Any Australian entity can apply for Defence Industry Security Program (DISP) membership.
Industry entities who wish to apply for DISP membership are required to meet several eligibility criteria that are defined in the Defence Security Principles Framework (DSPF) - Principle 16 Control 16.1. It provides principles, controls and instructions to support entities to understand and manage security risks when engaging with Defence.
The DSPF also provides detail on the role and responsibilities of the Chief Security Officer (CSO) and Security Officer (SO).
Eligibility
An entity must:
- Be registered as a legal business entity in Australia with an Australian Business Number (ABN).
- Be financially solvent.
- Have a Director or senior executive who is able to:
- obtain an Australian Personnel Security Clearance (commensurate with the level of membership)
- obtain an Australian Digital ID.
- create a Relationship Manager Authorisation account and be the principal authority
- fulfil the roles of CSO.
- Have a staff member who is able to:
- obtain an Australian Personnel Security Clearance (commensurate with the level of membership)
- obtain an Australian Digital ID.
- fulfil the role of SO (the CSO and SO can be the same individual).
- Establish and maintain security standards for their requested level of membership.
- Establish the entity’s risk of Foreign Ownership, Control or Influence (FOCI).
- A FOCI assessment examines the extent of control the entity is under from a foreign entity or entities.
- FOCI analysis is aligned with the The Treasury's Foreign Investment and Review Board.
- It provides information to Defence contracting areas to support their security risk management activities and make informed decisions when assessing security risks associated with the procurement of goods and services.
- Submit a FOCI declaration form as part of the DISP application process, and when there are potential or actual changes in FOCI status. Information includes, but is not limited to:
- foreign Directors
- foreign Board members
- foreign shareholders
- foreign revenue streams
- agreements with foreign persons
- foreign investments.
All information obtained is held in accordance with legislative requirements under the Privacy Act 1988 and the Freedom of Information Act 1982.
DISP also considers the following when assessing eligibility:
- Any risks arising from an entity’s previous or current commercial activities with any listed terrorist organisation or entity linked to any listed terrorist organisations (as listed under the Criminal Code Act 1995 (Cth)), or to persons for mercenary, terrorist or other criminal activity.
- Any relationships with regimes subject to Australian sanctions laws including the United Nations Security Council sanctions regimes and Australian autonomous sanctions regimes.
- Any relationship with persons or entities on the Department of Foreign Affairs and Trade Consolidated List.
Suitability
If an entity meets the eligibility criteria they can apply for DISP membership. Once an application is received by DISP an assessment to confirm eligibility and determine suitability is conducted.
Suitability is assessed against the DSPF Principle 16, Control 16.1.
Applicants self-nominate the membership level they need to meet their business needs. The entity’s suitability is assessed against the level of membership it applies for. Appropriate justification is required to support higher levels of membership.
Mandatory membership
DISP membership is mandatory for entities who:
- work on classified information or assets (i.e. PROTECTED and above)
- supply, maintain, store or transport weapons or explosive ordnance
- provide security services for Defence bases or facilities
- need to hold DISP membership as a condition of a Defence contract.
The only exceptions are when an entity is:
- working on classified information or assets, but they will be doing so only within Defence facilities or using Defence networks
- recognised under an applicable Security of Information Agreement or Arrangement (SIA).
Chief Security Officer
The CSO is responsible for security arrangements and championing the security culture of the entity. The CSO can delegate the day-to-day management of protective security to SOs.
On the DISP Member Portal, the CSO is responsible for reviewing, declaring and submitting. The CSO does not start or edit any submissions.
Security Officer
The SO is responsible for developing and implementing the entity’s security policies and plans and acts on behalf of the CSO.
On the DISP Member Portal, the SO is responsible for starting, editing and submitting to the CSO. The SO does not approve or declare any submissions.
The CSO and SO can be the same person, in this case, they are responsible for all roles, starting, editing, approving and declaring submissions.
ICT requirements
As a DISP member, investment in implementing cyber security standards is paramount.
The Defence-related information being worked on, supplied, stored or maintained makes the organisation a target for cyber-crime. Maturity to understand, prevent and manage cyber security risks is important.
In alignment with the DSPF Principle 16, Control 16.1, Annex A requirements, entities must meet or exceed the Australian Signals Directorate Essential Eight Mitigation Strategies at Maturity Level 2 across the entity’s ICT corporate systems used to correspond with Defence.
Entities who comply with other international security standards can use their documentation to demonstrate in part how they meet the Essential 8.
These standards include:
- Information security management: ISO/IEC 27001:2022
- Protecting Controlled Unclassified Information in Non-Federal Systems and Organisations (US ITAR requirement): NIST SP 800- 171
- Cyber security for Defence: Def Stan 5-138.
To find more information on cyber security, use the Cyber Security Assessment Tool and visit the Cyber and assurance page.
Subcontractors
DISP members may use subcontractors to fulfil duties associated with Defence related work. They are also responsible for ensuring that subcontractors are aware of DISP requirements. Entities working on Defence projects via a subcontracting arrangement are subject to the same eligibility criteria when determining if DISP membership is required.
If an entity is currently engaged or planning to engage in Defence classified work via a subcontracting arrangement, they are required to hold DISP membership to the appropriate levels for that contract or project.
For further information, contact the relevant Defence Contract Manager.
Foreign entities
An overseas entity cannot be a DISP member. However, foreign entities can still pursue opportunities to work with Defence on Australian classified contracts if certain conditions are met including:
- The country from where the foreign entity originates must be party to a Security of Information Agreement or Arrangement (SIA) with Australia.
