Defence Industry Security Program (DISP)

We support you across all domains of the Defence Industry Security Program by helping you plan, implement, and manage your DISP requirements. We set you up for success from the start to help you stay on top of your security every day.

Benefits of DISP solutions with CyberCX

Compliance

Achieve and maintain your DISP compliance requirements simply and at low cost

Improve your security posture

Raise the levels of security protection across governance, personnel security, physical security and information and cyber security

Increase your opportunities

Quickly demonstrate your security maturity, making you more attractive to potential Defence clients

Stay compliant regardless of DISP changes

As DISP changes occur, we know how they affect your business and explain to you what needs to be done

End-to-end expertise

Get end-to-end guidance at enterprise scale, in a language you can understand

What is the Defence Industry Security Program (DISP)?

The Defence Industry Security Program (DISP) provides an effective way for Defence and industry to work together to protect sensitive, OFFICIAL and classified Defence information and assets, as well as industry’s intellectual property. The DISP is a membership-based program that:

  • Sets baseline security requirements for Industry Entities wishing to engage with Defence
  • Helps secure Defence capability, Defence industry and the supply chain
  • Requires its members to comply with Defence’s protective security policies, practices and procedures
  • Uses a tiered level of membership tailored to individual business needs
  • Supports industry to identify security risks and to understand and apply security controls across the domains of governance, personnel security, physical, and information and cyber security
  • Includes a system of reviews to ensure continued compliance
  • Enhances Defence’s ability to monitor and mitigate security risks

Our protective security consultants have local insight and detailed working knowledge of the Protective Security Policy Framework (PSPF), Defence Security Principles Framework (DSPF), business continuity and compliance and assurance activities.

Whether you need a gap analysis to see how you are positioned for membership, right through to a DISP managed service, we are ready to partner with you to ensure your success.

DISP management that won’t slow you down

With over 10 years' experience managing DISP membership for enterprises large and small, we understand the challenges involved and how to solve them to simplify your DISP journey.

Our solutions

DISP Gap Analysis

Designed for organisations that require a detailed understanding of where they are positioned against the DISP eligibility criteria. Our team will help you identify the gaps you have and provide a comprehensive report with prioritised closure recommendations.

DISP Application Support

We will help manage and guide you through the DISP application process to ensure you have the necessary measures in place to comply with the DISP. Our team will apply their expertise to:

  • Identify what gaps you have and provide closure recommendations and support as required
  • Review or build best practice, compliant DISP documentation
  • Lead you through a security risk management review
  • Assist you in completing and submitting the DISP application

DISP as a Service

We deliver the full suite of services required to meet the DISP membership requirements. Our team will provide:

  • Development and refinement of best practice, compliant DISP documentation
  • Insightful, pragmatic, and balanced risk management services
  • A software enabled security management platform
  • System implementation and commissioning
  • Ongoing system management and maintenance
  • Security training and awareness
  • Annual security system review and advice

Annual Security Report (ASR) Preparation Services

Designed to assist organisations to prepare and complete the ASR. Our team will review your existing security practices to identify where you do not meet the DISP requirements, outline the identified gaps or improvement opportunities, and provide a one-page summary to assist you in completing the ASR.

Why CyberCX for DISP?

Practical, real world solutions

We understand the DISP requirements and challenges intimately. We know how to solve them and provide practical solutions to simplify your DISP journey.

Strengthen long term governance

All our DISP solutions are designed to minimise risk, improve resilience, and deliver value over the long term.

Always informed

Benefit from comprehensive guidance and analysis on the latest security trends and threats to better inform your security planning and practices.

Defence Industry Security Program (DISP) FAQ

The Defence Industry Security Program (DISP) provides an effective way for Defence and industry to work together to protect sensitive, OFFICIAL and classified Defence information and assets, as well as industry’s intellectual property. The DISP is a membership-based program that:

  • Sets baseline security requirements for Industry Entities wishing to engage with Defence;
  • Helps secure Defence capability, Defence industry and the supply chain;
  • Requires its members to comply with Defence’s protective security policies, practices and procedures;
  • Uses a tiered level of membership tailored to individual business needs;
  • Supports industry to identify security risks and to understand and apply security controls across the domains of governance, personnel security, physical, and information and cyber security;
  • Includes a system of reviews to ensure continued compliance;
  • Enhances Defence’s ability to monitor and mitigate security risks.

