The expert's guide to the Defence Industry Security Program (DISP)
Introducing the Expert's Guide to Defence Industry Security Program (DISP)
This guide provides a comprehensive overview of the Defence Industry Security Program (DISP), the security program for the defence industry in Australia. It covers the DISP's purpose, scope and requirements, as well as how to apply for and manage security clearances. It also provides guidance on how to protect sensitive information, how to manage security incidents, and how to comply with the DISP. This guide is an invaluable resource for anyone involved in the defence industry in Australia.
What is the Defence Industry Security Program?
The Australian Defence Industry Security Program (DISP) is a program designed to protect sensitive defence-related information and assets in Australia. It is managed by the Australian Department of Defence and aims to ensure that the defence industry meets stringent security standards to safeguard national security interests.
The DISP establishes security requirements and guidelines for defence industry companies that have contracts or partnerships with the Australian Department of Defence. These requirements cover personnel security, physical security, information security, and cyber security. The program is primarily focused on mitigating the risks of unauthorised access to, disclosure of, or compromise of sensitive defence information.
Under the DISP, defence industry companies are required to obtain security clearances for their personnel, implement appropriate security measures to protect classified information, and ensure the secure handling and storage of defence-related assets. The program also includes regular security audits and assessments to verify compliance with the established standards.
The DISP plays a crucial role in maintaining the integrity and security of Australia's defence industry, facilitating collaboration between the government and industry partners while ensuring that sensitive defence information remains protected.
What are the domains of DISP requirements?
The Australian Defence Industry Security Program (DISP) consists of four domains of requirements, which are governance, physical security, personnel security, and IT/cyber security. Here's an explanation of each domain:
Governance - This domain focuses on the overarching management and governance of security within defence industry companies. It involves establishing security policies, procedures, and frameworks to guide security practices. It also includes defining roles and responsibilities for security personnel, conducting risk assessments, and ensuring compliance with applicable laws and regulations. The governance domain emphasises the need for a robust security culture and effective security management systems.
Physical Security - This domain covers the physical protection of defence-related assets, facilities, and information. It involves implementing measures to prevent unauthorised access, theft, sabotage, or damage to physical resources. Physical security measures may include access control systems, video surveillance, alarm systems, secure storage areas, and visitor management protocols. The objective is to create a secure physical environment that safeguards sensitive defence information and assets.
Personnel Security - Personnel security focuses on ensuring that individuals employed by or associated with defence industry companies are trustworthy and reliable. It involves screening and vetting personnel to assess their suitability for accessing sensitive information. This may include background checks, reference checks, and security clearances. Personnel security measures also encompass ongoing education and training to promote security awareness and the reporting of suspicious activities.
IT/Cyber Security - This domain pertains to the protection of information and communication technology (ICT) systems, networks, and data from cyber threats. It involves implementing robust cyber security measures, including firewalls, intrusion detection systems, encryption, secure network configurations, and regular security patching. IT/cyber security also encompasses policies and procedures for secure data handling, incident response, and the protection of classified information in digital formats. The objective is to prevent unauthorised access, data breaches, and cyber attacks that could compromise defence-related information.
What are the DISP membership levels?
The Defence Industry Security Program (DISP) is a security program that provides a framework for managing security requirements for defence industry participants. The program ensures that the Australian Government's security requirements are met and that sensitive information and assets are protected.
The DISP has four membership levels, each with specific requirements:
Entry Level (Official/Official: Sensitive): This is the basic membership level for those handling non-sensitive information and assets. Basic security measures are required, such as physical security, personnel security, and security governance measures.
Level 1 (Protected): This membership level is suitable for those dealing with sensitive information and assets. More stringent security measures are required, such as physical security, personnel security, and security governance measures.
Level 2 (Secret): This membership level is suitable for those handling highly sensitive information and assets. Even more stringent security measures are required, such as physical security, personnel security, and security governance measures.
Level 3 (Top Secret): This membership level is suitable for those handling extremely sensitive information and assets. The most stringent security measures are required, such as physical security, personnel security, and security governance measures.
The DISP membership levels are designed to ensure that defence industry participants meet the security requirements of the Australian Government. The higher the level of membership, the more stringent the security requirements. It is essential for defence industry participants to understand the security requirements of each level and ensure that they are meeting them.
Why Join the Defence Industry Security Program (DISP)?
Joining the Defence Industry Security Program (DISP) is an essential step for any Australian business looking to work with Defence. DISP provides businesses with the resources and guidance needed to ensure they meet their security obligations when delivering Defence contracts and tenders.
DISP membership is a valuable asset to any business looking to work with Defence, as it provides access to a range of benefits. These benefits include:
- Access to Defence Contracts
- Enhanced Security Practices
- Collaboration and Networking
- Government Support and Assistance
- Competitive Advantage
- Contribution to National Security
Access to Defence Contracts
Becoming a DISP member opens up opportunities to work on contracts and projects with the Australian Department of Defence. The program serves as a prerequisite for involvement in defence-related activities and collaborations, allowing companies to compete for Defence contracts and contribute to the country's defence capabilities.
