Why you need to care about a strange new thing called the PSPF
- scott79619
- Sep 13, 2021
- 2 min read
Updated: Sep 24, 2021

In early 2020, attackers later attributed by the US government to Russia's foreign intelligence service (the SVR) compromised the build environment of SolarWinds, a Texas-based software company, and inserted a backdoor into legitimately signed updates for its widely used Orion network management platform. Because the updates came from the vendor and carried the vendor's signature, customers had no reason to treat them as anything but routine.
Roughly 18,000 SolarWinds customers installed the trojanised updates between March and June 2020, among them US government agencies such as the Treasury, the Pentagon, the Department of Homeland Security and the National Nuclear Security Administration.
The backdoor gave the attackers a foothold inside those networks; from there they picked a much smaller set of targets to dig deeper into and exfiltrate data from. We still don't know exactly what they took, but their access was both deep and broad, and the campaign went undetected until FireEye disclosed it in December 2020.
The SolarWinds compromise was one of the largest supply-chain breaches in recent memory, and it is unlikely to be the last, which goes some way to explaining why the Australian government is tightening its protective security.
One of the main ways the government is doing this is through an initiative known as the Protective Security Policy Framework (PSPF).
But what is the PSPF and, more importantly, how does it impact you?
The PSPF explained
The PSPF is the set of security policies the Australian government expects its departments and agencies (non-corporate Commonwealth entities) to follow. It is organised around four desired outcomes covering:
security governance
personnel security
information security
physical security
At the heart of the PSPF sit 16 core requirements, which set out what government entities must do to achieve those outcomes. They include:
Ensuring only the right people have access to official information
Having physical security measures in place to protect people, information and assets
Safeguarding information from cyber threats
Conducting pre-employment security checks and ongoing assessments on employees’ suitability
Making sure sensitive and classified data has the right security labelling
Ensuring contracted providers comply with relevant PSPF requirements
The eagle-eyed among you will likely have spotted the relevance of that last bullet point: the agency's obligations flow down to the companies it contracts with.
Why you need to care about the PSPF fast
The government knows foreign intelligence services, criminals and other threat actors are always looking for new ways to compromise national security. And, as the SolarWinds saga clearly illustrates, one of the government's biggest exposures lies in its supply chain: a supplier's weak security becomes the agency's breach.
So any company that wants to bid for government contracts, or keep the ones it already has, increasingly needs to include a PSPF plan with its proposals and contracts, showing how it meets the requirements relevant to the goods or services it supplies.
Or, to put it another way, any supplier that fails the PSPF test will miss out on future tenders and put its existing contracts at risk. Ouch.
This means you've got yet another resource-intensive compliance hoop to jump through, with high stakes attached if your team gets it wrong.
But there is a better way.
At Compliance Now, we can help your business put a solid PSPF plan in place so you don't miss out on government work. It will typically cost less than tying up your own staff, and you get the peace of mind of knowing it was done by security specialists.

Get your PSPF plan in place before you miss out on government tenders. Email us at hello@compliancenow.com.au to get the ball rolling.
