Any Australian business can apply for DISP membership. To successfully become a DISP member you will need to meet the eligibility and suitability requirements outlined in Control 16.1 of the Defence Security Principles Framework (PDF 331 KB)
For more information visit our Eligibility & Suitability page.
A. DISP membership is mandated in some but not all circumstances.
Membership is a mandatory requirement in any of the following circumstances:
- your organisation is working on classified information or assets
- your organisation is storing or transporting weapons or explosive ordnance
- your organisation is providing security services for Defence bases and facilities
- there is a Defence business requirement for DISP membership in your contract.
The only exceptions to this are when:
- your organisation is working on classified information or assets but will be doing so within Defence facilities or using Defence networks
- your organisation is recognised under an applicable Security of Information Agreement or Arrangement (SIA) (PDF 159 KB).
While DISP membership may not be mandated in all circumstances it is highly recommended when working on any Defence project.
A. If DISP membership is mandated by your contract with Defence you need to consider the security of your supply chain. For further information contact your Defence contract manager.
A. No, an overseas company cannot be a DISP member. Foreign companies can however still pursue opportunities to work with Defence on Australian classified contracts if certain conditions are met.
For more information visit our Eligibility & Suitability page.
The Defence Security Principles Framework (PDF 4551 KB) (DSPF) is a framework to manage security risk across Defence, leading to robust security outcomes. This approach:
- Allows all parts of Defence to manage security within their operational context and constraints. This recognises the best security decisions are made in accordance with agreed principles, with a desired outcome in mind.
- Ensures the most appropriate people are setting security requirements. Those who know their business are best placed to set security standards and requirements for that aspect of Defence business.
- Sets clear processes and accountabilities, which underpin assurance of Defence protective security arrangements.
A. There are four membership levels and four security categories.
The membership levels are aligned with security classifications:
- Entry Level = OFFICIAL and OFFICIAL: Sensitive
- Level 1 = PROTECTED
- Level 2 = SECRET
- Level 3 = TOP SECRET.
The four security categories are:
- Security Governance
- Personnel Security
- Physical Security
- Information & Cyber Security.
When applying for membership you will need to identify the level of membership you require for each of the security categories. For more information visit our How to Apply page.
A. If you are applying for DISP membership as a requirement of a current or upcoming Defence contract, your Defence contract manager will be able to advise the level of membership required for each security category.
In all other instances, you can make a determination based on your organisational need. You can choose the level of membership you require for each of the four security categories depending on the type of goods or services you wish to supply to Defence.
For more information visit our How to Apply page.
This is an Australian employment screening standard. Pre-employment screening, in line with AS 4811-2006 Employment Screening standard, is essential for your DISP membership at Entry Level and above. Requirements under the standard include:
- An identity check requiring 100 points of ID.
- Address history checks for a minimum of five years.
- Character reference checks.
- A current national police check.
- An ASIC check (where relevant).
- Checks on all declared experience and qualifications.
- Social media assessment.
Other activities to consider in the pre-employment process, as appropriate, include:
- Eligibility to work in Australia.
- Employment history checks including Defence related work.
- Residential history checks.
- Referee checks.
- Personal employment contracts.
- Non-disclosure agreements.
- Non-compete clauses.
Employment screening applies to security cleared and non-security cleared personnel, contractors and others who will have access to Australian Government resources.
More information on the AS 4811-2006 standard can be obtained from the Standards Australia website.
A. Before starting an application, we recommend you visit our Eligibility & Suitability page to ensure your business meets all the required membership criteria.
A. On receipt of your application, you will be assigned a processing officer who will assess your application. As part of this process, you will be asked to participate in two assurance activities - an entry assessment and a cyber security assessment questionnaire.
If during the assessment phase we identify any further requirements or gaps, these will be advised to you and your processing officer will work with you to help you to identify and implement solutions.
During the membership assessment process, Defence will communicate to you via your primary DISP email address as listed on your application form (e.g. disp(at)yourbusinessname.xxx.xx).
We request that responses to any enquiries are undertaken within 30 business days from the date of the request. A follow-up request will be made if no response has been received during this time. If an applicant is still unresponsive after a further 30 business days, the DISP application will be cancelled and the applicant will be notified to re-apply.
A. Timeframes for processing DISP membership vary based on the required level of membership, your organisation's security requirements and current level of security maturity, and dependencies on internal Defence resources.
For more information go to the How long will it take? section on our How to Apply page.
A. Although there is no direct cost associated with DISP membership, there may be costs associated with implementing and maintaining security measures to meet initial and ongoing DISP requirements. These might include, for example, facility certification and accreditation, personnel security clearances and physical security measures.
Organisations should consider these costs in relation to the level of DISP membership required prior to lodging their DISP membership application.
A. The CSO is responsible for, and has oversight of, security arrangements and championing a security culture in the organisation. They have the flexibility to delegate the day-to-day management of protective security to Security Officers (SOs).
The CSO must be an Australian citizen and be able to obtain and maintain a personnel security clearance at the Baseline level or above, in line with the organisation’s level of DISP membership. Any change in the CSO needs to be advised to Defence.
More detail on the role and responsibilities of the CSO can be found in Control 16.1 of the Defence Security Principles Framework (PDF 331 KB).
The SO is responsible for developing and implementing the organisation’s security policies and plans and acts on behalf of the CSO. The CSO and SO can be the same person.
The SO must be an Australian citizen and be able to obtain and maintain a personnel security clearance at the Baseline level or above, in line with the organisation’s level of DISP membership. Any change in the SO needs to be advised to Defence.
More detail on the role and responsibilities of the SO can be found in Control 16.1 of the Defence Security Principles Framework (PDF 331 KB).
A. If a DISP membership application is denied the unsuccessful applicant is able to appeal the decision. Defence will inform the applicant of the relevant avenue(s) of appeal when notifying them of the decision to deny.
A. As well as benefits, DISP membership comes with ongoing responsibilities at every level. These are set out in Control 16.1 of the Defence Security Principles Framework (PDF 331 KB).
You can also find more information on our Maintaining Membership page.
A. Security governance is having clear lines of accountability and responsibility, and suitable plans, processes and people in place to make sure your business is secure.
It is assurance that you have appropriate practices across physical security, personnel security, information and cyber security. This includes appropriate security education and training, and security incident response and reporting.
A. Governance documentation lays the foundation for Entry Level security measures. These include:
- Security Risk/Incidents Register
- Annual Security Awareness Course (including Insider threat training)
- Security Policies and Plans
- Designated Security Assessed Positions (DSAP) list or equivalent
- Employment Policy (AS-4811 required)
- Classified Document Register (if required)
- Cyber Questionnaire
- ICT Action Plan
- Identified Chief Security Officer and Security Officer (can be the same person).
These all reflect your organisation’s ability to safeguard your and Defence’s people, information and assets.
A. These include:
- Report any changes in governance arrangements.
- Submit an Annual Security Report.
- Participate in audit and assurance activities.
- Report security incidents and suspicious contacts.
- Report on overseas travel for security cleared staff.
For more information visit our Maintaining Membership page.
A. Yes. As a member of DISP, you must report security incidents.
Reporting a security incident allows Defence to work with you to fix the issue and prevent further loss or compromise.
Even if an incident seems small or harmless the information in your report could be helpful. Information from all security reports is collated and analysed to build insights and identify any patterns.
If you are unsure whether to report or not, it’s best to notify Defence to be safe. For information on how to report a security incident go to our Make a Security Report page.
A. The CSO must provide the ASR to Defence within ten business days of the anniversary of their original membership grant date. Download the ASR template (Word 66.4 KB).
A. Personnel security is the collaboration between human resources and security within a business, including:
- Australian Government security clearances
- personnel security training
- personnel security awareness programs
- personnel security policies and procedures
- personnel security reporting processes.
A. The Australian Government Security Vetting Agency (AGSVA) manages the security clearance process on behalf of the Australian Government.
For information on vetting and security clearances, including the different clearance levels, the vetting process, timelines, costs, etc., visit the AGSVA website.
For information on sponsoring security clearances for defence industry personnel or the Defence Industry Security Program (DISP), please contact 1800 333 362. You can also download the following factsheets located on the defence industry resources page:
- Sponsoring Defence Clearances Securely
- Designated Security Assessed Positions (DSAP) - including an example Designated Security Assessed Positions Register
A. DISP members have the option to sponsor and manage their own security clearances. This is dependent upon the DISP member's Personnel Security Membership Level and the classification of the information, systems or facilities being accessed.
DISP members must certify that their Security Officer agrees to support their organisation’s security clearance holders to uphold their clearance responsibilities.
These responsibilities include but are not limited to:
- monitoring and reporting on any changes in attitude or behaviour of the staff they sponsor
- submitting change of circumstances forms
- reporting security incidents
- reporting suspicious contacts
- overseas travel briefings
- revalidations and re-evaluations of security clearances
- regular maintenance of a Designated Security Assessed Positions Register.
Sometimes a DISP member's Personnel Security Membership Level does not meet the requirements to sponsor clearances at the level required for their DISP contract. In this case the Defence project Security Officer for the project will need to sponsor the security clearances.
Please note DISP members are not able to sponsor PV clearances.
For more information on sponsoring security clearances for defence industry personnel or the Defence Industry Security Program (DISP), please contact 1800 333 362. You can also download the following factsheets located on the defence industry resources page:
- Sponsoring Defence Clearances Securely
- Designated Security Assessed Positions (DSAP) - including an example Designated Security Assessed Positions Register
A. If the country you are seeking to do business with has a Security of Information Agreement or Arrangement (SIA) (PDF 159KB) with Defence, DISP members may be able to have their security clearances recognised by that country.
For more information email firstname.lastname@example.org
A. Physical security is putting in place security measures to ensure a safe and secure physical environment. These measures include perimeter security (fencing, locks, guards), surveillance cameras and sensors, alarms, secure server rooms, smart cards, biometric identification, and water, smoke and heat detectors.
Physical security measures and procedures are continuously evolving as new threats emerge.
A. DISP membership for physical security will depend on the level of security classification required for the receipt, handling, storage and destruction of information or physical assets that are being held at your facilities.
- Entry Level – must be able to provide a description of your physical security and access controls for OFFICIAL and OFFICIAL: Sensitive information and assets.
- Level 1 – must ensure facilities are certified and accredited in accordance with the Defence Security Principles Framework (DSPF) up to PROTECTED information and assets.
- Level 2 - must ensure facilities are certified and accredited in accordance with the DSPF up to SECRET information and assets.
- Level 3 - must ensure facilities are certified and accredited in accordance with the DSPF up to TOP SECRET information and assets.
A. As part of your DISP application you will need to:
- Identify the information or physical assets that are being protected.
- Assess required security classification and/or business impact level.
- Conduct a security risk assessment of the sites/facilities that are being planned to store and/or use the information or physical assets.
- Determine the appropriate physical security zone(s).
- Determine appropriate DISP level membership for physical security.
- Certify and accredit the appropriate physical security zone(s).
- List on the DISP application form the physical addresses of all your business facilities, including any located outside of Australia.
A. Security zones are areas on a site, graded by level, that process, handle and store security-protected assets. The levels are:
- Security Zone 1 - a public access area within a space or area that has access control measures in place at the perimeter. The storage of classified information or security protected assets is not recommended in a Security Zone 1.
- Security Zone 2 - facilities are considered low-risk and commonly recognised as normal office buildings with commercial locking and restricted profile keying systems.
- Security Zone 3 - facilities have limited employee and contractor access with visitors escorted. Storage of information up to SECRET is permitted.
- Security Zone 4 - has strictly controlled employee access with personal verification as well as card access. Security protected assets with a business impact level of catastrophic can be stored within this security zone.
- Security Zone 5 - has strictly controlled employee access, with personal identity verification as well as card access (dual authentication access). Used where information classified at TOP SECRET, codeword information or large quantities of SECRET information is stored and used, or where the aggregate of information would have a catastrophic business impact if compromised.
- Security Zone 5 SCIF – if you require a Zone 5 Sensitive Compartmented Information Facility (SCIF) Defence will work with you to establish this.
The following diagram provides an example of the setup of a layered approach to physical security zones within an organisation’s premises.
The physical security zones do not directly correlate with DISP level of membership for physical security. Please contact us if you require more information.
A. As part of your DISP membership application you will be asked whether your facilities hold physical security certification and/or accreditation:
- No certification or accreditation is required for Zone 1.
- For Zone 2, businesses may be able to conduct a Zone 2 self-certification, with support from Defence Security & Vetting Service (DS&VS) who will complete the final accreditation.
- For Physical Security Zones 3 to 5, the DS&VS team’s involvement will be needed with respect to certification and accreditation.
- Accreditation expires after 10 years for Zone 2.