The DISP is managed by the Defence Industry Security Office (DISO) within the Department of Defence and involves:

  • An online portal (https://www1.defence.gov.au/security/industry) to help industry obtain entry and manage their membership
  • Support and services provided by Defence personnel to help you navigate membership, as well as access training, support, reporting and assurance services

An appropriate level of DISP membership is required:

  • When working on or with classified (PROTECTED or above) information or assets
  • When managing, storing or transporting Defence weapons or explosive ordnance
  • When providing security services for Defence bases and facilities
  • If there is a Defence business requirement for DISP membership in the contract.

If you are a foreign entity you will not qualify for DISP, but your business may be recognised under a Security of Information Agreement or Arrangement (SIA).

Even if DISP membership is not a requirement now, consider whether it may be beneficial in the future, or as a way to enhance the overall security posture of your business. Further, proposed changes to the definition of Critical Infrastructure to include sectors like Defence Industry are likely to mandate some form of security obligation for all Defence sector participants. Our assessment is that this will likely include DISP requirements for the management of personnel, physical and information security, and an appropriate governance framework. These changes are still in consultation and we'll have more to say about what this means for Defence Industry in the future.

In some instances, DISP membership is mandated by the nature of work delivered to Defence or as a result of a Defence business requirement specified in a contract. For some entities DISP membership will not be required; however, membership is strongly encouraged to ensure they meet minimum security requirements to engage with Defence at a later stage, or as a demonstration of sound security practice even when handling OFFICIAL information.

The Australian Government is investing $270 billion over the next decade in Defence capability and we are building a world class Defence industry. The DISP offers substantial benefits to Defence and industry in terms of streamlining security services and protecting Defence information and assets, as well as industry’s intellectual property.

DISP benefits to industry include:

  • Improved security operating environment for your business as security practices are strengthened
  • Access to Defence security services that will enable you to be ‘Defence-ready’ when delivering contracts and tenders
  • Ability to sponsor your own security clearances (not available for Entry Level membership)
  • Greater access to international contracts as you may be able to have your security clearances recognised by international partners
  • Security training and materials, including cyber training
  • Advice and analysis on the latest security trends and threats to better inform your security planning and practices.

The DISP has tiered levels of membership that can be tailored to suit your organisation’s needs. These levels of membership are aligned with access to the level of information associated with security classifications:

  • Entry Level = OFFICIAL/OFFICIAL: Sensitive
  • Level 1 = PROTECTED
  • Level 2 = SECRET
  • Level 3 = TOP SECRET

A DISP member may hold different levels for different categories of security. For example, a DISP member may be Entry Level for ICT and cyber security but Level 1 for governance, personnel and physical security. Note that governance must be equivalent to the highest level of accreditation sought for the other categories.

Any Australian business can apply for DISP membership.

To successfully become a DISP member you will need to meet the eligibility and suitability requirements outlined in Control 16.1 DISP of the Defence Security Principles Framework (DSPF). These criteria cover things like the potential foreign ownership, control and influence of your organisation, how you manage your facilities, personnel and information risks and whether or not the governance framework you have in place is appropriate. You also have to provide copies of your policy documents for review by the DISP team.

