Defence Industry Security Program (DISP) membership needs to be established, maintained and reviewed at regular intervals. Once an entity has achieved membership, they need to maintain certain standards. DISP members submit annual self-assessments, and undergo checks and audits of their security.

Member responsibilities

DISP membership comes with ongoing responsibilities at every level. These are set out in the Defence Security Principles Framework (DSPF) - Principle 16 Control 16.1.

They include:

  • Safeguarding Defence and industry’s people, information and assets.
  • Appointing and retaining a Chief Security Officer (CSO) and Security Officer (SO).
  • Reporting changes that may affect DISP membership, including:
  • Responding to and reporting any security incidents and suspicious contacts.
  • Maintaining an accurate register of incidents and responses including:
    • security and fraud incidents
    • all contacts with foreign nationals, official and unofficial.
  • Submitting an Annual Security Report every 12 months from the date of DISP membership.
  • Keeping a register of overseas travel and travel briefings for security cleared staff.
  • Regular security training of staff including induction training.
  • Ongoing employment screening and suitability checks.
  • Maintaining a classified document register if accessing information at SECRET level or higher.
  • Maintaining a designated security assessed positions (DSAP) register where the entity is a sponsor of personnel security clearances. 

    Designated Security Assessed Positions (DSAP) Fact Sheet (PDF, 320.52 KB)

Annual Security Reports  

The SO must complete the Annual Security Report (ASR) each year. It must be submitted within 10 business days of the anniversary of a member’s original membership grant date.

The SO is responsible for starting, editing and submitting to the CSO. The SO does not approve or declare any submissions.

The CSO is responsible for reviewing, declaring and submitting. The CSO does not start or edit any submissions. The CSO and SO can be the same person; in this case, they are responsible for all roles: starting, editing, approving and declaring submissions.

Submit the ASR on the DISP Member Portal.

Change in circumstance

Entities must report, as they arise, all changes that might have an impact on their membership.

The following Changes in Circumstance can be submitted on the DISP Member Portal.

Entity details

Report changes to the entity's details such as:

  • Office and postal addresses.
  • DISP@ email address.
  • Entity and business names.  
  • Domains and capabilities the entity provides services or products for.  
  • Any other company-related information that may affect the entity’s membership.

Chief Security Officer and Security Officer 

Report changes to the entity’s nominated CSO and/or SO that accesses and uses the DISP. Members must notify DISP within 14 days of any changes to their nominated CSO or SO.

The new CSO and/or SO must meet eligibility and suitability requirements.  

If the entity is changing their CSO, the entity will need to upload a signed acknowledgment letter from the board as part of the change.  

The new CSO and/or SO will need to have completed the necessary security training and provide evidence as part of the change.

Contracts and panels

This includes:

  • Any change to the entity’s contract(s) with Defence, including new contracts, extensions, changes and closure of contracts
  • Changes to any new Defence panels the entity joins. 

Foreign Ownership Control and Influence

Report changes to the entity's Foreign Ownership Control and Influence status. This includes, but is not limited to:

  • Foreign Directors
  • Foreign Board members
  • Foreign Shareholders
  • Foreign revenue streams
  • Agreements with foreign person(s)
  • Foreign investments.

Physical and ICT  

This is for any new Defence certifications and/or accreditations, or changes to existing ones, on the entity's physical facilities or ICT networks.

Essential Eight Cyber

Any changes to the entity's cyber posture. The entity is obliged to report on compliance with the Essential Eight Mitigation Strategies. This includes, but is not limited to:

  • implementation of restricted Microsoft Office macros, multi-factor authentication, user application hardening or regular backups
  • changes between maturity levels
  • major systems update
  • changes to internal technical cyber policies and procedures
  • a new Managed Service Provider or a change to the existing one.

Membership levels

DISP members may apply to upgrade or downgrade membership levels as needed by contacting DISP.

Membership obligations

Australia faces a challenging strategic environment and businesses currently working with Defence, or those seeking to work with Defence, have increased security obligations to protect Defence capabilities and eliminate security vulnerabilities for both Defence and defence industry.

The Defence Industry Security Program (DISP) supports Australian businesses to understand and meet their security obligations when participating in Defence projects, contracts and tenders.

Where an entity fails to meet the requirements of their DISP membership, Defence will employ a scalable approach in responding to the non-compliance, strengthening Defence’s supply chain security (Defence Security Principles Framework Control 16.1 Defence Industry Security Program, paragraphs 39–40).

Where non-compliance occurs, Defence will endeavour to reach an informal resolution with the entity, where appropriate. Depending on the extent of non-compliance, Defence may seek a number of formal remedies, as outlined under the Escalation pathway (section 40) in Control 16.1 Defence Industry Security Program.

The DISP has launched its Return to Compliance Program which evolves its scalable assurance framework to resolve ongoing non-compliance and strengthen security in the Defence supply chain.

Decision review and appeals

Procedural fairness applies to a decision to deny, limit, downgrade, suspend or terminate DISP membership. Procedural fairness ensures that a fair and reasonable procedure is followed when making a decision that may adversely affect an entity’s DISP application for membership or current membership. 

If Defence intends to make a decision which may adversely affect an entity, the entity will have a reasonable opportunity to respond in writing before a final decision is made.

If an entity receives notification that their DISP membership application has been denied or that their DISP membership has been downgraded, suspended or terminated, the entity can write to Defence to seek a review of the decision.

An entity may also appeal the outcome of an adverse membership review decision via the Commonwealth Ombudsman or by way of judicial review.