Full Report
The Australian government has intensified efforts to protect digital infrastructure across all Commonwealth entities. Two recent publications, the 2024–25 Protective Security Policy Framework (PSPF) Assessment Report and the 2025 Commonwealth Cyber Security Posture Report, offer a comprehensive snapshot of current achievements, challenges, and future priorities in government cyber resilience.

The PSPF Assessment Report highlights that 92% of non-corporate Commonwealth entities (NCEs) achieved an overall rating of “Effective” compliance under the updated evidence-based reporting model. This framework moves beyond traditional checklists, focusing on measurable outcomes, tangible risk reduction, and demonstrable assurance. While information security across agencies continues to perform well, technology security, including cyber security, remains a key area for ongoing improvement, with 79% of entities reporting effective compliance in this domain.

PSPF policies 13 and 14 form the backbone of this effort. Policy 13: Technology Lifecycle Management emphasizes protecting ICT systems to ensure secure and continuous service delivery, integrating principles from the Australian Signals Directorate (ASD) Information Security Manual (ISM). Policy 14: Cyber Security Strategies mandates the adoption of the Essential Eight mitigation strategies to Maturity Level 2, encouraging entities to consider higher levels where threat environments warrant. The report also shows high engagement in proactive security measures: 90% of entities maintain incident response plans, 82% have formal cybersecurity strategies, and 87% conduct annual staff cybersecurity training.

The Essential Eight and Technical Cyber Hardening

The 2025 Commonwealth Cyber Security Posture Report centres on the implementation of ASD’s Essential Eight mitigation strategies. These technical controls, ranging from patching applications and operating systems to multi-factor authentication, administrative privilege restriction, and secure backups, are designed to reduce the likelihood of ICT systems being compromised. In 2025, 22% of entities achieved Maturity Level 2 across all eight strategies, an improvement from 15% in 2024, though slightly below 2023’s 25%. This minor drop reflects the November 2023 update to the Essential Eight, which hardened controls in response to evolving threat tactics. Notably, strategies like multi-factor authentication and application control saw temporary reductions in compliance as agencies adjusted to higher technical standards, such as phishing-resistant MFA and updated application control rules targeting “living off the land” techniques. Legacy IT systems remain a challenge, with 59% of entities reporting that these older systems impede achieving full maturity. Funding constraints and a lack of replacement options are the primary obstacles.

Cyber Hygiene, Incident Preparedness, and Reporting

Data-driven programs like ASD’s Cyber Hygiene Improvement Programs (CHIPs) track the security of internet-facing systems, assessing email protocols, encryption, and website maintenance. Between May 2024 and May 2025, improvements were noted across email domain security and active website maintenance, though effective web server encryption showed a minor dip due to better identification of previously untracked servers. Despite strong internal preparedness, reporting of incidents remains relatively low, with only 35% of entities reporting at least half of observed incidents to ASD. In the 2024–25 financial year, ASD responded to 408 reported incidents, representing a third of all events addressed nationally.

Leadership, Governance, and Strategic Planning

Effective cyber resilience extends beyond technical controls. Leadership and governance play a decisive role in embedding security into everyday operations. Chief Information Security Officers (CISOs) guide strategy, advise senior management, and ensure compliance with legislative and policy requirements. Survey results indicate substantial progress: 82% of entities have formal cyber strategies, 92% integrate cyber disruptions into business continuity planning, and 91% have defined improvement programs with allocated funding. Supply chain security is another priority. Seventy percent of entities now conduct risk assessments for ICT products and services, ensuring secure lifecycle management. Agencies are also beginning to prepare for post-quantum cryptography, aligning with ASD guidance to transition encryption to quantum-resistant standards by 2030.

Recommendations and the Road Ahead

Both the 2024–25 PSPF Assessment Report and the 2025 Commonwealth Cyber Security Posture Report reinforce that cyber resilience is a continuous, iterative process. Key recommended actions include:

- Fully implementing the Essential Eight to at least Maturity Level 2.
- Strengthening incident detection, logging, and reporting.
- Addressing risks associated with legacy IT systems.
- Integrating cyber risk assessments into supply chain decisions.
- Preparing for post-quantum encryption transitions.
- Maintaining ongoing staff and privileged user training programs.

Stephanie Crowe, Head of ASD’s Australian Cyber Security Centre, observed that “cyber security uplift is not a one-off exercise, it’s a continuous process.” Similarly, Brendan Dowling, Deputy Secretary of Critical Infrastructure and Protective Security, emphasized the government’s commitment to positioning itself as an exemplar in secure digital operations.

Conclusion

Australia has improved its cyber posture, but significant gaps remain. The 2024–25 PSPF Assessment and the 2025 Commonwealth Cyber Security Posture Report show stronger Essential Eight adoption, better incident planning, and improved governance. However, inconsistent Maturity Level 2 implementation, legacy IT constraints, and underreporting of incidents continue to limit overall resilience. Advancing Australian government cybersecurity now requires closing control gaps, modernizing aging systems, strengthening logging and detection, and preparing for post-quantum encryption.

