Eligibility and suitability

Any Australian entity can apply for Defence Industry Security Program (DISP) membership.

Industry entities that wish to apply for DISP membership are required to meet several eligibility criteria defined in the Defence Security Principles Framework (DSPF) Principle 16, Control 16.1. The DSPF provides principles, controls and instructions that help entities understand and manage security risks when engaging with Defence.

Eligibility

An entity must:

  • Be registered as a legal business entity in Australia with an Australian Business Number (ABN).
  • Be financially solvent.
  • Have a Director or senior executive able to obtain:
  • Have a staff member able to obtain:
  • Establish and maintain security standards for their requested level of membership.
  • Establish the entity’s risk of foreign ownership, control or influence (FOCI). A FOCI assessment examines the extent to which the entity is controlled by a foreign entity or entities. FOCI analysis is aligned with the Treasury's Foreign Investment Review Board. The assessment provides information to Defence contracting areas to support their security risk management activities and to inform their decisions when assessing the security risks associated with the procurement of goods and services.
  • Submit a FOCI declaration form as part of the DISP application process, and when there are potential or actual changes in FOCI status. Information includes, but is not limited to:
    • foreign Directors
    • foreign Board members
    • foreign shareholders
    • foreign revenue streams
    • agreements with foreign persons
    • foreign investments.

All information obtained is held in accordance with legislative requirements under the Privacy Act 1988 and the Freedom of Information Act 1982.

DISP also considers the following when assessing eligibility:

  • Any risks arising from an entity’s previous or current commercial activities with a listed terrorist organisation, with an entity linked to a listed terrorist organisation (as listed under the Criminal Code Act 1995 (Cth)), or with persons engaged in mercenary, terrorist or other criminal activity.
  • Any relationships with regimes subject to Australian sanctions laws including the United Nations Security Council sanctions regimes and Australian autonomous sanctions regimes.
  • Any relationship with persons or entities on the Department of Foreign Affairs and Trade Consolidated List.

Suitability

If an entity meets the eligibility criteria, it can apply for DISP membership. Once DISP receives an application, an assessment is conducted to confirm eligibility and determine suitability.

Suitability is assessed against the DISP Suitability Matrix found at Annex B of Control 16.1 in the DSPF.

Applicants self-nominate the membership level they need to meet their business needs. The entity’s suitability is assessed against the level of membership it applies for. Appropriate justification is required to support higher levels of membership.

Mandatory membership

DISP membership is mandatory for entities who:

  • work on classified information or assets (i.e. PROTECTED and above)
  • supply, maintain, store or transport weapons or explosive ordnance
  • provide security services for Defence bases or facilities
  • need to hold DISP membership as a condition of a Defence contract.

The only exceptions are when an entity is:

  • working on classified information or assets, but they will be doing so only within Defence facilities or using Defence networks
  • recognised under an applicable Security of Information Agreement or Arrangement (SIA).

Chief Security Officer

The Chief Security Officer (CSO) is responsible for the entity's security arrangements and for championing its security culture. The CSO can delegate the day-to-day management of protective security to Security Officers (SOs).

The CSO must meet the eligibility requirements and any change in the CSO must be advised to DISP.

More detail on the role and responsibilities of the CSO can be found in Control 16.1 of the DSPF.

Security Officer

The Security Officer (SO) is responsible for developing and implementing the entity’s security policies and plans, and acts on behalf of the CSO. The CSO and SO can be the same person.

The SO must meet the eligibility requirements and any change in the SO must be advised to DISP.

More detail on the role and responsibilities of the SO can be found in Control 16.1 of the DSPF.

ICT requirements

Depending on operating and contractual needs, there are 4 cyber security standards to choose from when applying for entry level DISP membership:

  1. Australian Cyber Security Centre Essential Eight Maturity Model, specifically application control, patch applications, restrict administrative privileges and patch operating systems.
  2. International Organization for Standardization ISO/IEC 27001 and ISO/IEC 27002 standards.
  3. US Department of Commerce National Institute of Standards and Technology NIST SP 800-171 standard (note DISP membership does not provide accreditation against this standard).
  4. UK Ministry of Defence Def Stan 05-138 standard (note DISP membership does not provide accreditation against this standard).

To find more information on cyber security, use the Cyber Security Assessment Tool, fact sheet and the eligibility section in Control 16.1 of the DSPF.

Which Cyber Standard is Right for My Business Fact Sheet (PDF, 129.07 KB)

Subcontractors

DISP members may use subcontractors to fulfil duties associated with Defence related work, and are responsible for ensuring that subcontractors are aware of DISP requirements. Entities working on Defence projects via a subcontracting arrangement are subject to the same eligibility criteria when determining if DISP membership is required.

If an entity is currently engaged or planning to engage in Defence classified work via a subcontracting arrangement, they are required to hold DISP membership to the appropriate levels for that contract or project.

For further information, contact the relevant Defence Contract Manager.

Foreign entities

An overseas entity cannot be a DISP member. However, foreign entities can still pursue opportunities to work with Defence on Australian classified contracts if certain conditions are met including:

  • The country from where the foreign entity originates must be party to a Security of Information Agreement or Arrangement (SIA) with Australia.
  • If a SIA is in place, the foreign entity's security practices and clearances need to be verified. Foreign entity security practice verification is achieved through recognition of a Facility Security Clearance at the government-to-government level.

