only. They should be removed from the information before it is transferred or transmitted outside the organization.

Conducting Business Securely and Effectively With PSPF

The consistent use of protective markings and adoption of appropriate security measures enhance the government’s ability to conduct business securely and effectively.

Protective markings act as an important visual indicator to anyone accessing or using the material, informing them of the minimum security obligations that must accompany public sector information. They also offer an easily identifiable way for information users and systems (such as a downstream email gateway) to identify and manage the handling and control of information at different levels.
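As an added example (not Fortra's code and not part of the PSPF or EPMS itself), the following Python shows how a downstream email gateway could enforce the classification hierarchy and caveat rules described above. It assumes the EPMS X-Protective-Marking header is a comma-separated list of KEY=VALUE fields and inspects only SEC= and CAVEAT=; every header value here is constructed for illustration.

```python
"""Gateway-side checks for an EPMS-style protective marking header.

Assumptions (not from the article): the header body is KEY=VALUE fields
separated by commas, and only the SEC= and CAVEAT= keys are examined.
"""

# Ordering from lowest to highest sensitivity, as laid out in the article.
LEVELS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:SENSITIVE",
          "PROTECTED", "SECRET", "TOP SECRET"]
# The article states caveats may not be applied below PROTECTED.
CAVEAT_FLOOR = LEVELS.index("PROTECTED")


def parse_marking(header):
    """Return (classification, [caveats]) or raise ValueError if the marking is invalid."""
    fields = {}
    for part in header.split(","):
        key, _, value = part.strip().partition("=")
        if not key or not value:
            raise ValueError(f"malformed field: {part.strip()!r}")
        fields.setdefault(key.upper(), []).append(value.strip())
    if "SEC" not in fields:
        raise ValueError("marking carries no SEC= classification")
    level = fields["SEC"][0].upper()
    if level not in LEVELS:
        raise ValueError(f"unknown classification: {level}")
    caveats = fields.get("CAVEAT", [])
    if caveats and LEVELS.index(level) < CAVEAT_FLOOR:
        raise ValueError(f"caveats are not permitted on {level} material")
    return level, caveats


def gateway_decision(header, ceiling):
    """Decide whether a message may leave via a link accredited up to `ceiling`.

    An unmarked message is treated as unknown (per the article) and quarantined
    for human review rather than silently passed or dropped.
    """
    if header is None:
        return "QUARANTINE"
    level, _caveats = parse_marking(header)
    if LEVELS.index(level) > LEVELS.index(ceiling):
        return "BLOCK"
    return "ALLOW"


if __name__ == "__main__":
    # Constructed sample headers (EXAMPLE-CODEWORD is a placeholder, not a real caveat).
    for hdr in ["SEC=OFFICIAL:Sensitive", "SEC=PROTECTED, CAVEAT=EXAMPLE-CODEWORD",
                "SEC=SECRET", None]:
        print(hdr, "->", gateway_decision(hdr, "PROTECTED"))
```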

Information Management Markers (IMMs)

Information Management Markers (IMMs) have been designed to reflect ‘rights properties’ for certain content and can inform users and systems of access restrictions. While IMMs are not mandatory, they are metadata indicators that provide a standard set of terms, ensuring common understanding and consistency in situations where the access to or disclosure of information is to be limited, such as when:

  • the disclosure of the material is limited or prohibited by legislation;
  • special handling of the material is required; and
  • dissemination of the material needs to be controlled.

Depending on the content, some information may require multiple IMMs. In these instances, organizations using IMMs should apply all required and appropriate markers.

Ensuring PSPF Updates Are Met on Time

With new updates coming into the scheme annually, government agencies must have the right solutions in place to ease adoption. It is essential, therefore, that the organization can effectively manage data, streamline operations, and proactively respond to regulatory change.

Prioritize Deep Visibility And Control Of Critical Data

In any data protection strategy, content scanning capabilities are critical to reducing the likelihood of a data loss incident and maintaining regulatory compliance. Content scanning has the most significant impact when combined with predictable, meaningful metadata that properly classifies and labels data.

A robust, multi-level classification solution should deliver the flexibility to accommodate both security classifications and caveats, lending increased control over the distribution of classified data. Furthermore, classification tools with the right blend of automated and user-applied classification support can significantly increase end-user awareness when handling data. Visual markings should be customizable and include headers, footers, watermarks, and title pages.

This level of granularity is important to ensure the correct security classification is assigned to sensitive information, but that granularity should not come at the expense of a positive, streamlined user experience. For example, an ideal solution would not require the user to remember exactly what ‘Official: Sensitive’ is, and would instead prompt the user when applying a classification to specific information. A robust, user-friendly solution should deliver enhanced user engagement and accountability, improved security awareness, and reduced data security risk across a given organization.

Want To Learn How Fortra Can Help?

Fortra Data Classification pairs with our portfolio of integrated defensive security solutions to deliver a robust PSPF for Australian government entities. Read more about our PSPF solutions and contact us to get started.