Cyble supports this effort with AI-driven threat intelligence, attack surface management, and dark web monitoring to help organizations detect and mitigate risks earlier. Schedule a demo to see how Cyble can help strengthen your organization’s cyber resilience with intelligence-led, proactive defense.

References:

- https://www.cyber.gov.au/about-us/view-all-content/news/progress-ongoing-to-improve-the-australian-governments-cyber-resilience
- https://www.protectivesecurity.gov.au/news/pspf-assessment-report-2024-25
- https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/the-commonwealth-cyber-security-posture-in-2025
Analysis Summary
# Regulation/Compliance: Protective Security Policy Framework (PSPF) & Essential Eight
## Overview
The Protective Security Policy Framework (PSPF) defines the standards, roles, and responsibilities for the protection of Australian Government resources (people, information, and assets). The 2024–25 updates and the associated "Commonwealth Cyber Security Posture Report" transition the mandate from a checklist-based compliance model to an evidence-based, "maturity level" model focused on measurable risk reduction.
## Key Details
- **Issuing Authority:** Australian Signals Directorate (ASD) and the Attorney-General's Department.
- **Effective Date:** Active (with major technical hardening updates issued November 2023).
- **Jurisdiction:** Australian Commonwealth Government.
- **Status:** In Effect (Reporting and assessment phase).
## Requirements
### Mandatory Requirements
1. **PSPF Policy 13 (Technology Lifecycle Management):** Entities must protect ICT systems to ensure secure and continuous service delivery, integrating principles from the ASD Information Security Manual (ISM).
2. **PSPF Policy 14 (Cyber Security Strategies):** Entities **must** implement the ASD’s Essential Eight mitigation strategies and reach at least **Maturity Level 2**.
3. **Incident Preparedness:** Maintenance of formal Incident Response Plans (IRPs).
4. **Governance:** Appointment of a Chief Information Security Officer (CISO) to guide strategy and legislative compliance.
5. **Supply Chain Risk Management:** Conduct risk assessments for all ICT products and services throughout their lifecycle.
### Recommended Practices
1. **Maturity Level 3:** Implementation of Essential Eight controls beyond Level 2 where threat environments warrant.
2. **Incident Reporting:** Reporting 100% of observed cyber incidents to the ASD (current reporting levels are approximately 35%).
3. **Post-Quantum Cryptography:** Transitioning encryption to quantum-resistant standards.
## Affected Organizations
- **Industries:** All Commonwealth Government entities.
- **Organization Size:** All Non-Corporate Commonwealth Entities (NCEs).
- **Geographic Scope:** Federal agencies within Australia.
## Compliance Timeline
- **November 2023:** Hardening of Essential Eight standards (introduction of phishing-resistant MFA and "living off the land" exploit rules).
- **2024–25:** Assessment period for "Effective" compliance ratings.
- **2030:** Target deadline for the transition to post-quantum cryptography standards.
## Implementation Guidance
### Assessment Phase
- **Evidence-Based Reporting:** Entities must move away from "self-attestation" to providing tangible assurance and measurable outcomes of security controls.
- **Legacy Audit:** Identify systems where "Legacy IT" constraints (reported by 59% of entities) prevent reaching Maturity Level 2.
### Implementation Phase
- **Essential Eight Uplift:** Prioritize phishing-resistant Multi-Factor Authentication (MFA) and Application Control.
- **Policy 13 Integration:** Align ICT procurement and maintenance with the ASD Information Security Manual (ISM).
### Validation Phase
- **External Assessment:** Annual PSPF Assessment Reports provided to the government.
- **Cyber Hygiene Improvement Programs (CHIPs):** Ongoing tracking of internet-facing systems (Email protocols, encryption, and DNS).
## Technical Requirements
- **Application Control:** Restricting unauthorized software execution.
- **Patching:** Rapid deployment of updates for applications and operating systems.
- **MFA:** Implementation of phishing-resistant authentication.
- **Privilege Restriction:** Limiting administrative rights based on user roles.
- **Secure Backups:** Maintaining off-site/offline backups to ensure data recovery.
## Penalties & Enforcement
- **Fines:** Not specified as a primary mechanism for Commonwealth entities.
- **Other Consequences:** Reputational damage via public reporting in the "Commonwealth Cyber Security Posture" report; increased oversight from the ASD; potential loss of authority to operate ICT systems.
- **Enforcement:** Managed via the Protective Security Policy Framework (PSPF) reporting cycles and parliamentary oversight.
## Related Standards
- **ASD Information Security Manual (ISM):** Provides the technical deep-dive for PSPF Policy 13.
- **Essential Eight Maturity Model:** The specific technical benchmark for PSPF Policy 14.
## Resources
- **Official Documentation:** https://www.protectivesecurity.gov.au
- **Guidance Documents:** https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/the-commonwealth-cyber-security-posture-in-2025
## Practical Recommendations
- **Bridge the Reporting Gap:** Increase internal transparency to ensure more than the current 35% of incidents are reported to the ASD.
- **Address Legacy IT:** Develop a funded decommissioning or "compensating control" strategy for the legacy systems that 59% of entities report are currently blocking maturity goals.
- **Continuous Training:** Maintain the current trajectory of annual staff cybersecurity training (currently at 87% engagement).