
Home Affairs updates Protective Security Policy Framework

Non-corporate Commonwealth entities have until 31 October to remove all products and services on the government’s Deny List.


The Australian government’s Department of Home Affairs has released an update to its Protective Security Policy Framework (PSPF) that will require non-corporate Commonwealth entities to remove certain applications and web services by the end of October.

In addition, those same entities will be required to implement policies “to consider sharing risk assessments through the Department of Home Affairs Centralised Risk Sharing Capability” from 2 February 2026.

“After considering threat and risk analysis, I have determined that further guidance is required to respond to the growing use of products, applications and web services within Australian government entities that pose an unacceptable level of security risk to Australian government networks and data arising from threats of foreign interference, espionage and sabotage,” Stephanie Foster, secretary of the Department of Home Affairs, said in the 22 October PSPF Direction 004-2025.

 
 

The problematic applications and services that are to be removed are listed in the Deny List of the Commonwealth Technology Standard. Any additions made to this list in the future must also be addressed and either removed or prevented from being installed going forward.

Exemptions, however, may be made for “legitimate business reasons”, such as when a given application is necessary for regulatory functions, including those related to national security and law enforcement entities.

Sarah Sloan, senior director APAC government strategy at data observability firm Splunk, welcomed the move as “a significant advancement in technology governance and the security of Australia’s public sector”.

“This Direction affirms the government’s commitment to adopting secure and verifiable technologies, building digital ecosystems resilient to threats such as foreign interference, espionage, and sabotage,” Sloan said.

It also highlights the critical importance of selecting products that have undergone independent assessment through the Australian government’s Information Security Registered Assessors Program (IRAP), ensuring alignment with the rigorous security standards set by the Australian Signals Directorate.

“The introduction of shared risk assessments represents a positive and pragmatic shift, reducing duplication, promoting regulatory harmonisation, and enabling agencies to focus on managing genuine risks more effectively. We commend this proactive approach and look forward to ongoing collaboration to further strengthen the resilience of Australia’s government infrastructure,” Sloan said.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
