
Australia’s 2025 Protective Security Policy Framework (PSPF) Now Mandates Zero Trust – What You Need to Know and Do

Aug 13, 2025

Australia’s updated Protective Security Policy Framework (PSPF) now mandates the adoption of Zero Trust principles.

Australia’s Protective Security Policy Framework (PSPF) Annual Release 2025 now formally mandates the adoption of zero trust principles to improve cybersecurity posture. Government organisations must now align their cybersecurity strategies with the Information Security Manual and the Guiding Principles to Embed a Zero Trust Culture.

In this blog, we provide actionable guidance on embedding zero trust principles into your organisation and explore how the right technologies can simplify compliance and strengthen information security.

What is PSPF? Who does it apply to?

PSPF outlines the minimum protective security standards that all Australian Government entities must implement domestically and internationally to protect Australia’s people, information and resources. This includes non-corporate Commonwealth entities, corporate Commonwealth entities, and wholly-owned Commonwealth companies.

The framework standardises protective security policy across six security domains, each with its own subcategories:

  1. Governance – Focuses on the security roles and responsibilities of government entities, security planning, incident management, training, and reporting.
  2. Risk – Covers security risk management, third-party risk management, countering foreign interference and espionage, and contingency planning.
  3. Information – Outlines information classifications and caveats, holdings, disposal, and sharing.
  4. Technology – Addresses technology lifecycle management and cybersecurity strategies and programs.
  5. Personnel – Requirements for pre-employment checks, resource access, security clearances, vetting processes, ongoing assessments and separation.
  6. Physical – Encompasses physical security measures, controls, lifecycle management, security zones, and event security.

What are the new PSPF Zero Trust requirements?

In the 2025 Annual Release published on 24 July 2025, the Technology domain introduced new Zero Trust requirements to enhance the government’s Cybersecurity Strategies, including:

  • Section 14.1 Cyber Security Strategy – PSPF Requirement 0098
    A cybersecurity strategy and uplift plan is developed, implemented, and maintained to manage the entity’s cybersecurity risks in accordance with the Information Security Manual (ISM) and the Guiding Principles to Embed a Zero Trust Culture.
  • Section 14.1.1 Zero Trust Culture – covered by new PSPF Requirement 0213 and amendments to Requirements 0011, 0013 and 0098
    This new obligation reinforces the need for an organisation-wide Zero Trust mindset, not just technical controls.

What is a Zero Trust Culture?

A ‘Zero Trust Culture’ extends beyond firewalls and identity management. It represents a strategic, holistic organisational commitment to ongoing verification, minimum access, and data-centric protection.

PSPF Requirement 0098 mandates the development, implementation, and maintenance of a cybersecurity strategy and uplift plan to manage cybersecurity risks in accordance with the Information Security Manual (ISM) and the Guiding Principles to Embed a Zero Trust Culture. This culture must be embedded organisation-wide to address risks from a changing cyber threat landscape and an expanding digital attack surface.

The Guiding Principles set out in the Protective Security Policy Framework provide a foundation to operationalise Zero Trust at both technical and cultural levels.

What are PSPF’s 5 Guiding Principles to Embed a Zero Trust Culture?

Principle 1 – Identify and manage cyber security risk at an enterprise level

Principle 1 emphasises enhancing the resilience of Australia’s digital landscape by integrating cybersecurity risk management at an enterprise level, rather than placing it solely under the responsibility of the CISO, especially as services become increasingly digital.

Principle 2 – Understand accountabilities and responsibilities at all levels

Principle 2 establishes clearly defined roles and responsibilities, which are essential for strong governance and accountability. It promotes a top-down commitment to cultural change and implements structured reporting pathways for sharing information on incidents, risks, and emerging trends, enabling quick responses to evolving threats.

Principle 3 – Know and understand your most critical and sensitive technology assets

Principle 3 focuses on understanding and protecting an entity’s critical and sensitive technology assets to prioritise and mitigate risks. Continuous education and training for staff at all levels is essential for effective response to cyber threats, promoting a proactive, risk-based approach instead of reactive compliance.

Principle 4 – Maintain resiliency through a comprehensive cyber strategy and uplift plans

Principle 4 underscores the importance of enhancing cybersecurity resilience through the development of a robust cyber strategy. This strategy should be based on current and anticipated threat trends, along with the risks associated with key third-party suppliers. It should align with investment plans to ensure that uplift activities are integrated with digital investments and changes in business operations.

Principle 5 – Go beyond incident planning

Principle 5 stresses an expanded approach to incident management that includes continuous improvement of an entity’s cyber posture, rather than focusing solely on preparation, containment, and eradication. It highlights that no system or user should be trusted by default, underscoring the importance of continuously verifying every access to a system.

What are the consequences of failing to comply with the new PSPF requirements?

Non-compliance with the new Protective Security Policy Framework (PSPF) requirements poses significant risks for Australian government organisations, including legal, operational, reputational, and security repercussions. Potential consequences include:

  1. National Security Risks: Increased vulnerability to cyber threats and potential loss of sensitive information that could threaten national security.
  2. Reputational Damage: Erosion of public trust and negative impacts on inter-agency collaboration.
  3. Regulatory and Legal Consequences: Agencies must report on their compliance with PSPF requirements annually. Failure to meet compliance requirements could result in escalation to oversight bodies, more frequent audits, and potential legal liability.
  4. Operational Impacts: Failure to meet required security baselines could result in system downtime and decreased productivity, disruptions to workflows and project delays, increased operational costs from necessary fixes and remediation, and the potential need for extra training and resources to address non-compliance.

Strategies for achieving PSPF compliance through zero trust technology

The principles outlined in the PSPF emphasise the critical importance of technology in both establishing and maintaining a Zero Trust culture within organisations. This approach recognises that traditional security models, which often rely on perimeter defences, are no longer sufficient in the face of evolving cyber threats.

The Rise of Zero Trust in Cybersecurity

The concept of zero trust is not a recent development: the term was popularised by Forrester in 2010 and formalised in NIST SP 800-207 (2020), and it gained significant traction with the U.S. Department of Defense’s release of its Zero Trust Strategy in October 2022. That strategy sets out a framework in which no user or system is trusted by default, regardless of whether it sits inside or outside the network perimeter.

As a result, zero trust has become the reference model for modern cybersecurity programmes, influencing best practice across sectors. Organisations worldwide are implementing Zero Trust principles to strengthen their defensive posture against a diverse array of cyber threats and to build a more resilient, adaptive security environment.

Core Principles of Zero Trust

At its core, zero trust follows one guiding principle: trust nothing, verify everything. Every access request is authenticated, authorised and re-evaluated against policy, whether it originates inside or outside the network. Zero trust technologies enable strict, context-aware access controls for networks, users, and data.

Importance of Data-centric Protection in Zero Trust

There is no one-size-fits-all solution, or magic bullet, for achieving zero trust. A layered defence in depth approach is essential, with multiple layers of complementary security controls to protect both the systems and data. If one layer of security is compromised, the other layers will still provide protection.

Traditional network security and Identity and Access Management (IAM) solutions primarily focus on controlling access to networks, systems, and applications. Adding a data-centric solution extends zero trust principles directly to the data layer. By enforcing strict access controls, continuous verification, and contextual policies at the data level, data-centric technologies ensure that sensitive information remains protected regardless of where it resides or who attempts to access it.

This is particularly important because data is often the most valuable and targeted asset within an organisation, and it is increasingly distributed across cloud environments, endpoints, and third-party systems.

Technologies Supporting Data-Centric Zero Trust

This data-centric approach is the foundation of a variety of security methodologies, including:

The mechanism that makes data-centric enforcement practical is Attribute-Based Access Control (ABAC), which manages access rights through dynamic policy evaluation rather than static permissions.

ABAC: Enforcing Zero Trust Across Data, Users, and Systems

An Introduction to ABAC

ABAC is an access control model (formalised in NIST SP 800-162) that maps naturally onto zero trust principles and is well suited to data-centric security. Rather than granting access on the basis of a static role or group membership alone, ABAC evaluates policies against a set of user, data and environmental attributes at the moment an access request is made: who the user is, where they are, what they are accessing, and when. Each decision is made in real time, every time a user requests access to a resource, so nothing is inherited from an earlier session or a network location.

Flexible, Fine-Grained Attribute-based Policies

With ABAC’s flexible fine-grained policies, access decisions can be based on any combination of attributes or factors such as:

  • User security clearance
  • Data sensitivity level
  • Network type
  • Location (office, home, airport, country, etc.)
  • Time of access
  • Document classification
  • Role
  • Briefing level
  • Custom business rules
  • Etc.

Precise Control Over Data Access, Usage & Sharing

Beyond simply approving or denying access when the conditions are met, ABAC can also control what users can do with the data once access is granted. For example, should an authorised user be able to edit a file, or only open a read-only version of it? Should access rights change if they are on a public network? Can they share the data, and if so, with whom? ABAC policies can apply real-time controls that restrict how a file can be used and shared by an authorised user, based on the context of the request.

For example, a user may successfully authenticate their identity but could still be denied access to a specific file if their network, such as a public Wi-Fi, does not meet the policy requirements for the file’s sensitivity. Alternatively, they could be granted access to a read-only version of the file watermarked with their name, date, time and IP address.
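The policy evaluation described in the two paragraphs above, as an added Python example (not archTIS code and not a PSPF artefact): a small policy decision point that evaluates each request against ordered rules over subject, resource and environment attributes, denies anything no rule permits, and returns a "watermark" obligation for read-only access from a public network. The classification ladder, attribute names, rule set and sample users and documents are all assumptions constructed for the example.

```python
"""
Minimal attribute-based access control (ABAC) policy decision point for
document access. Added example, not archTIS or PSPF code: the attribute
names, the classification ladder and the rules below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime

# Classification / clearance ladder, lowest first (assumed labels).
LEVELS = ["OFFICIAL", "OFFICIAL:Sensitive", "PROTECTED", "SECRET"]


def rank(label: str) -> int:
    """Numeric position of a label on the ladder; unknown labels raise."""
    return LEVELS.index(label)


@dataclass
class Request:
    subject: dict   # who: name, clearance, briefings
    resource: dict  # what: classification, briefing caveat
    env: dict       # context: network, time (datetime), ip
    action: str     # "read", "edit" or "share"


@dataclass
class Decision:
    effect: str                                      # "permit" | "deny"
    rule: str                                        # rule that fired
    obligations: list = field(default_factory=list)  # e.g. "watermark"


# --- attribute predicates ---------------------------------------------
def clearance_too_low(r: Request) -> bool:
    return rank(r.subject["clearance"]) < rank(r.resource["classification"])


def missing_briefing(r: Request) -> bool:
    needed = r.resource.get("briefing")
    return bool(needed) and needed not in r.subject.get("briefings", [])


def sensitive_on_public_network(r: Request) -> bool:
    return (r.env["network"] == "public"
            and rank(r.resource["classification"]) >= rank("PROTECTED"))


def after_hours(r: Request) -> bool:
    return not 7 <= r.env["time"].hour < 19


# Rules are evaluated top to bottom; the first whose predicate holds decides.
# Anything no rule permits is denied (no implicit trust).
RULES = [
    ("deny-insufficient-clearance", clearance_too_low, "deny", []),
    ("deny-missing-briefing", missing_briefing, "deny", []),
    ("deny-write-on-public-network",
     lambda r: sensitive_on_public_network(r) and r.action != "read", "deny", []),
    ("permit-watermarked-read-on-public-network",
     lambda r: sensitive_on_public_network(r) and r.action == "read",
     "permit", ["watermark"]),
    ("deny-secret-after-hours",
     lambda r: r.resource["classification"] == "SECRET" and after_hours(r),
     "deny", []),
    ("permit-corporate-network",
     lambda r: r.env["network"] == "corporate", "permit", []),
]


def decide(r: Request) -> Decision:
    """Policy decision point: evaluate every request afresh against RULES."""
    for name, predicate, effect, obligations in RULES:
        if predicate(r):
            return Decision(effect, name, list(obligations))
    return Decision("deny", "default-deny")


def watermark_text(r: Request) -> str:
    """Obligation rendered by the enforcement point on a read-only copy."""
    return f"{r.subject['name']} {r.env['time']:%Y-%m-%d %H:%M} {r.env['ip']}"


# --- constructed sample attributes (not real users or documents) ---------
ALICE = {"name": "alice", "clearance": "PROTECTED", "briefings": ["PROJECT-X"]}
BOB = {"name": "bob", "clearance": "OFFICIAL", "briefings": []}
CAROL = {"name": "carol", "clearance": "SECRET", "briefings": ["PROJECT-X"]}
PLAN = {"classification": "PROTECTED", "briefing": "PROJECT-X"}
CABLE = {"classification": "SECRET", "briefing": "PROJECT-X"}
OFFICE = {"network": "corporate", "time": datetime(2025, 8, 13, 10, 0), "ip": "10.1.2.3"}
CAFE = {"network": "public", "time": datetime(2025, 8, 13, 10, 0), "ip": "203.0.113.7"}
NIGHT = {"network": "corporate", "time": datetime(2025, 8, 13, 22, 0), "ip": "10.1.2.3"}


if __name__ == "__main__":
    for req in [Request(ALICE, PLAN, OFFICE, "edit"),
                Request(ALICE, PLAN, CAFE, "edit"),
                Request(ALICE, PLAN, CAFE, "read"),
                Request(BOB, PLAN, OFFICE, "read"),
                Request(CAROL, CABLE, NIGHT, "read")]:
        d = decide(req)
        extra = f" [{watermark_text(req)}]" if "watermark" in d.obligations else ""
        print(f"{req.subject['name']:6} {req.action:5} -> {d.effect:6} ({d.rule}){extra}")
```

Run it directly to see the sample requests decided. The point to notice is that the same user and the same document produce three different outcomes (full edit on the corporate network, watermarked read-only on public Wi-Fi, denied edit on public Wi-Fi) purely from the environment attributes, and that a request no rule explicitly permits falls through to the default deny rather than to an implicit allow.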

Enhanced Security Through Real-Time Zero Trust Access Controls

This nuanced approach to access control is critical to meet the principles of Zero Trust, as it emphasises the need for stringent verification processes before granting any level of access. By implementing such precise restrictions, organisations can ensure that only authorised individuals with the appropriate permissions can view sensitive data, provided they meet the right conditions.

This level of granularity not only enhances data protection but also fosters a secure and compliant environment for internal and third-party collaboration and file sharing. ABAC enables a data-centric zero trust approach that prioritises information safeguards while also facilitating necessary access for users who meet all specified criteria.

Tools to support Zero Trust and PSPF compliance

archTIS offers a suite of dynamic, ABAC-enabled security solutions tailored to meet Protective Security Policy Framework (PSPF), Essential Eight, DISP, SLACIP, and global standards such as ITAR, CMMC, and NIST.

  • Microsoft 365 environments

    If you’re using M365 or GCC High for collaboration and document management, NC Protect adds ABAC enforcement and dynamic security controls across M365 applications, including SharePoint Online, Exchange and Office.

  • SharePoint Server and File Shares

    If you’re using SharePoint Server on-premises, Windows File Shares or Nutanix Files, NC Protect allows you to add dynamic ABAC policies and unique security controls to secure collaboration.

  • Accredited SaaS Applications for Secure Document Sharing

    Kojensi SaaS enables secure collaboration in the cloud, accredited up to PROTECTED, across agencies, defence, and industry using ABAC policies. No infrastructure is required, and sensitive data can be shared securely straight away.

  • On-Premises Secure Document Sharing

    Kojensi on-premises supports high-security document collaboration, up to and including classified levels, for environments that need on-prem security with flexible ABAC enforcement.

  • Structured Data Management

    archTIS Trusted Data Integration (TDI) addresses the problem of how to integrate, secure and govern sensitive and classified structured data at scale and speed.

Get Started on Your Zero Trust Journey

Meeting the Protective Security Policy Framework’s Zero Trust mandate doesn’t have to be daunting. With the right strategy, policy framework, and technology, your agency can achieve compliance, reduce risk, and protect its most valuable data assets.

Contact archTIS to learn how our ABAC-based solutions can help your organisation embed a Zero Trust Culture and meet evolving regulatory obligations.
