Cyber security advisory for federal agencies
PSPF, ISM, and Essential Eight compliance delivered by AGSVA-cleared consultants with hands-on Commonwealth experience. Meet your compliance obligations with confidence.
The complexity of government compliance
Australian federal agencies navigate a challenging compliance landscape. Strategic Cyber is built to simplify it.
PSPF maturity reporting burden
Annual PSPF maturity assessments require rigorous evidence collection and reporting. Demonstrating your maturity level involves coordination across teams and documentation that must stand up to external scrutiny.
ISM control complexity at scale
The Information Security Manual spans hundreds of controls across multiple domains. Implementing, tracking, and demonstrating compliance across your agency requires a systematic approach and sustained effort.
Essential Eight mandate pressure
Essential Eight is now a baseline requirement for Commonwealth agencies. Achieving and maintaining maturity across your distributed environment — with legacy systems, diverse teams, and competing priorities — requires dedicated focus.
Governance and coordination challenges
Maintaining compliance across distributed departments and agencies requires clear governance, consistent communication, and ongoing assurance. Compliance drift happens fast when coordination breaks down.
How we help federal agencies
We combine deep government experience with practical advisory to reduce compliance complexity and build sustainable cyber maturity.
ISM Alignment Assessment
Control-level gap assessment with remediation roadmap aligned to your agency's risk appetite.
PSPF Advisory & Maturity Reporting
Annual maturity assessments, evidence gathering, and board-ready reporting for PSPF compliance.
Essential Eight Assessment & Uplift
Gap analysis and implementation support to achieve and maintain E8 maturity across your agency.
Cyber Risk Advisory
Security risk assessments, governance frameworks, and board-level reporting aligned to ISM and PSPF.
vCISO / Embedded Advisory
Fractional cyber leadership, governance oversight, and compliance coordination for your agency.
IRAP Assessment
ASD-aligned security assessment for systems and platforms handling classified data.
Expertise tailored to government complexity
Federal agencies need a partner who understands ISM, PSPF, and government operating context — deeply and practically.
Canberra-based, government proximity
We're headquartered in Braddon, in the heart of Australia's government sector. This proximity means we understand the context, the pace, and the players. We're embedded in the Commonwealth environment, not outside it.
AGSVA-cleared consultants
Our entire team holds current AGSVA security clearances. We've worked within Commonwealth agencies, understand the security culture, and know what compliance means in practice — not just in theory.
Deep government compliance knowledge
We understand ISM inside and out — not just the controls, but how to implement them in real Commonwealth environments. Same for PSPF reporting, Essential Eight in distributed agencies, and IRAP assessments for government systems.
In-house IRAP assessor
Our in-house IRAP assessor is ASD-accredited. If your agency operates systems requiring IRAP assessment, you have assessment capability on your team — no external hunting required.
The compliance landscape
Common questions from government agencies
How do PSPF, ISM, and Essential Eight fit together?
They stack. PSPF is the "what" — the policy framework covering governance, personnel, physical, and information security expected of Commonwealth entities. ISM is the "how" — the technical control baseline that operationalises the information security parts of PSPF. Essential Eight is a key subset of ISM controls focused on the highest-impact mitigations. We help you understand how they interact and implement all three cohesively.
What does PSPF maturity reporting involve?
PSPF maturity is assessed across five domains: Personnel, Physical, ICT, Governance, and Administration. Each year, agencies must demonstrate their maturity level with evidence across all domains. We help you gather evidence, structure your response, and prepare board-ready reporting that shows your actual maturity and identifies improvement areas.
Can you support IRAP assessments for our systems?
Yes. Our in-house IRAP assessor is ASD-accredited. If your agency operates systems handling classified or sensitive Commonwealth data, we can conduct IRAP assessments and provide the independent assurance required for accreditation. We also help with remediation and readiness preparation leading up to assessment.
How do you work with distributed agency teams?
Commonwealth agencies often have compliance responsibilities across multiple locations and teams. We work with your governance structure, coordinate with relevant stakeholders, and help establish repeatable processes for compliance across the enterprise. Our vCISO service is particularly valuable for coordinating security across distributed teams.
Do you have experience with government procurement and compliance?
Yes. Our team has hands-on experience with Commonwealth procurement processes, funding requirements, and compliance obligations under Defence contracts and government supplier arrangements. We understand how procurement and security align, and can help your agency meet compliance obligations tied to supplier relationships and grant requirements.