Enhanced Security Practices
DISP membership requires companies to adhere to stringent security standards and guidelines. By joining DISP, organisations can strengthen their security practices and frameworks, ensuring that they have robust measures in place to protect sensitive defence information, assets, and technologies. This can enhance the company's overall security posture and provide assurance to both government and private sector clients.
Collaboration and Networking
Being a part of DISP provides companies with opportunities to collaborate and network with other defence industry stakeholders, including government agencies, defence contractors, and research institutions. This can facilitate knowledge sharing, partnerships, and access to industry-specific expertise, which can be valuable for business growth and development.
Government Support and Assistance
DISP membership comes with the support and guidance of the Australian Department of Defence. Companies can benefit from resources, training, and assistance provided by the department to enhance their security capabilities. Additionally, DISP members receive ongoing updates, briefings, and information on emerging security threats, policies, and best practices.
Competitive Advantage
Demonstrating compliance with DISP requirements can give companies a competitive edge in the defence industry. It showcases a company's commitment to security and its ability to meet the rigorous standards set by the Australian Department of Defence. This can enhance the company's reputation, credibility, and attractiveness to potential clients and partners.
Contribution to National Security
Joining DISP allows companies to contribute to the protection of Australia's national security interests. By implementing robust security measures and safeguarding sensitive defence information, companies play a vital role in ensuring the integrity and resilience of the defence industry, which is critical for the country's defence capabilities.
What are the prerequisites for DISP?
The Defence Industry Security Program (DISP) is an Australian Government initiative that sets out the security requirements for businesses seeking to join Australia’s defence industry supply chain. In order to be eligible for DISP, businesses must meet certain prerequisites.
- First, businesses must be registered as a legal business entity in Australia. This means they must have an Australian Business Number (ABN) or Australian Company Number (ACN).
- Second, businesses must be financially solvent. This means they must have sufficient funds to cover all costs associated with their defence industry activities.
- Third, businesses must have a board director or senior executive who is able to obtain an Australian security clearance and fulfil the role of Chief Security Officer. This person is responsible for ensuring that the business meets all security requirements and for reporting any security incidents or breaches to the Australian Government.
- Fourth, businesses must have a staff member who is able to obtain an Australian security clearance and fulfil the role of Security Officer. This person is responsible for ensuring that the business meets all security requirements and for reporting any security incidents or breaches to the Australian Government.
- Fifth, businesses must create an email address in the form of “firstname.lastname@example.org”. This email address must be used for all communication with the Australian Government regarding security requirements.
- Sixth, businesses must satisfy Defence requirements around foreign ownership, control or influence (FOCI). This means that the business must not have any relationships with a listed terrorist organisation, any regimes subject to Australian sanctions laws, or any persons and/or entities on the Department of Foreign Affairs and Trade’s Consolidated List.
- Finally, businesses must have an appropriate security system in place. This includes physical security measures such as locks, alarms, and CCTV, as well as personnel security measures such as background checks and security clearances, and cyber/IT security.
In order to join the DISP, businesses must meet all of these prerequisites. By doing so, they will be able to access the benefits associated with DISP membership and have the opportunity to join, or continue to participate in, the defence industry supply chain.
How to increase the chances of achieving DISP membership?
Increasing the chances of achieving DISP membership requires a comprehensive approach to information security management. This means having the right policies, processes, and procedures in place to ensure the security of sensitive data.
To achieve DISP membership, businesses should follow these steps:
Ensure that you have an information security management system (ISMS) in place that meets the requirements of the ISO 27001 standard. This standard outlines the requirements for an ISMS and provides a framework for managing and protecting sensitive company information.
Regularly review and update your ISMS to meet the changing security landscape. This means regularly monitoring and assessing the security of your systems and data and making sure that any new risks or vulnerabilities are addressed.
Ensure that your staff are properly trained on information security. This includes educating them on the importance of data security, as well as teaching them how to identify potential threats and respond appropriately.
Ensure that you have the right security controls in place. This includes firewalls, antivirus software, encryption, access controls, and other measures to protect your data.
By following these steps, you can increase your chances of achieving DISP membership. However, following them does not guarantee that your application will succeed: you may still be rejected if your security measures are not up to scratch. It is therefore important to keep improving your security measures and to stay up to date with the latest developments in the security landscape. This will help to ensure that your systems and data remain secure and that you are able to meet the requirements for DISP membership.
How can I submit an application for DISP membership?
To apply for DISP membership, follow these steps:
Review 'Principle 16 and Control 16.1 – Defence Industry Security Program' of the Defence Security Principles Framework (DSPF) to familiarise yourself with the program's requirements.
