In response to recommendations in the 2015 Independent Review of Whole-of-Government Internal Regulation (Belcher Red Tape Review), to reduce compliance burden and to support entities to better engage with risk, the Attorney-General introduced a revised Protective Security Policy Framework (PSPF) on 1 October 2018.

The revised PSPF is underpinned by the Public Governance, Performance and Accountability Act 2013 (PGPA Act) requirements to govern an entity in a manner that is ‘not inconsistent’ with Australian Government policies and promote the proper use and management of public resources. Application of the PSPF is required by the 97 non-corporate Commonwealth entities (NCEs) and represents better practice for the 71 corporate Commonwealth entities and 18 wholly owned Commonwealth companies.

Physical security arrangements underpin secure delivery of government business through the protection of people, information and physical assets. As Australian Government policy, the PSPF applies to all NCEs subject to the PGPA Act, with accountable authorities responsible for physical security arrangements within their own organisations.

As the policy owner, the Attorney-General’s Department (AGD) has responsibility for monitoring and reporting whether the PSPF meets its intended outcomes. AGD undertakes its role through the provision of general, high-level guidance to entities on the PSPF. AGD also collects and reports entities’ annual self-assessments and information on significant security incidents.

Key findings:

• The administration of the revised PSPF by selected entities was largely effective. Advice to government by AGD as policy owner is limited as it is reliant on self-reporting from entities. The risk of optimism bias in entity self-assessment reporting has not been addressed by AGD as part of its administration of the PSPF. The selected entities have not met all core requirements at their self-assessed maturity levels in safeguarding people, information and assets.
• AGD’s administrative arrangements to support the revised PSPF were largely effective. AGD’s advice to government about the progress of the framework was limited as AGD relied on self-assessment information, which the ANAO has found can be overstated or inaccurate, to accurately reflect the maturity of implementation of revised PSPF requirements. As policy owner, AGD did not monitor compliance with mandatory requirements.