Legacy IT Still Blocking Government Cyber Uplift

Australian government entities have achieved strong protective security compliance results in 2024-25, but critical gaps in technology and cyber maturity remain unresolved, two landmark reports show.

The Department of Home Affairs' Protective Security Policy Framework (PSPF) Assessment Report 2024-25 and the Australian Signals Directorate's (ASD) Commonwealth Cyber Security Posture paint a detailed picture of where Australian government security stands - and where it falls short.

The PSPF report covers 100 Non-Corporate Commonwealth Entities (NCEs) reporting under a new compliance-based model introduced in November 2024.

The ASD report is the sixth annual cyber security posture report tabled before Parliament.

The PSPF Assessment Report found 92 per cent of entities achieved an overall "Effective compliance" rating. No entity recorded an overall "Low compliance" result.

However, the Technology domain - covering ICT lifecycle management, cyber security strategies and programs - was the clear weak point. Just 79 per cent of entities achieved Effective compliance in Technology, the lowest of all six security domains. Seventeen per cent reported Moderate compliance and four per cent Low compliance.

The report notes the Technology domain result "is consistent with previous reporting periods," suggesting this gap is structural rather than incidental.

By contrast, the Information domain - covering classification, information holdings, disposal and sharing - recorded the highest Effective compliance rate at 96 per cent.

PSPF Directions: Mandatory Actions Completed

Five mandatory PSPF Directions were issued during 2024-25, covering Foreign Ownership Control or Influence (FOCI) risks, technology asset stocktakes, ASD cyber security partnership engagement, and the prohibition of DeepSeek and Kaspersky products on government systems.

All entities reported full compliance with all five Directions.

The prohibition on DeepSeek products, covered under Direction 001-2025, follows growing international concern about Chinese-developed AI applications accessing government systems and data. Several allied governments and institutions, including the United States, the United Kingdom and European Union institutions, moved to restrict or ban DeepSeek on government devices in early 2025.

The ban on Kaspersky Lab products under Direction 002-2025 reflects longstanding concerns about Russian-linked software within critical government infrastructure.

Top Security Risks Identified

The top five security risks identified by entities in 2024-25 were: compromise or unauthorised disclosure (58 per cent); trusted or malicious insider (58 per cent); cyber security emerging threats (55 per cent); funding, resources or capability limitations (49 per cent); and cyber security attack (43 per cent).

Governance, risk and compliance (GRC) managers will note that insider threat - both trusted and malicious - ranked equal first alongside data compromise.

The report states: "These identified threats are consistent with previous reporting periods."

Essential Eight Maturity Remains a Challenge

The ASD Cyber Security Posture report highlights that achieving Essential Eight Maturity Level 2 - mandated for all NCEs since 1 July 2022 - remains elusive for most entities.

In 2024-25, just 22 per cent of all government entities achieved Maturity Level 2 or higher across all eight mitigation strategies. This was up from 15 per cent in 2024, but still well below the 25 per cent recorded in 2023.

The report attributes the drop from the 2023 result to ASD hardening the Maturity Level 2 controls in November 2023. Key changes included stricter phishing-resistant multi-factor authentication (MFA) requirements, updated application control rules and a revised approach to data backup prioritisation based on business criticality.

The report identifies MFA as the most problematic strategy: it reached Maturity Level 2 in only 34 per cent of entities in FY2024-25, though this is up from 23 per cent the prior year.

The strongest performer was "Restrict Microsoft Office macros", at 81 per cent.

Legacy IT: Persistent Barrier to Uplift

Legacy IT continues to impede cyber security improvements across government. In 2025, 59 per cent of entities said legacy technology impacted their ability to implement the Essential Eight - down from 71 per cent in 2024, but still representing the majority.

Entities reported insufficient dedicated funding (34 per cent) and lack of a viable replacement (30 per cent) as the most significant reasons for continued legacy IT use.

Despite entities reporting more incidents internally - with 62 per cent reporting at least 80 per cent of incidents to senior executives - external reporting to ASD remains low.

Only 35 per cent of entities reported at least half of observed cyber security incidents to ASD in 2024-25. This is up from 32 per cent in 2023-24 but well below what ASD considers adequate.

The report notes: "Any degradation in the quantity or quality of information reported to ASD reduces our capacity to support the entity to mitigate the impacts of cyber compromise."

ASD responded to 408 cyber security incidents from government entities in 2024-25, representing 33 per cent of all incidents responded to nationally.

Leadership and planning indicators showed improvement. Eighty-two per cent of entities had a documented cyber security strategy in 2025, up from 75 per cent in 2024.

Cyber security training improved significantly, with 87 per cent of entities providing annual training to their full workforce, up from 78 per cent in 2024.

However, privileged user training - critical for IT administrators and system owners - declined to 45 per cent in 2025, down from 51 per cent in 2024.

Supply chain risk assessments also declined, with 70 per cent of entities performing them in 2025, down from 74 per cent in 2024. This is a concern for procurement managers and enterprise architects responsible for vendor risk management.

Post-Quantum Cryptography: A New Priority

The ASD report flags an emerging compliance obligation for IT and security teams. All organisations are encouraged to begin transitioning to post-quantum cryptography by 2030. ASD released new cryptography guidelines in September 2025.

The report warns of the threat posed by a cryptographically relevant quantum computer (CRQC): "CRQC will render common public-key encryption protocols insecure. This means communications, information and data once thought secure, could be at a greater risk of compromise."

A new PSPF Assurance Capability introduced under the 2023-2030 Australian Cyber Security Strategy will pilot verification of entity self-assessments against the 2024-25 results. This is designed to address what the report calls "optimism bias commonly associated with self-assessment."

The PSPF Assessment Report is available at www.protectivesecurity.gov.au. The Commonwealth Cyber Security Posture in 2025 is available at www.cyber.gov.au.