In 2024, the Australian government introduced PSPF Direction 001-2024 in recognition of the potential threats posed by Foreign Ownership, Control, or Influence (FOCI) on technology assets and GovTech (government technology operations). As part of the Protective Security Policy Framework (PSPF), PSPF 001-2024 is a crucial step in evaluating and mitigating cyber risks associated with foreign interference in the procurement and maintenance of technology assets.
This direction aims to enhance national security and strengthen the integrity of Australia's digital governance by safeguarding critical GovTech assets from foreign influence. This blog provides a detailed look at PSPF 001-2024, including key components and strategies organizations can follow to streamline implementation.
PSPF Direction 001-2024 is part of a series of mandatory directions issued in 2024 under the Protective Security Policy Framework (PSPF) by the Secretary of the Department of Home Affairs in Australia. This particular direction focuses on managing the risks associated with Foreign Ownership, Control, or Influence (FOCI) in technology assets used by Australian Government entities.
PSPF 001-2024 requires these entities to identify indicators of FOCI risk during the procurement and maintenance of technology assets, to manage the risks identified, and to report them. Indicators of FOCI risk include substantial foreign ownership, foreign nationals in leadership roles, dependency on foreign funding or suppliers, obligations under foreign laws, and foreign access to sensitive data. Identifying these factors early in a procurement is the precondition for mitigating the associated risks.
The Direction aims to ensure that technology procurements are secure and free from undue foreign influence that could compromise Australia's national interests. It comes in response to growing concerns about foreign interference and vulnerabilities in government supply chains, including a specific incident in which surveillance devices linked to the Chinese government were found in government buildings.
PSPF 001-2024 focuses on several areas to safeguard Australian government entities from potential risks related to foreign involvement in their technology assets. Its key components are the three obligations described above: identifying indicators of FOCI risk in technology assets, managing the risks identified, and reporting them.
These components are designed to enhance the security framework surrounding technology assets within government entities. Each component addresses the potential for foreign interference that could impact national security.
The Secretary of the Department of Home Affairs published PSPF 001-2024 alongside two other mandatory directions. These directions address security risks to the Commonwealth, and the accountable authority of each entity must comply with any direction issued. Additional PSPF directions include:
These three additions follow an earlier direction, PSPF 001-2023, which prohibited the TikTok application on Australian Government devices. The Australian Government made this decision because of the app's security risks, including its extensive collection of user data and its exposure to extrajudicial directions from a foreign government.
PSPF Direction 001-2024 binds the Australian Government entities that are subject to the PSPF, in particular those that procure and maintain technology assets and handle classified information. Each of these entities must ensure that its procurement and maintenance of technology assets comply with the Direction, so that risks associated with foreign influence are mitigated and the security and integrity of its operations are preserved.
Organizations typically required to adhere to these types of directions include:
The Protective Security Policy Framework (PSPF) does not prescribe specific fines or punitive measures for non-compliance. The PSPF is concerned with ensuring that entities have proper measures in place to protect people, sensitive information, and assets from security threats, rather than with penalizing non-compliance.
The framework instead emphasizes accountability: the accountable authority of each entity is responsible for achieving and maintaining compliance, and entities report on their compliance through the PSPF's annual reporting process. Oversight of the framework sits with the Department of Home Affairs, which took over this role from the Attorney-General's Department.
Complying with PSPF 001-2024 strengthens national security and enhances organizational integrity in technology procurement and maintenance. Below are five steps to fortify your organization against potential foreign threats while maintaining robust security protocols.
The first step to comply with PSPF 001-2024 involves thoroughly identifying FOCI risks in the procurement and maintenance of technology assets. Organizations need to conduct comprehensive audits of all GovTech suppliers and vendors, delving into their ownership structures to determine the level of foreign involvement. These assessments should go beyond simple ownership to include affiliations that could potentially exert control or influence.
Risk assessment tools can help by scoring potential FOCI threats against consistent criteria, such as a technology provider's country of origin, historical compliance record, and political connections. This identification phase should be an ongoing process rather than a one-off exercise, with entities regularly revising their risk assessments as the technological and geopolitical landscapes evolve.
Once potential FOCI risks have been identified, the next step is to create effective management strategies. This process involves establishing specific control measures customized to mitigate the identified risks, such as implementing access controls and authentication, encrypting sensitive data, and segregating critical systems from those managed by potentially compromised entities.
Furthermore, organizations need to develop comprehensive incident response plans that are ready to be activated if a risk materializes. These plans should address potential scenarios of foreign compromise and outline clear steps for containment and remediation. These strategies should not be static; continual improvement based on regular risk evaluations and audit findings is crucial to remain effective against evolving foreign threats.
Establish robust reporting mechanisms to ensure transparency and ongoing monitoring. Organizations should set up a regular reporting framework to keep all relevant stakeholders and required parties informed about the current FOCI risk landscape and the effectiveness of the management strategies in place.
Using real-time dashboards can provide stakeholders with a continuous view of FOCI risks, which can enhance decision-making processes. It is also crucial to maintain detailed records of any changes in risk profiles or management approaches. These records are essential for regulatory compliance and can offer valuable insights during audits.
An organization's procurement policies play a crucial role in preventing FOCI risks from materializing. These policies should be reviewed regularly to ensure that they reflect the current risk environment and include strict measures to mitigate potential foreign influence. This review may involve updating the supplier selection process so that checks for foreign ownership, control, and influence are standard selection criteria.
Additionally, the terms and conditions of contracts with suppliers should be revised to allow for regular audits, impose strict reporting requirements, and enable termination in the event of a breach related to foreign influence. Ensuring that these policies are up-to-date and rigorously enforced is essential for maintaining the integrity of the organization’s technology assets against foreign threats.
It is essential for organizations to maintain thorough documentation and compliance materials. This documentation involves systematically recording all processes related to risk assessment, mitigation strategies, and audit outcomes within a centralized document management system. This system ensures secure storage and easy access and should include secure version control to comply with relevant regulatory requirements.
Organizations should also keep detailed records of compliance training, policy changes, and control measure implementation. Regular reviews and updates of these information security practices are necessary to keep up with regulatory changes and improve the organization's ability to manage and verify compliance against foreign influences. This practice helps to strengthen operational integrity and trustworthiness in national security risk management.
Boost your organization's risk management processes with UpGuard's powerful tools for identifying and mitigating cybersecurity threats. UpGuard’s comprehensive cybersecurity management tools make monitoring your cybersecurity posture and vendors simple—all in one centralized dashboard.
UpGuard Breach Risk illuminates your organization’s external attack surface, allowing you to discover and remediate risks ten times faster with continuous monitoring capabilities. Additional features include:
UpGuard Vendor Risk provides complete visibility of your third-party risk, helping you identify vendor risks sooner and complete risk assessments twice as fast. Additional Vendor Risk features include: