Any Australian business can apply for DISP membership.
To successfully become a DISP member you will need to meet the eligibility and suitability requirements outlined in Control 16.1 DISP of the Defence Security Principles Framework (DSPF).
Control 16.1 of the DSPF relates specifically to the DISP. It provides principles, controls and instructions to support Defence industry to understand and manage security risks when engaging with Defence.
The following is a summary of key eligibility criteria. Please also refer to the eligibility section in Control 16.1 DISP in the Defence Security Principles Framework (PDF) for more detail.
To be eligible to join the DISP your business needs to:
- be registered as a legal business entity in Australia (i.e. have an ABN or ACN)
- be financially solvent
- have a board director or senior executive able to obtain an Australian security clearance and fulfil the role of a Chief Security Officer
- have a staff member able to obtain an Australian security clearance and fulfil the role of Security Officer (NB: the Chief Security Officer and Security Officer can be the same person) - for information on security clearances visit the AGSVA website
- create an email address in the form of: disp(at)insertyourbusinessname.xxx.xx
- satisfy Defence requirements around foreign ownership, control or influence (FOCI) (see the FOCI fact sheet for more information)
- not have any relationships with a listed terrorist organisation
- not have any relationships with regimes subject to Australian sanctions laws including the United Nations Security Council (UNSC) sanctions regimes and Australian autonomous sanctions regimes
- not have any relationship with persons and/or entities on the Department of Foreign Affairs and Trade’s Consolidated List.
In addition to the above your ICT network will also need to meet certain accreditation standards. Depending on your business and contractual needs, there are four cyber security standards you can choose from when applying for DISP membership:
- Top 4 of the ASD Essential 8 (specifically application control, patch applications, restrict administrative privileges and patch operating systems). Further information can be found on the Cyber webpage.
- ISO/IEC 27001 and 27002. Further information can be found on ISO's website.
- NIST SP 800-171 (US ITAR requirement). Further information can be found on the Computer Security Resource Centre.
- Def Stan 05-138. More information can be found on GOV.UK.
More information can also be found in the Which Cyber Standard is Right for My Business? guide.
If your business meets all the above criteria you can apply for DISP membership. Membership is not automatic. Once your application is received by Defence, we will conduct an assessment to confirm your eligibility and determine your suitability.
Suitability is assessed against the DISP Suitability Matrix. A copy of the matrix can be found at Annex B of Control 16.1 DISP in the Defence Security Principles Framework (PDF). The DISP Matrix outlines the minimum ‘suitability’ requirements for each of the four levels of DISP membership—Entry level, Level 1, Level 2 and Level 3.
Applicants self-nominate the level of membership that meets their needs. Your business’s suitability will be assessed against the level of membership you apply for.
DISP membership is a mandatory requirement in any of the following circumstances:
- when working on classified information or assets
- when storing or transporting weapons or explosive ordnance
- when providing security services for Defence bases or facilities
- if there is a Defence business requirement for DISP membership in the contract.
The only exceptions to this are when:
- the company is working on classified information or assets but they will be doing so within Defence facilities or using Defence networks
- the company is recognised under an applicable Security of Information Agreement or Arrangement (SIA).
While DISP membership may not be mandated in all circumstances, it is highly recommended when working on any Defence project.
No, an overseas company cannot be a DISP member.
Foreign companies can, however, still pursue opportunities to work with Defence on Australian classified contracts if certain conditions are met. Firstly, the country from where the foreign company originates must be party to an SIA with Defence. Secondly, if an SIA is in place, the foreign company’s security practices and clearances then need to be verified.
Typically, verification of a foreign company’s security practices is achieved through recognition of a Facility Security Clearance (FSC). FSC verification occurs at the government-to-government level. For more information contact facility.securityclearance@defence.gov.au.
Control 16.1 DISP in the Defence Security Principles Framework (PDF 11.78 MB)
Which Cyber Standard is Right for My Business? Download the PDF (157 KB)
Check your cyber security risk with the Cyber Security Risk Tool.
Foreign Ownership Control and Influence Fact Sheet Download the PDF (159 KB)