Determine which membership level is most suitable for the nature of work your business engages in.
For further guidance on selecting the appropriate DISP membership level, consider reaching out to your Defence contract manager (if you currently have a contract with Defence) or the DISP team. If you are a supplier through a major Prime contractor, consult their Australian Industry Content representatives or review the contract they have provided. These sources will outline their expectations regarding DISP membership and the required level.
Collect the necessary evidence to demonstrate that you meet the specified requirements for Governance, Personnel security, Physical security, and ICT and cyber security. Additionally, complete the following forms:
- DISP application form: Fill out the form and save it to your computer.
- DISP foreign ownership, control, and influence declaration form: Fill out the form and save it to your computer.
- Email the completed forms to email@example.com.
By following these steps, you will be on your way to submitting your DISP membership application.
What is the duration of the DISP assessment process?
The timeframe for processing DISP membership applications varies depending on factors such as the desired level of membership, the existing level of security maturity, and the specific requirements and dependencies on internal Defence resources. Defence will prioritize the processing of DISP applications in the following order, based on the nature of your business:
- If your business has a contract with Defence to support an ongoing Defence operation.
- If your business has a contract with Defence.
- If your business is involved in the shipbuilding supply chain.
- If your business is planning to tender for a Defence opportunity or is currently engaged in negotiations for a Defence opportunity.
- If your business is applying for DISP membership without an existing relationship with Defence and no immediate tender opportunities.
The exact timeframe for each application will depend on the specific circumstances and complexity involved. Defence will work to process DISP applications as efficiently as possible within these prioritized categories.
What are the key components of a strong DISP application?
A well-prepared DISP application includes the following elements:
Chief Security Officer (CSO) and Security Officer (SO): Nominate a CSO and ensure they have undergone the appropriate security clearance. Similarly, nominate an SO and ensure they have the necessary security clearance.
Business security risk assessment: Conduct a comprehensive assessment of your business's security risks.
Security policies and plans: Have current security policies and plans in place to meet your obligations under the DSPF (and, if applicable, the Protective Security Policy Framework, PSPF). These should cover employee screening, facility security, cyber security framework implementation, risk oversight, Foreign Ownership, Control and Influence reporting, security awareness programs, and Insider Threat programs.
Employee screening: Follow the guidelines outlined in AS 4811-2006 for screening all employees, including identity checks, address history checks, character reference checks, national police checks, ASIC checks (if relevant), experience and qualification verification, social media assessment, and maintaining screening records.
Facility identification: Identify the facilities you intend to use for your Defence-related work and maintain records such as key audits, security container (safe) records, alarm system maintenance records, security guard patrol records (if applicable), and Defence Security Division accreditation certificates.
Cyber security framework: Determine and implement an appropriate cyber security framework, such as the ACSC Top 4, NIST SP 800-171, DEFSTAN 05-138, or ISO 27001. Demonstrate that the requirements of your chosen framework have been implemented.
Security risk register: Implement a security risk register or a system for effective risk oversight and management.
Foreign Ownership, Control, and Influence reporting: Regularly report any changes in your organisation's Foreign Ownership, Control, and Influence status.
Security briefings and debriefings: For DISP Level 1-3, have a mechanism in place to manage security briefings and debriefings for your security cleared staff.
Classified material management: Develop and maintain policies, plans, and procedures demonstrating your ability to manage classified material up to the required level (PROTECTED, SECRET, or TOP SECRET) based on your DISP level.
By addressing these components thoroughly and providing the necessary documentation and evidence, your DISP application will showcase a strong commitment to security and compliance.
What are the ongoing requirements after obtaining DISP membership?
Once you have obtained DISP membership, it is crucial to maintain compliance with the program's requirements throughout the year. Some of the key ongoing obligations include:
Regular security training: Conduct regular security training for your staff, including induction training for new employees.
Incident response and reporting: Promptly respond to and report any security incidents, maintaining an accurate register of incidents and your corresponding responses.
Reporting substantial changes: Notify Defence as soon as possible about any substantial changes, such as alterations in your Foreign Ownership, Control, and Influence (FOCI) status.
Ongoing employment screening: Continuously conduct employment screening and suitability checks for your staff members.
Annual Security Report (ASR): Submit an ASR to Defence each year. The ASR serves as a declaration of your DISP compliance. It should be completed by your Security Officer (SO) or Chief Security Officer (CSO) and approved or endorsed by your Board (or equivalent) before submission.
It is essential to note that maintaining compliance is as crucial as obtaining membership initially. If you are not compliant, you must take remedial action to regain compliance. Declaring compliance while being non-compliant can lead to a review of your DISP membership and potential termination.
Having a system in place to manage and fulfill these ongoing requirements is vital for achieving annual compliance and ensuring the continued success of your DISP membership.