To meet the DISP criteria you will need to demonstrate that you have:

  • Appointed a Chief Security Officer and Security Officer (these can be the same person) and ensured the Security Officer is appropriately trained by Defence
  • Implemented an appropriate governance framework including a full suite of policies and procedures to manage your personnel, physical and information risks
  • Created a series of registers that demonstrate that you are managing the requirements of your chosen DISP level
  • Developed an understanding of the activities you need to complete across a year in order to remain compliant
  • Created a mechanism to ensure your Board (or equivalent) has reviewed and endorsed the Annual Security Report (ASR) before returning it to Defence each year
  • Ensured your facilities are accredited to the appropriate level and have a mechanism in place to ensure this accreditation remains in place
  • Implemented an internal assurance program that is risk based and ensures you continue to meet your DISP eligibility criteria
  • Developed mechanisms to effectively manage the overseas travel of your staff who hold security clearances, including a defensive security brief before they travel, a debrief after they return and a mechanism to report any security concerns to ASIO
  • Implemented mechanisms to manage security incidents from reporting to close-out to ensure they are managed in accordance with Defence reporting requirements.

Although there is no direct cost associated with DISP membership, there may be costs associated with implementing and maintaining security measures to meet initial and ongoing DISP requirements. These might include, for example, facility certification and accreditation, personnel security clearances and physical security measures. Some businesses may find their existing security practices are well advanced for membership without additional costs, while others may need to address a gap in requirements. Businesses should consider these costs in relation to the level of DISP membership required prior to lodging their DISP membership application.

Some of the costs to consider are:

  • The appointment of a CSO and SO. It may be that you have to create a new position in your workforce and fill it with a suitably qualified and experienced person. Suitably qualified and experienced security staff can cost over $100k in salary and other expenses
  • Development of policies, procedures, plans and forms. Regardless of the DISP level you choose, there are a number of documents that need to be prepared and implemented in your organisation. These include documents that demonstrate to Defence that you are managing your personnel, physical, information and cyber risks appropriately. These documents need to be detailed; in the case of physical security, for example, you will need to describe how you will manage your facilities, including who can access which areas, who can approve an access card, who approves changes to your access requirements (when staff change roles, for example) and which classified items can be stored in which parts of your facilities. These documents can take several weeks to develop if you choose to complete them yourself, and will draw on the time and experience of a number of staff in your organisation, which can quickly add up
  • Security clearances. The Australian Government Security Vetting Service (AGSVA) provides all security clearances for DISP members. There is a cost associated with each clearance and the prices range from approximately $1000 to almost $16000. Current costs can be found here
  • ICT/cyber security costs. Even at Entry Level there are costs associated with cyber security. Defence expects DISP members to have implemented the Australian Cyber Security Centre Top 4 cyber security controls. Details of these can be found here. Top 4 implementation costs depend upon the complexity of your ICT system and even a rough price is difficult to provide without some sort of analysis of your systems.
  • Facility works/upgrades. You may need to upgrade your facilities in order to meet the requirements of your desired DISP membership level. If you are managing classified material this will certainly be the case. Like ICT costs, facilities costs are difficult to estimate without some sort of analysis of your facilities and operations. Getting accurate advice here is key to avoiding over-capitalising
  • A method of managing your compliance requirements. Spreadsheets won't cut it for this (believe me, I've worked in some large companies that think they can). Regardless of DISP level, you need to manage your compliance requirements in a coherent system that provides an audit trail. Spreadsheets are not designed for this without significant modification (which requires specialist skills).

So while there is no fee charged for DISP membership, there are costs that need to be incurred by your company if you wish to be a DISP member (even at Entry Level). While these may seem expensive, they should be considered not as a cost to your business but as the implementation of a best practice risk management program for your business. If designed and implemented properly, this will enable sustained business.

Familiarise yourself with ‘Principle 16 and Control 16.1 – Defence Industry Security Program’ of the DSPF here. Decide which membership levels are most appropriate for the type of work your business provides.

To get further clarity on the appropriate DISP membership level, consider engaging with the Defence contract manager (if you have a current contract with Defence) or the DISP team. If you are supplying through one of the large Prime contractors, speak to their Australian Industry Content representatives or review the contract they have provided. This will detail their expectations with respect to DISP membership and level.