- Accreditation expires after 5 years for Zones 3-5.
- Accreditation can also cease if:
  - there is a change to the level of information or assets associated with the area, or
  - significant changes are made to the facility or physical security controls, or
  - there are other circumstances outlined by the accreditation authority.
A. Once you have determined the required physical security zones, you will need to consider the relevant physical security measures for each zone category:
- Each physical security zone will have its own requirements for the types of physical security measures put in place.
- The choice of measures will depend on the security risk assessment undertaken.
- Some physical security measures can include things like walls, CCTV, barriers and bollards, identity cards etc.
A useful summary of the minimum and/or recommended standards expected for each physical measure that should be implemented at each physical security zone is available from the PSPF: https://www.protectivesecurity.gov.au/sites/default/files/Table-3-physical-protections-for-security-zones.pdf
A. These are:
- Audit your facilities’ keys every six months.
- Keep up to date records of your security containers.
- Keep security alarm systems maintained.
- Keep guarding instructions and procedures up to date.
A. Information and cyber security involves the identification of, protection from, and remediation of security incidents or attacks on your information systems and digital networks.
Understanding the real risk of a cyber-incident and the counter measures you can put in place will help improve the outcomes for your business.
A. Determining the right level is not about doing the bare minimum to meet the criteria for DISP membership but improving your position against the probability of a cyber-attack.
To meet appropriate levels for information and cyber security requirements, you will need to:
- Determine which cyber security standard is right for your business (see our fact sheet: Which cyber standard is right for my business? (PDF 157 KB)).
- Assess your systems and networks.
- Implement your chosen standard.
- Provide evidence your business meets the required standard (at Entry level this means self-certification through completion of the DISP membership form).
Assessing your systems and networks will help you determine how and where to apply your chosen cyber security standard.
A. There are four levels of information and cyber security. These are:
- Entry Level - implementing the controls required for membership against the nominated cyber security standard that your business meets for storing, processing and communicating OFFICIAL and OFFICIAL: Sensitive information.
- Level 1 - organisation has, or requires, at least one network or standalone device to store, process and communicate up to PROTECTED information.
- Level 2 - organisation has, or requires, at least one network or standalone device to store, process and communicate up to SECRET information.
- Level 3 - organisation has, or requires, at least one network or standalone device to store, process and communicate up to TOP SECRET information.
If your ICT network does not meet requirements for the appropriate level, you may want to consider whether employees with existing Defence clearances could use Defence Protected Network (DPN) access (e.g. using a DREAMS remote access) while awaiting accreditation. To find out more about DREAMS, please contact us.
A. There are four cyber security standards you can choose from depending on your business and contractual needs:
- ASD Essential Eight (top 4)
- NIST SP 800-171
- Def Stan 05-138
- ISO-27001 and relevant components
You will need to apply your chosen security standard to any systems or networks that will be involved in storing, processing or communicating Defence information.
For more information see our fact sheet: Which cyber standard is right for my business? (PDF 157 KB)
A. There are costs and timeframes for implementing your chosen standard. These are dependent on:
- The current level of cyber maturity of your business, and what gaps you need to fill to meet the requirements.
- The size of your systems and networks.
- The complexity of your systems and networks, such as access and connectivity to cloud services, external service providers or third party infrastructure.
- Your number of employees.
There will be ongoing costs to maintain your chosen cyber security standard and you may like to use an IT service provider to ensure your networks and systems continue to meet cyber security requirements.
A. Certification is when you identify, assess and report on the risk that your system presents to the information environment. Certification by a third party is official recognition that your system meets a particular standard.
A. Accreditation is when an authoritative body (Accreditation Authority) gives formal recognition, approval and acceptance of the risk identified.
A. To meet higher levels of DISP membership information and cyber security requirements (Level 1, Level 2 and Level 3), you will need to obtain Defence accreditation of your network or standalone device.
The Defence accreditation process has no additional cost to business; however, it can take a considerable length of time to complete.
Options to meet higher level DISP membership requirements and speed up the certification and accreditation process are:
- get an IRAP assessment
- purchase an ASD Certified Service
- use a standalone device
- if under a current Defence contract, use a Defence network or device (DREAMS token (DPN), or physical install of DPN or DSN or TSN terminal).
Following receipt of your DISP application, you will be assigned a CIOG consultant who will get in contact with you to provide Defence accreditation.