- If a SIA is in place, the foreign entity's security practices and clearances need to be verified. Foreign entity security practice verification is achieved through recognition of a Facility Security Clearance at the government-to-government level.
For more information contact facility.securityclearances@defence.gov.au.
Reporting security incidents
It is obligatory that all security incidents are reported. Information from all security reports are collated and analysed to build insights and identify any patterns.
For information on how to report a security incident go to make a security report page.
Membership levels
There are 4 levels of DISP membership:
- Entry level
- Level 1
- Level 2
- Level 3.
The 4 membership levels align with the Australian Government security classifications that determine the level of information an entity is accredited to handle.
- Entry level = OFFICIAL and OFFICIAL: Sensitive
- Level 1 = PROTECTED
- Level 2 = SECRET
- Level 3 = TOP SECRET.
When applying for membership the entity needs to identify the level of membership required for each of the security domains.
Security domains
Membership levels are across 4 security domains. These security domains provide the foundation to help safeguard the entity and integrity of Defence’s information assets and people.
- Security governance
- Personnel security
- Physical security
- ICT and cyber security
Security governance domain
Security governance is accountability, responsibility, and suitable plans, processes and people in place to make sure the entity is secure.
It is having appropriate practices across physical security, personnel security, information and cyber security. This includes appropriate security education and training, and security incident response and reporting.
Security governance reflects an entity’s ability to safeguard people, information and assets. There are a number of specific documents required to support the entity’s DISP application.
The ongoing security governance obligations for DISP membership also include regular reporting documents that are required to be self-managed and submitted for ongoing membership management.
Personnel security domain
Personnel security is about ensuring an entity’s employees and contractors are suitable to access government information and assets, and meet an appropriate standard of security competence, integrity and honesty.
Employment screening applies to security cleared and non-security cleared personnel, contractors and others who will have access to Australian Government resources.
DISP members need to meet Australian Standard for Workforce Screening AS 4811:2022 standard.
For more detailed information regarding clearance requirements and certification see the Australian Government Security Vetting Agency site.
Physical security domain
Physical security is the protection of people, property, and physical assets from actions and events that could result in damage or loss.
A secure physical environment helps to prevent or mitigate threats or attacks against Defence facilities, personnel and security protected information and assets. Physical security establishes the environment threat actors must work in, and is a building block of effective insider threat management and cyber security.
Physical security measures and procedures are continuously evolving as new threats emerge.
DISP membership requirements for physical security will depend on the level of security classification required for the receipt, handling, storage and destruction of information or physical assets that are being held at the facilities.
For more detailed technical information regarding zone requirements and certification of zone facilities see Australian Security Intelligence Organisation website.
ICT and cyber security domain
ICT and cyber security involves the identification of, protection from, and remediation of security incidents or attacks on ICT systems and digital networks. Understanding the risk of a cyber incident and measures that can be put in place will help improve security outcomes.
To meet the ICT and cyber security DISP membership requirements, an entity will need to demonstrate how they meet or exceed the Australian Signals Directorate (ASD) Essential Eight Mitigation Strategies at Maturity Level 2 across its ICT corporate systems used to correspond with Defence. For more information, visit the Cyber and assurance page.
| SECURITY DOMAINS | |||||
|---|---|---|---|---|---|
| Security governance | Personnel security | Physical security | ICT and cyber security | ||
| MEMBERSHIP LEVEL | Entry level | OFFICIAL and OFFICIAL: Sensitive | OFFICIAL and OFFICIAL: Sensitive | OFFICIAL and OFFICIAL: Sensitive | OFFICIAL and OFFICIAL: Sensitive |
| Level 1 | PROTECTED | PROTECTED (Baseline) | PROTECTED | PROTECTED | |
| Level 2 | SECRET | SECRET (Negative vetting 1 | SECRET | SECRET | |
| Level 3 | TOP SECRET | TOP SECRET (Negative vetting 2 | TOP SECRET | TOP SECRET | |
DISP membership is based on a profile that is built to suit the requirements of the entity and work with Defence.
Entities self-nominate the membership level they require, which can vary based on demonstrated business requirements.
There are 2 ways to determine required membership levels:
- A specific level of DISP membership as a requirement of a current or upcoming Defence contract or project.
- Determining requirements of membership levels in each of the security domains depending on the type of goods or services and organisational need.
In the absence of a contract, the entity must demonstrate a business need for DISP membership levels. There are a few ways to demonstrate the business need:
- If the entity has a current contract with Defence, the Contract Manager will be able to supply the Notice of Engagement submission to provide notification and context found in the contract for business needs.
- If the entity is about to engage in a contract with Defence, the Contract Manager will be able to send to DISP a letter of endorsement.
- If an entity is engaging in a subcontract as part of an existing contract, the sponsoring entity is also able to send to DISP a letter of endorsement as part of the application.
Membership level considerations
Entities are entitled to have different membership levels for the different domains.
The membership level applied for in the security governance domain will always equal the highest level applied for in any of the other 3 security domains.
Entities only need 1 DISP membership regardless of the number of Defence contracts they are engaged in.
Entities applying for level 1, 2 and 3 memberships must provide an appropriate justification to support higher levels of membership, such as working on highly classified programs/projects.
Detailed security domain and membership level requirements can be found in DSPF Principle 16, Control 16.1, Annex A.