You will also need to build your evidence that demonstrates that you meet the specified requirements for: Governance; Personnel security; Physical security; and ICT and cyber security. You will need to additionally:

  1. Fill out the following forms available here:
    1. DISP application form and save to your computer
    2. DISP foreign ownership, control and influence declaration form and save to your computer
  2. Email your completed forms to [email protected]

Timeframes for processing DISP membership vary based on the required level of membership, current level of security maturity and requirements and dependencies on internal Defence resources. Defence will process DISP applications in the following order, based on whether your business:

  1. Has a contract with Defence to support an ongoing Defence operation
  2. Has a contract with Defence
  3. Is involved in the shipbuilding supply chain
  4. Is planning to tender for a Defence opportunity, or in negotiations for a Defence opportunity
  5. Is applying for DISP with no existing relationship with Defence and no immediate tender opportunities.

For DISP Entry Level you will need to:

  1. Nominate a Chief Security Officer (CSO) and have them appropriately security cleared.
  2. Nominate a Security Officer (SO) and have them appropriately security cleared.
  3. Complete a business security risk assessment.
  4. Ensure that you have current security policies and plans in place that ensure you meet your DSPF (and where applicable PSPF) obligations including:
    1. That your business screens all employees in accordance with AS 4811-2006. This includes:
      1. An identity check requiring 100 points of ID
      2. Address history checks for a minimum of five years
      3. Character reference checks
      4. A national police check not exceeding one year
      5. An Australian Securities and Investments Commission (ASIC) check (where relevant)
      6. Checks on all declared experience and qualifications
      7. Social media assessment
      8. Maintaining screening records of all employees. You might also want to consider:
        1. Eligibility to work in Australia
        2. Employment history checks including Defence related work
        3. Residential history checks
        4. Referee checks
        5. Personal employment contracts
        6. Non-disclosure agreements
        7. Non-compete clauses.
    2. Identification of the facilities you intend to use for your Defence-related work. Records you need for facilities are:
      1. An audit of your keys every six months
      2. Records of your security containers (safes) used to manage classified material
      3. Maintenance records of your alarm systems
      4. Records of security guard patrols (if applicable)
      5. Accreditation certificates issued by Defence Security Division.
    3. Identification of the appropriate cyber security framework you are implementing (ACSC Top 4, NIST 800-171, DEFSTAN 05-138 or ISO 27001), including demonstration that the requirements of your chosen framework have been implemented.
  5. Implement a security risk register (or other system of risk oversight and management)
  6. Report on Foreign Ownership, Control and Influence status as it changes in your organisation
  7. Administer an annual security awareness program to your staff
  8. Maintain an Insider Threat program.

For DISP Level 1-3 you must meet all the Entry Level requirements above as well as:

  1. Have a mechanism in place to manage security briefings and debriefings for your security cleared staff
  2. Have one SO cleared to at least NV1
  3. Have policies, plans and procedures that demonstrate you can manage classified material up to PROTECTED, SECRET or TOP SECRET (depending upon your DISP level).

AS4811 is the Australian standard for workforce screening. Workforce screening applies to security cleared and non-security cleared personnel, contractors and others who will have access to Australian Government resources. AS4811 mandates that you conduct specific checks on all employees (regardless of role) before they are employed. These include proof of identity and the ability to legally work in Australia.

All of the requirements you had to meet in order to obtain DISP membership have to be maintained across the year. Some of these include:

  • Undertake regular security training of staff including induction training for new staff
  • Respond and report any security incidents as soon as possible and maintain an accurate register of incidents and responses
  • Report any substantial changes as soon as possible, including changes in Foreign Ownership, Control and Influence (FOCI) status
  • Conduct ongoing employment screening and suitability checks
  • Submit an Annual Security Report (ASR)

The ASR is your annual declaration to Defence of whether or not you are DISP compliant. It needs to be completed by your SO/CSO and approved/endorsed by your Board (or equivalent) prior to submission.

If you are not compliant you will need to undertake remediation action to ensure your compliance gets back on track. If you declare that you are compliant and Defence subsequently finds that you are not, your DISP membership will almost certainly be reviewed and may be terminated.

Maintaining your compliance is just as important as getting membership in the first place, and if you don't have a system to manage everything listed above, annual compliance will be hard to achieve.
