The Attorney-General's unsurprisingly terse and decidedly unannounced Protective Security Policy Framework 2016-17 Compliance Report states:
Effective protective security is essential to the secure delivery of government business.
Security arrangements support government entities to identify threats and manage risks that have the potential to:
• harm staff or the public
• compromise official information or assets, or
• interrupt progress toward meeting government policy objectives.
The Protective Security Policy Framework (PSPF) is administered by the Attorney-General’s Department (AGD). It mandates 36 security requirements as detailed at Attachment A.
The PSPF applies to non-corporate Commonwealth entities (NCCEs) subject to the Public Governance, Performance and Accountability Act 2013 in 2016–17. For corporate Commonwealth entities and wholly-owned Commonwealth companies (CCEs), the PSPF represents better practice.
Entities are required to undertake an annual self-assessment of their PSPF compliance, then report on their security posture and measures taken to address identified key risks.
Entity reporting
All NCCEs submitted a PSPF compliance report for 2016–17; this is an improvement from 2015–16 where two NCCEs failed to report. In addition, five CCEs reported voluntarily (down from 12 in 2015–16).
Key findings
PSPF compliance
While few (34.4%, 32 entities) NCCEs are fully compliant with all of the PSPF, the government’s security posture is still broadly sound. On average, NCCEs fully comply with a significant proportion of requirements (91.2%, 33 out of 36 – shown as “2016–17 PSPF compliance average” in Figures 3, 4 and 5).
Key risk areas
NCCEs continue to face challenges in achieving the PSPF’s information security requirements. Of note, only 60.2% of NCCEs reported full compliance with the INFOSEC 4 requirement. ...
Security governance
Compliance with PSPF governance requirements was high and remained relatively stable. On average, entities complied with 11.9 of the 13 governance requirements in 2015–16, increasing marginally to compliance with 12 requirements in 2016–17. ...
Information security
Information security is dynamic with challenges posed by continuous technological advancement. Information security arrangements are an important element of an entity’s effective protective security regime.
Compliance with information security requirements has been an area of ongoing concern. Despite increased awareness of cyber security risks, and a concerted effort over the year to promote risk mitigation measures, entity compliance with information security requirements did not see significant change. In 2016–17, average compliance remained stable at 6.0 out of 7 requirements.
Physical security
NCCEs continued to report high-level compliance against the PSPF’s physical security requirements. On average NCCEs complied with 6.5 out of 7 requirements, broadly in line with the 2015–16 compliance rate of 6.6.
Of particular note:
• all entities reported full compliance with the PHYSEC 4 requirement to ensure that physical security measures do not breach relevant employer occupational health and safety obligations, and
• almost all entities reported full compliance with the PHYSEC 5 requirement to show a duty of care for the physical safety of members of the public interacting directly with the Australian Government.
A 5.4 percentage point decline in compliance with the PHYSEC 7 requirement was recorded such that ten NCCEs reported they did not have up-to-date plans and/or procedures in place to respond to heightened security levels in case of an emergency or increased threat. Most of these entities reported they expect this matter to be resolved in 2017–18.
Personnel security
In 2016–17, AGD led outreach activities on security culture and managing the ongoing suitability of personnel.
In line with this, there was a significant (5.4 percentage point) improvement in entities reporting full compliance with the PERSEC2 requirement over the year. Reported compliance has increased from 78.5% of NCCEs in 2014–15 (82.8% in 2015–16) to 88.2% in 2016–17.
Compliance against other personnel security requirements did not see significant change. Average compliance remained stable at 8.3 out of 9 personnel security requirements.
Personnel security waivers
Access to classified resources is subject to personnel successfully undergoing a vetting process and holding a valid security clearance. Where clearance requirements are waived, government faces increased malicious insider risks (and may be more vulnerable to exploitation from organised crime and interference from foreign governments). There are two types of waivers: waivers of the Australian citizenship requirement, and waivers of the checkable background requirement.
Waivers of the Australian citizenship requirement
In 2016–17, there were 317 Australian Government security clearance holders who were not Australian citizens. Nonetheless, clearances with a citizenship waiver still make up less than 0.2% of the 200,000+ (as at August 2017) active clearances.
Across government, citizenship waivers at the NV1 level saw the greatest increase over the year (47 in 2015–16, compared with 175 in 2016–17).
Waivers of checkable background requirement
Assurance about a person’s background gives confidence that they can be trusted to protect government information and resources. A person is considered to have an uncheckable background where more than 12 months (cumulative) of the security clearance background checking period cannot be verified.
In 2016–17, there were 216 people with a security clearance whose background could not be adequately checked. Clearances with checkable background waivers represent only 0.1% of all active clearances.
Historically, checkable background waivers have most commonly been for clearances at the Positive Vetting (PV) level. This reflects more onerous PV background checking expectations.
In 2016–17 there were 130 additional NV1 checkable background waivers (from 7 in 2015–16, up to 137). The sizeable increases in checkable background waivers are attributable to a single entity. ...
CCE compliance summary
Five CCEs submitted a PSPF compliance report in 2016–17 (down from 12 in 2015–16). Noting the very small sample size, significant variations in year-to-year reported compliance can be expected.
Two CCEs (40%) claimed full compliance with all 36 mandatory requirements, above the NCCE average of 35.5% (33 entities) but well below the 58% of CCEs (7 of 12) reporting full compliance in 2015–16.
On average, CCEs reported full compliance with 35 of the 36 mandatory requirements; this is a slight improvement from the 34.4 compliance average reported in 2015–16 (and above the 32.8 NCCE average).
CCEs reported:
• full compliance with all PERSEC requirements. There was one citizenship waiver, held at the Baseline level, across all five entities
• full compliance with all PHYSEC mandatory requirements (an increase from 6.9 of 7 requirements in 2015–16)
• high rates of compliance with GOVSEC mandatory requirements. On average, CCEs complied with 12.4 of 13 requirements (95.4%) in both 2015–16 and 2016–17 (slightly above NCCE average of 12), and
• like NCCEs, compliance was lowest in relation to INFOSEC requirements. CCEs reported compliance with 6.6 of 7 requirements in 2016–17 (94.3%), compared to 6.7 out of 7 in 2015–16.