For more information contact facility.securityclearances@defence.gov.au.

Reporting security incidents

All security incidents must be reported. Information from all security reports is collated and analysed to build insights and identify any patterns.

For information on how to report a security incident, go to the Make a security report page.

Membership levels and security domains

There are 4 levels of DISP membership:

  1. Entry level
  2. Level 1
  3. Level 2
  4. Level 3

The 4 membership levels align with the Australian Government security classifications that determine the level of information an entity is accredited to handle.

  • Entry level = OFFICIAL and OFFICIAL: Sensitive
  • Level 1 = PROTECTED
  • Level 2 = SECRET
  • Level 3 = TOP SECRET

Security domains

Membership levels are assessed across 4 security domains. These security domains provide the foundation for safeguarding the entity and protecting the integrity of Defence’s information, assets and people.

  1. Security governance
  2. Personnel security
  3. Physical security
  4. ICT and cyber security

Security domain requirements for DISP entities are outlined in DSPF Control 16.1 and in the Working Securely with Defence Guide.

Working Securely with Defence - Full guide (PDF, 5.79 MB)

Security governance domain

Security governance means having accountability, responsibility, and suitable plans, processes and people in place to make sure the entity is secure.

It means having appropriate practices across physical security, personnel security, and information and cyber security. This includes appropriate security education and training, and security incident response and reporting.

Security governance reflects an entity’s ability to safeguard people, information and assets. There are a number of specific documents required to support the entity’s DISP application.

The ongoing security governance obligations for DISP membership also include regular reporting documents that are required to be self-managed and submitted for ongoing membership management.

Personnel security domain

Personnel security is about ensuring an entity’s employees and contractors are suitable to access government information and assets, and meet an appropriate standard of security competence, integrity and honesty.

Employment screening applies to security cleared and non-security cleared personnel, contractors and others who will have access to Australian Government resources.

DISP members need to meet the Australian Standard for Workforce Screening, AS 4811:2022.

For more detailed information regarding clearance requirements and certification see the Australian Government Security Vetting Agency site.

Physical security domain

Physical security is the protection of people, property, and physical assets from actions and events that could result in damage or loss.

A secure physical environment helps to prevent or mitigate threats or attacks against Defence facilities, personnel and security protected information and assets. Physical security establishes the environment threat actors must work in, and is a building block of effective insider threat management and cyber security.

Physical security measures and procedures are continuously evolving as new threats emerge.

DISP membership requirements for physical security will depend on the level of security classification required for the receipt, handling, storage and destruction of information or physical assets that are being held at your facilities.

For more detailed technical information regarding zone requirements and certification of zone facilities, see the Australian Security Intelligence Organisation website.

ICT and cyber security domain

ICT and cyber security involves the identification of, protection from, and remediation of security incidents or attacks on ICT systems and digital networks. Understanding the risk of a cyber incident and measures that can be put in place will help improve security outcomes.

To meet the ICT and cyber security DISP membership requirements, an entity will need to:

For more detailed technical information regarding ICT and cyber security requirements, see the Australian Cyber Security Centre Information Security Manual.

Identifying membership level

When applying for membership the entity needs to identify the level of membership required for each of the security domains.

Membership level   Security governance   Personnel security                 Physical security   ICT and cyber security
Entry level        OFFICIAL and          OFFICIAL and                       OFFICIAL and        OFFICIAL and
                   OFFICIAL: Sensitive   OFFICIAL: Sensitive                OFFICIAL: Sensitive OFFICIAL: Sensitive
Level 1            PROTECTED             PROTECTED (Baseline)               PROTECTED           PROTECTED
Level 2            SECRET                SECRET (Negative Vetting 1)        SECRET              SECRET
Level 3            TOP SECRET            TOP SECRET (Negative Vetting 2)    TOP SECRET          TOP SECRET

DISP membership is based on a profile that is built to suit the requirements of the entity and work with Defence.

Entities self-nominate the membership level they require, which can vary based on demonstrated business requirements.

There are 2 ways to determine required membership levels:

  1. A specific level of DISP membership as a requirement of a current or upcoming Defence contract or project.
  2. Determining requirements of membership levels in each of the security domains depending on the type of goods or services and organisational need.

In the absence of a contract, the entity must demonstrate a business need for DISP membership levels. There are a few ways to demonstrate the business need:

  • If the entity has a current contract with Defence, the Contract Manager can supply a Notice of Engagement form, which gives notification of the business need and the context for it found in the contract.
  • If the entity is about to engage in a contract with Defence, the Contract Manager will be able to send to DISP a letter of endorsement.
  • If an entity is engaging in a subcontract as part of an existing contract, the sponsoring entity is also able to send to DISP a letter of endorsement as part of the application.

Membership level considerations

Entities are entitled to have different membership levels for the different domains.

The membership level applied for in the security governance domain will always equal the highest level applied for in any of the other 3 security domains.

Entities only need 1 DISP membership regardless of the number of Defence contracts they are engaged in.

Entities applying for Level 1, 2 or 3 membership must provide an appropriate justification to support the higher level of membership, such as working on highly classified programs or projects.