Protective Security Policy Framework to Microsoft Purview capability mapping

This article is a key component of the Australian Government Microsoft Purview Information Protection Guide. It lists Protective Security Policy Framework (PSPF) requirements that are relevant to Microsoft Purview configurations. It also provides guidance on how Microsoft Purview and other Microsoft 365 capabilities can be configured to meet the stated requirements and provides links to sections of the guide where these capabilities are further discussed.

Protective Security Policy Framework

The Protective Security Policy Framework (PSPF) sets the Australian Government's minimum protective security standards to achieve effective and efficient secure delivery of government business, both domestically and internationally.

For more information about PSPF, see Protective Security Policy Framework.

Sections of PSPF Release 2024 that relate most closely to Microsoft Purview Information Protection configurations are:

  • Section 9 - Classifications & Caveats
  • Section 10 - Information Holdings
  • Section 12 - Information Sharing
  • Section 17 - Access to Resources

Key to understanding PSPF application to email services is the Australian Government Email Protective Marking Standard, which is referenced in this document.

PSPF includes a reporting mechanism that allows organizations to report on their level of maturity across the various PSPF policies. The intent is that this guide allows organizations with low levels of maturity to improve their PSPF maturity to 'Managing' or 'Embedded' levels with reduced effort. For more information on PSPF maturity levels, see: Protective Security Policy Framework Assessment Report 2022-23

PSPF Section 9 - Classifications & Caveats

Requirements listed here are based on PSPF Release 2024 Section 9 - Classifications & Caveats (updated November 1 2024).

PSPF Section 9 details how entities correctly assess the sensitivity or security classification of their information and adopt marking, handling, storage, and disposal arrangements that guard against information compromise.

Only requirements relevant to Microsoft Purview and associated configurations are listed.

Requirement 58

The originator remains responsible for controlling the sanitization, reclassification, or declassification of official and security classified information, and approves any changes to the information’s security classification.

  • Record an auditable trail of all label-related activities, including the removal or lowering of applied sensitivity labels, together with the user who made each change and their stated justification. See: Label change justification; Audit log
  • Report on users undertaking activities deemed risky to information security, including label downgrade and exfiltration sequences. See: User-risk based approach; Monitoring sharing through Insider Risk Management
  • Automatically impose additional data security controls on users who are undertaking risky activity, such as lowering an applied security classification. See: Adaptive protection
  • Apply encryption that restricts the ability of internal users or guests to modify items, preserving the item and its applied marking or classification. See: Allocating label encryption permissions
  • Detect items whose classification has been lowered, via their protective markings, and prevent their further distribution. See: Blocking reclassified email
  • Prevent reclassification by declaring items as records, which locks them against further changes, including changes to the applied sensitivity label. See: Preventing reclassification

Requirement 59

The value, importance, or sensitivity of official information (intended for use as an official record) is assessed by the originator by considering the potential damage to the government, the national interest, organizations, or individuals that would arise if the information’s confidentiality were compromised.

  • Require users to identify the sensitivity of items (files and emails) via sensitivity labels. See: Labeling client experience; Mandatory labeling; Sensitivity labeling PDF integration
  • Apply protective markings to locations (sites and Teams) and apply protections to marked locations. See: Sensitivity label groups and sites configuration
  • Define the sensitivity of meetings and implement associated operational controls. See: Sensitivity labeling for calendar items and Teams meetings
  • Require users to identify the sensitivity of Power BI workspaces via sensitivity labels. See: Power BI and data integration
  • Apply labels to sensitive information residing in database systems. See: Azure data governance
  • Apply email headers that can be used to identify the sensitivity of incoming items and apply appropriate controls. See: Labeling of email during transport

Requirement 60

The security classification is set at the lowest reasonable level.

  • Give users an opportunity to assess the value, importance, and sensitivity of items when selecting a sensitivity label. See: Mandatory labeling
  • Guide users in assessing item sensitivity through label pop-up dialog boxes containing label descriptions, visible during label selection. See: Label description for users
  • Configure an organization-specific Learn more link, accessible from the label selection menu, that gives users further guidance on appropriate labels for types of information. See: Custom help page
  • Assist users in assessing information holdings by detecting under-classified items and recommending re-evaluation where appropriate. See: Recommending labels based on sensitive content detection
  • Assist with assessment by identifying sensitive data that is taken from, or exists within, database applications or similar platforms. See: Exact Data Match Sensitive Information Types
  • Assist with assessment by using machine learning to identify items that would typically be regarded as sensitive. See: Trainable classifiers
  • Assist users by recommending labels that align with markings applied by external organizations. See: Recommendations based on external agency markings
  • Assist users by recommending labels that align with historical markings. See: Recommendations based on historical markings; Auto-labeling items with historical security classifications
  • Assist users by recommending labels that align with markings applied by non-Microsoft classification solutions. See: Recommendations based on markings applied by non-Microsoft tools
  • Assist with assessment by showing users a DLP policy tip when sensitive information is detected in an item. See: DLP policy tips ahead of violation
  • Identify sensitive information residing within database systems, label it in place, and allow the label to be inherited by downstream systems. See: Power BI and Azure Purview; Microsoft Purview Data Map

Requirement 61

Security classified information is clearly marked with the applicable security classification, and when relevant, security caveat, by using text-based markings, unless impractical for operational reasons.

  • Apply text-based protective markings to sensitive and security classified information. See: Sensitivity label content marking; Information marking strategies
  • Microsoft Office clients clearly identify an item's sensitivity via client-based label markings. See: Labeling client experience
  • Apply colour-coded markings to assist users with sensitivity identification. See: Label color
  • Apply markings to locations, such as sites or Teams, identifying the highest level of item sensitivity that should exist at the location or container. See: Data out-of-place alerting
  • Clearly identify item sensitivity to users working in SharePoint-based directories (sites, Teams, or OneDrive). See: SharePoint location and item sensitivity

Requirement 62

The minimum protections and handling requirements are applied to protect OFFICIAL and security classified information.

  • Information stored in Microsoft 365 datacenters is encrypted at rest using BitLocker. See: Encryption overview
  • Require Transport Layer Security (TLS) for email transmission of sensitive items, ensuring they are encrypted when transferred over public networks. See: Requiring TLS encryption for sensitive email transmission
  • Configure granular access control for marked locations (sites or Teams), blocking users, devices, or locations that don't meet access or clearance requirements. See: Unmanaged device restrictions; Authentication context
  • Maintain need-to-know by restricting sharing and guest access and controlling the privacy configuration of marked locations. See: Sensitivity label groups and sites configuration
  • Apply DLP policies to enforce need-to-know and restrict distribution of items to unauthorized or uncleared internal users and external organizations. See: Limiting distribution of sensitive information
  • Encrypt sensitive or security classified items, providing access control so that only authorized users can access the contained information regardless of the item's location. See: Sensitivity label encryption
  • Apply protections, including encryption, sharing, and DLP controls, to exports or PDFs generated from labeled source systems. See: Power BI and data integration
  • Identify items marked with historical security classifications and either auto-align them with modern markings or maintain the historical label along with the required controls. See: Recommendations based on historical markings

Requirement 63

The Australian Government Security Caveat Standard and special handling requirements imposed by the controlling authority are applied to protect security caveated information.

  • Mark caveated information and its associated Dissemination Limiting Markers (DLMs) or classification via the sensitivity label structure. See: Required sensitivity label taxonomy
  • Mark caveats on associated items as text. See: Sensitivity label content marking; Subject-based markings
  • Record all incoming and outgoing material transfers. See: Audit log
  • Apply caveat distribution and/or access restrictions. See: Limiting distribution of sensitive information; Sensitivity label encryption

Requirement 64

Security caveats are clearly marked as text and only appear in conjunction with a security classification of PROTECTED or higher.

  • Mark caveated information and its associated Dissemination Limiting Markers (DLMs) or classification via the sensitivity label structure. See: Required sensitivity label taxonomy
  • Mark caveats on associated items as text. See: Sensitivity label content marking; Subject-based markings

Requirement 66

Accountable material is handled in accordance with any special handling requirements imposed by the originator and security caveat owner detailed in the Australian Government Security Caveat Standard.

  • Configure sensitivity labels that can be applied to accountable material to better identify and protect the contained information. See: Accountable material
  • Prevent the unauthorized distribution of accountable material. See: Preventing inappropriate distribution of security classified information
  • Apply encryption to items so that only authorized users can access them. See: Sensitivity label encryption
  • Identify and report on the location of accountable material across a Microsoft 365 environment. See: Content Explorer

Requirement 67

The Australian Government Email Protective Marking Standard is applied to protect OFFICIAL and security classified information exchanged by email in and between Australian Government entities, including other authorized parties.

  • Apply protective markings to emails so that they can be interpreted by receiving government organizations. See: Email marking strategies using Microsoft Purview for Australian Government
  • Apply protective markings via email metadata (x-headers). See: Applying x-protective-marking headers via DLP policy
  • Apply protective markings via the email subject. See: Applying subject-based email markings
  • Maintain classifications by applying the corresponding sensitivity label to security classified email on receipt. See: Labeling of email during transport
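The email marking capabilities above (Requirement 58's blocking of reclassified email, Requirement 64's rule that caveats only accompany PROTECTED or higher, and Requirement 67's header and subject markings) all come down to parsing the X-Protective-Marking header or the bracketed subject marking and comparing classifications. The following Python is an added example, not code from this guide or from Microsoft Purview, of the logic a DLP rule encodes. The marking syntax (comma-separated KEY=VALUE tokens such as SEC=, CAVEAT=, ACCESS= and ORIGIN=), the classification ordering, and the sample values are assumptions based on the Australian Government Email Protective Marking Standard and should be checked against the published standard.

```python
"""EPMS marking parser with downgrade and caveat-placement checks.

Added example, not code from the Microsoft guide or from Microsoft Purview.
The header syntax (comma-separated KEY=VALUE tokens), the classification
ordering and the sample values below are assumptions based on the Australian
Government Email Protective Marking Standard.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed ordering: a lower index means a lower sensitivity.
CLASSIFICATIONS = ["UNOFFICIAL", "OFFICIAL", "OFFICIAL:Sensitive",
                   "PROTECTED", "SECRET", "TOP-SECRET"]
RANK = {name: i for i, name in enumerate(CLASSIFICATIONS)}
CAVEAT_FLOOR = RANK["PROTECTED"]  # PSPF Requirement 64

# Subject markings are assumed to look like "[SEC=PROTECTED, CAVEAT=SH:CABINET]".
SUBJECT_MARKING = re.compile(r"\[(SEC=[^\]]+)\]")


@dataclass
class Marking:
    sec: str
    caveats: list[str] = field(default_factory=list)  # CAVEAT= tokens
    access: list[str] = field(default_factory=list)   # ACCESS= tokens (DLMs)
    origin: Optional[str] = None                      # ORIGIN= token


def parse_marking(value: str) -> Marking:
    """Parse a header value such as
    'VER=2018.4, NS=gov.au, SEC=PROTECTED, CAVEAT=SH:CABINET, ORIGIN=a@x.gov.au'.
    Fails closed: anything without a recognised SEC= value raises ValueError,
    so a malformed marking is treated as a violation rather than as unmarked."""
    sec, caveats, access, origin = None, [], [], None
    for token in value.split(","):
        token = token.strip()
        if not token:
            continue
        key, sep, val = token.partition("=")
        if not sep or not val:
            raise ValueError(f"malformed token: {token!r}")
        key = key.upper()
        if key == "SEC":
            if val not in RANK:
                raise ValueError(f"unknown classification: {val!r}")
            sec = val
        elif key == "CAVEAT":
            caveats.append(val)
        elif key == "ACCESS":
            access.append(val)
        elif key == "ORIGIN":
            origin = val
        # VER, NS, NOTE and other keys are accepted but not used here.
    if sec is None:
        raise ValueError("marking has no SEC= value")
    return Marking(sec, caveats, access, origin)


def parse_subject(subject: str) -> Optional[Marking]:
    """Extract the bracketed marking from a subject line, if one is present."""
    m = SUBJECT_MARKING.search(subject)
    return parse_marking(m.group(1)) if m else None


def caveat_placement_ok(marking: Marking) -> bool:
    """Requirement 64: caveats may only appear with PROTECTED or higher."""
    return not marking.caveats or RANK[marking.sec] >= CAVEAT_FLOOR


def downgrade_findings(original: Marking, reply: Marking) -> list[str]:
    """Requirement 58: a reply or forward must not lower the classification or
    drop caveats the originator applied. Empty list means no downgrade."""
    findings = []
    if RANK[reply.sec] < RANK[original.sec]:
        findings.append(f"classification lowered {original.sec} -> {reply.sec}")
    dropped = sorted(set(original.caveats) - set(reply.caveats))
    if dropped:
        findings.append("caveat removed: " + ", ".join(dropped))
    return findings


def evaluate(original_header: str, reply_header: str) -> dict:
    """The decision a DLP rule would make for an outgoing reply: 'block' with
    reasons, or 'allow'. Markings that cannot be parsed are blocked."""
    try:
        original = parse_marking(original_header)
        reply = parse_marking(reply_header)
    except ValueError as exc:
        return {"action": "block", "reasons": [str(exc)]}
    reasons = downgrade_findings(original, reply)
    if not caveat_placement_ok(reply):
        reasons.append(f"caveat present on {reply.sec} (below PROTECTED)")
    return {"action": "block" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample values, not real messages.
    original = ("VER=2018.4, NS=gov.au, SEC=PROTECTED, CAVEAT=SH:CABINET, "
                "ORIGIN=a.user@agency.gov.au")
    reply = "VER=2018.4, NS=gov.au, SEC=OFFICIAL:Sensitive, ORIGIN=b.user@agency.gov.au"
    print(evaluate(original, reply))
    print(parse_subject("RE: Budget brief [SEC=PROTECTED, CAVEAT=SH:CABINET]"))
```

In the Purview configuration, the same comparison is made by a DLP rule that matches the reply's marking against the label or header of the message it answers; `evaluate` returns the block-or-allow decision together with the reasons a policy tip or audit record would carry, and it fails closed on any marking it cannot parse rather than treating it as unmarked.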

Requirement 68

The Australian Government Recordkeeping Metadata Standard’s 'Security Classification' property (and where relevant, the 'Security Caveat' property) is applied to protectively mark information on technology systems that store, process, or communicate security classified information.

  • Index the Security Classification, Security Caveat, and Dissemination Limiting Marker properties via SharePoint search, aligning with AGRkMS requirements. See: Managing classification and caveat metadata
  • Apply X-Protective-Marking x-headers to meet email metadata requirements as per PSPF Policy 8 Annex F. See: Applying x-protective-marking headers via DLP policy
  • Apply metadata to database columns containing sensitive information in connected database systems. See: Power BI and data integration

Requirement 69

Apply the Australian Government Recordkeeping Metadata Standard’s 'Rights' property where the entity wishes to categorize information content by the type of restrictions on access.

  • Implement additional metadata properties to facilitate appropriate management and use of sensitive records, or records with particular access and use restrictions. See: Rights property

Requirement 70

Security classified discussions and dissemination of security classified information are only held in approved locations.

  • Apply protective markings to Teams meeting invitations and Outlook calendar items, and apply controls to calendar items, such as encryption of meeting attachments. See: Labeling of calendar items
  • Apply protective markings to Teams meetings and configure advanced controls to protect classified conversations, including end-to-end encryption and meeting watermarks. End-to-end encryption of Teams meetings gives users assurance that sensitive or security classified discussions can't be read in transit by intermediaries. See: Teams Premium label configuration

PSPF Section 10 - Information Holdings

Requirements listed here are based on PSPF Release 2024 Section 10 - Information Holdings (updated November 1 2024).

Only requirements relevant to Microsoft Purview and associated configurations are listed.

Requirement 71

Entity implements operational controls for its information holdings that are proportional to their value, importance, and sensitivity.

  • Prevent inappropriate distribution of security classified information by using Data Loss Prevention (DLP) policies based on sensitivity labels. See: Protecting classified information
  • Prevent inappropriate distribution of sensitive information by using DLP policies targeting sensitive content. See: Protecting sensitive information
  • Provide visual markings on individual items that reflect the security classification applied to the information within the item. See: Sensitivity label content marking
  • Provide visual markings that reflect the highest level of sensitivity that should exist within a location (site or team). See: SharePoint location and item sensitivity
  • Configure location privacy settings based on the sensitivity label applied to the location. See: Label privacy settings
  • Enable or disable guest access to a location, and to items within it, based on the location's applied label. See: Guest access configuration
  • Control Microsoft 365 sharing configuration for a SharePoint-based location (site or Team) depending on the label applied to the location. See: Label sharing configuration
  • Provide user notification and alerting for highly sensitive items located in lower-sensitivity locations. See: Data out-of-place alerting
  • Configure additional requirements for access to highly sensitive locations (sites or Teams), for example from unmanaged devices, unsafe devices, or unknown locations. See: Conditional access; Authentication context; Protecting classified information; Adaptive protection
  • Encrypt highly sensitive items to prevent access by unauthorized users, regardless of the item's location. See: Sensitivity label encryption
  • Configure access and usage restrictions for groups of internal users or guests. See: Allocating label encryption permissions
  • Restrict the movement of security classified items, or their contained information, to locations where access or further distribution can't be controlled. See: Preventing download or print of security classified items; Preventing upload of security classified items to unmanaged locations

PSPF Section 12 - Information Sharing

Requirement 75

Access to security classified information or resources is only provided to people outside the entity with the appropriate security clearance (where required) and a need-to-know, and is transferred in accordance with the Minimum Protections and Handling Requirements.

  • Restrict access to locations containing sensitive or classified information to authorized users only. See: Authentication context
  • Integrate sensitivity labeling and DLP: policies can be constructed to prevent sharing (via email or share action) of items with certain markings to unauthorized users. See: Preventing email distribution of classified information to unauthorized organizations; Preventing email distribution of classified information to unauthorized users; Preventing sharing of security classified information
  • Provide DLP policy tips that warn users ahead of a policy violation, reducing the likelihood of disclosure through, for example, mistaken identity. See: DLP policy tips ahead of violation
  • Monitor, alert on, and/or block attempts to share or email labeled items to users without the appropriate security clearance. See: DLP event management
  • Configure privacy options for sites or Teams based on the location's marking. This prevents open access for users without a need-to-know, puts Team or location owners in control of access, and helps meet Supporting Requirement 2 by not automatically providing access based on status, rank, or convenience. See: Label privacy settings
  • Configure sharing restrictions for a site or Team so that items in marked locations can only be shared with internal users. See: Label sharing configuration
  • Use label encryption to control access to labeled content, ensuring only authorized users can access it. See: Enabling label encryption
  • Alert when security classified or marked information is moved to lower-sensitivity locations where it is more easily accessed by unauthorized users. See: Data out-of-place alerting

Requirement 76

The Memorandum of Understanding between the Commonwealth, States, and Territories is applied when sharing information with state and territory government agencies.

  • State government agencies that hold or access Australian Government security classified information apply the relevant PSPF protective security measures to that information. See: Australian State Government requirements to Microsoft Purview capability mapping
  • Ensure information is labeled and protected where state and federal security classification syntax doesn't align. See: Labels for organizations with differing label taxonomies
  • Protect information classified with an Australian Government security classification. See: Preventing inappropriate distribution of security classified information
  • Ensure information marked with an Australian Government security classification is protected via DLP regardless of the applied sensitivity label. See: Controlling email of marked information

Requirement 77

An agreement or arrangement, such as a contract or deed, that establishes handling requirements and protections, is in place before security classified information or resources are disclosed or shared with a person or organization outside of government.

  • Configure Terms of Use as part of a Conditional Access policy, so that guests must agree to terms before they are permitted access to items. This complements written agreements between organizations. Microsoft Entra B2B configuration is out of scope of this guide (see note 1); the concepts are introduced under Conditional access.
  • Implement restrictions that prevent sharing of security marked or classified information, and of other types of sensitive information, with external organizations. Exceptions can be applied so that sharing is allowed to an approved list of organizations with which formal agreements exist. See: Limiting distribution of sensitive information
  • Configure encryption that restricts guest access to information (files or email) except for users or organizations for which permissions are configured. See: Sensitivity label encryption
  • Configure guest access to permit collaboration (including sharing, co-editing, chat, and Teams membership) only with approved organizations with which formal agreements exist. Microsoft Entra B2B configuration is out of scope of this guide (see note 1); the concepts for restricting guest access to labeled items are introduced under Guest access configuration.
  • Audit guest access and membership, prompting resource owners to remove guests when no longer required and recommending removal when resources aren't being accessed. Microsoft Entra B2B configuration is out of scope of this guide (see notes 1 and 2).

Note

1 For more information about Microsoft Entra B2B configuration, see Microsoft Cloud Settings for B2B collaboration.

2 For more information on access reviews, see Access reviews.

PSPF Section 17 - Access to resources

Requirement 129

Access to official information is facilitated for entity personnel and other relevant stakeholders.

  • Restrict sharing, privacy, and/or guest access based on the sensitivity label applied to a Team or SharePoint location. See: Sensitivity label groups and sites configuration
  • Restrict sharing, or caution users, when they attempt to share labeled content with unauthorized internal or external groups. See: Preventing inappropriate distribution of security classified information; Limiting distribution of sensitive information
  • Prevent delivery of labeled emails or email attachments to unauthorized recipients. See: Preventing email distribution of classified information to unauthorized organizations; Preventing email distribution of classified information to unauthorized users
  • Restrict the upload of labeled content to non-approved cloud services or locations where it can be further distributed or accessed by unauthorized users. See: Preventing the upload of security classified items to unmanaged locations
  • Prevent access to labeled items (files or emails) by unauthorized users where the items have been shared inappropriately. See: Sensitivity label encryption
  • Prevent labeled items from being uploaded to non-approved cloud services, printed, copied to USB, or transferred via Bluetooth or a non-allowed app. See: Preventing sharing of security classified information; Preventing the download or printing of security classified items

Requirement 130

Appropriate access to official information is enabled, including controlling access (including remote access) to supporting technology systems, networks, infrastructure, devices, and applications.

  • Use Conditional Access (CA) to restrict access to Microsoft 365 applications to approved users, devices, and locations, and only when authentication requirements are met. See: Conditional access
  • Provide granular access control for locations labeled as sensitive or security classified. See: Authentication context
  • Assess user authentication and authorization at the time of access to encrypted items (files or email). See: Sensitivity label encryption

Requirement 131

Access to security classified information or resources is only given to entity personnel with a need-to-know that information.

  • Use initiative-specific sensitivity labels with encryption enabled to prevent those without a need-to-know from accessing security classified information. See: Azure Rights Management encryption; Enabling label encryption
  • Use Azure Rights Management encryption with options that let users apply custom permissions, ensuring only the people they specify can access encrypted items. See: Let users decide
  • Restrict sharing by Team members so that Owners are responsible for any information sharing. See: Other sharing scenarios

Requirement 132

Personnel requiring ongoing access to security classified information or resources are security cleared to the appropriate level.

  • Configure DLP policies to prevent distribution of security classified information to users who aren't cleared to the appropriate level. See: Preventing email distribution of classified information to unauthorized organizations
  • Limit access to locations containing security classified (or caveated) information to individuals cleared to the appropriate level. See: Authentication context
  • Help prevent security classified or marked information from being moved to lower-sensitivity locations where it is easily accessed by unauthorized users. See: Data out-of-place alerting
  • Configure encryption so that users who leave the organization no longer have access to sensitive material. See: Sensitivity label encryption

Requirement 133

Personnel requiring access to caveated information meet any clearance and suitability requirements imposed by the originator and caveat controlling authority.

  • Encrypt items and configure permissions so that only authorized external users whose clearance status has been assessed can access them. See: External user access to encrypted items
  • Ensure only appropriately cleared users within your organization can receive security classified information. See: Preventing email distribution of classified information to unauthorized users

Requirement 134

A unique user identification, authentication, and authorization practice is implemented on each occasion where system access is granted, to manage access to systems holding security classified information.

  • Configure Conditional Access (CA) policies that require user identification and authentication, including additional factors such as MFA, a managed device, or a known location, before granting access to services. See: Conditional access
  • Apply additional Conditional Access requirements when users access locations marked with certain labels. See: Authentication context
  • Configure label encryption, which confirms identity, authentication, and authorization each time a user accesses an encrypted item. See: Sensitivity label encryption