Demystifying the DISP (Defence Industry Security Program)
- On 15/12/2020
Demystifying the DISP – The Defence Industry Security Program (DISP) was specifically developed for companies that work with the Australian Department of Defence. Not every entity that works for Defence is required to apply for membership of the Program, but as a general rule, if project work is potentially sensitive then membership will usually be considered. It is compulsory when entities are required to:
- work on classified information or assets;
- store or transport weapons or explosive ordnance;
- provide security services for Defence bases and facilities; and
- meet a Defence business requirement for DISP membership written into the contract.
Recent changes to the DISP
The DISP has undergone major changes in recent times, concurrent with shifting Defence functions and a rewrite of the now-superseded Defence Security Manual (DSM). Its replacement, the Defence Security Principles Framework (DSPF), was prepared to better align with the Commonwealth Protective Security Policy Framework (PSPF), which was itself updated and re-released in October 2018, and to provide a platform for avoiding a one-size-fits-all approach to security.
The Defence Industry Security Office (DISO) essentially acts as overseer of the Program and its industry members. The Office’s role includes vetting entity applications, conformance auditing and general security advisory support to Defence Industry. It is certainly a helpful function in demystifying the DISP, and experience is that the DISO takes an accommodating approach to applicants.
Pre-requisites for joining the DISP
There are several requirements to note in seeking to join the DISP. Adapted from DISP website guidance, businesses need to:
- Be registered as a legal business entity in Australia (i.e. have an ABN or ACN).
- Be financially solvent.
- Have a board director or senior executive able to obtain an Australian security clearance and fulfil the role of a Chief Security Officer.
- Have a staff member able to obtain an Australian security clearance and fulfil the role of Security Officer (NB: the Chief Security Officer and Security Officer can be the same person) – for information on security clearances visit the AGSVA website.
- Create an email address in the form of: disp(at)insertyourbusinessname.xxx.xx.
- Satisfy Defence requirements around foreign ownership, control or influence (FOCI) (see the FOCI fact sheet for more information).
- Not have any relationships with a listed terrorist organisation.
- Not have any relationships with regimes subject to Australian sanctions laws including the United Nations Security Council (UNSC) sanctions regimes and Australian autonomous sanctions regimes.
- Not have any relationship with persons and/or entities on the Department of Foreign Affairs and Trade’s Consolidated List.
Other pre-requisites include specific training obligations for designated staff and for all company staff (i.e. not just those with security clearances or working on Defence projects), preparation of designated policies and plans, and minimum cybersecurity standards for systems used to “…correspond with Defence” (several different standards are accepted, and options exist for self-accreditation [at present]).
Where a prospective business meets these criteria, representatives must download and electronically sign the AE250 application form, along with the Foreign Ownership, Control or Influence (FOCI) form. Where an entity is compelled by Defence to join, it will receive a Notification of Engagement requiring DISP Membership (AE250-2).
[Image caption: Defence Industry has become extremely diverse as specialist needs have broadened]
Still some way to go in Demystifying the DISP
Even if the new processes seem straightforward enough, those who take a literal view of policy guidance (as one would be expected to do when dealing with an organisation like Defence) may struggle with implied requirements and interpretations.
For example, the DISO intends that its guidance be applied across entire DISP member companies, not just to those areas and personnel that work on Defence projects or hold security clearances. While this may be suitable for smaller entities, which would likely welcome pre-prepared security policy governance, it poses potentially unworkable problems for larger companies.
Improvements are also required in relation to the quality of supplied documents. For example, the supplied security risk assessment (SRA) templates are based on the superseded version of ISO 31000, which was updated in 2018. SRA methods are also, arguably, not yet perfected. Rigid MS Word templates seem especially outdated these days, when smart SRA systems (interest declared) are available online in suitably protected, IRAP-compliant environments.
There is also a requirement for ‘all’ company security incidents to be reported to Defence. This may prove problematic, especially where the significant majority have nothing to do with Defence. It is appreciated that otherwise unlinked incidents can sometimes be grouped to join the dots on issues of greater concern, but the practical effect is more likely to be under-reporting, which weakens the likelihood of achieving the intended outcome. This is compounded by the dual-system obligation (i.e. internal reporting and then Defence reporting). It is also plausible that Defence itself would become subject to ‘incident report analysis fatigue’, given the tempo of relatively minor security incidents that occur across the industry.
Further, the “Security Policies and Plans” templates available for download on the DISP website are not actually policies and plans. At best they are directive statements that would be more at home in a set of SOPs. The audience for such documentation is also unclear at times, so the messaging is inconsistent, often confused, and regularly duplicated.
While these are critically important documents that purport to frame security requirements for DISP businesses, the issues described are operational problems (ideally resolved sooner rather than later, given the current global security dynamics at play in the Defence domain) at a time when the present focus is no doubt on matters of strategy. Addressing them would nonetheless certainly aid in demystifying the DISP and help smooth the application and assurance processes.
Why the focus on Security in Defence Industry?
Defence Industry must be seen for what it is – the relatively soft underbelly of next-generation Defence capabilities. Today’s compromises could well cause tomorrow’s battlespace failures, and this could quite realistically result in catastrophic national impacts. Demystifying the DISP for applicants and for those expected to comply with ongoing obligations is considered key to achieving successful outcomes.
Further, many individuals within Defence Industry are not initially recruited on the basis of being required to work on Defence projects. As such, organisational culture does not routinely align with the expectations of Defence itself, and hence with the current efforts of the DISO.
Finally, security often holds a lesser priority than project delivery and perhaps other functional requirements across industries. Within the DISP, every effort must be made to ensure that security is afforded the appropriate degree of attention, consistent with the conformance and risk-based requirements of Defence, and indeed those of DISP members. The recent revamp of the Program is a positive step.
Yours in security risk and resilience,
Konrad Buczynski
Industry Risk is Australia’s shining light in solutions for security risk and business resilience. We welcome opportunities to assist entities in getting to a security baseline, then acting as guide in more advanced (proactive) endeavours.
*Information presented within this article was procured through open sources, and in most cases the DISP website itself.
** The author was previously an Australian Army Officer (RASigs/telecommunications) and subsequently the Chief Security Officer and Crisis/Business Continuity Program Manager for Thales Australia, the largest Defence prime contractor in the region at the time.