
AUKUS Compliance for Australian Defence Companies

AUKUS is reshaping the compliance landscape for Australian defence companies. Participation in the AUKUS industrial base now requires simultaneous compliance with Australian, US, and UK security frameworks — creating a new multi-jurisdictional compliance burden that most companies are not yet prepared for.

What AUKUS Means for Australian Industry

The AUKUS security partnership, announced in September 2021, is the most significant restructuring of Australia's defence industrial base in decades. Under Pillar I, Australia will acquire nuclear-powered submarines through a trilateral arrangement with the US and UK. Under Pillar II, the three nations are collaborating on advanced capabilities including quantum technologies, AI, cyber, hypersonics, electronic warfare, and undersea capabilities.

For Australian industry, the critical implication is that companies participating in AUKUS programmes — particularly Pillar II technology development — will be required to meet the security standards of all three nations simultaneously. This means Australian DISP requirements, US CMMC 2.0 requirements, and UK Cyber Essentials Plus requirements may all apply to the same company, the same systems, and the same personnel — depending on the nature of the work and the classification of information involved.

The AUKUS Critical Minerals and Industrial Base Working Group, established in 2024, is actively developing harmonised supply chain security requirements. However, until harmonisation is achieved, Australian companies must navigate each framework independently — and the compliance burden is substantial.

Australia

DISP + DSPF

Essential Eight ML2 minimum for all DISP members. DSPF compliance for physical and personnel security. Mandatory for any company handling Australian classified defence information.

United States

CMMC 2.0 + ITAR

CMMC 2.0 Level 2 for contracts involving Controlled Unclassified Information (CUI). ITAR compliance for technology on the US Munitions List: DDTC registration is an obligation on entities that manufacture, export or broker defence articles in the United States, while an Australian company with no US operations is normally a foreign party to a US export authorisation (or an authorised user under the AUKUS exemption at 22 CFR 126.7) and is bound by its terms. Required for US DoD contracts and AUKUS Pillar II work involving US technology.

United Kingdom

Cyber Essentials Plus + JSP 440

Cyber Essentials Plus certification for UK MoD contracts. JSP 440 compliance for handling UK classified information. Required for UK MoD contracts and AUKUS Pillar II work involving UK technology.

The AUKUS Compliance Stack

For an Australian company seeking to participate in AUKUS Pillar II programmes, the compliance obligations stack as follows. Each layer builds on the previous, and the total compliance burden is significantly greater than any single framework in isolation.

Layer 1
Required

DISP Membership (Baseline)

The foundation. Every Australian company handling classified defence information or seeking to participate in Australian defence programmes must hold DISP membership. Since October 2024, this requires Essential Eight ML2 compliance as a minimum. DISP membership is the gateway to Australian defence contracts and is a prerequisite for handling Australian classified information in AUKUS programmes.

Essential Eight ML2 (107 requirements)
DSPF physical and personnel security
Annual Security Report
Security Incident Reporting

Layer 2
Required

CMMC 2.0 Level 2 (for US DoD work)

Required for any company handling US Controlled Unclassified Information (CUI), which includes most AUKUS Pillar II technology development work. CMMC 2.0 Level 2 adds 110 practices across 14 control domains, with particular emphasis on governance documentation (SSPs, POA&Ms), incident response, awareness training, and supply chain risk management.

110 NIST SP 800-171 Rev. 2 requirements
System Security Plan (SSP)
Plan of Action & Milestones (POA&M)
Third-party C3PAO assessment (a subset of Level 2 contracts permit an annual self-assessment instead; the solicitation specifies which)
Supply chain security requirements

Layer 3
Conditional

ITAR Compliance (and DDTC Registration Where Applicable)

Applies to work involving defence articles, technical data and defence services on the US Munitions List (USML). AUKUS Pillar II work in quantum, hypersonics and electronic warfare is likely to involve ITAR-controlled technology. Registration with the US State Department's Directorate of Defense Trade Controls (DDTC) is required of persons who manufacture, export or temporarily import defence articles in the United States, and of brokers; an Australian company without US operations usually receives ITAR technical data as a foreign party to a Technical Assistance Agreement (TAA) or licence, or as an authorised user under the AUKUS exemption (22 CFR 126.7, in force since 1 September 2024). Either way it must implement a Technology Control Plan (TCP) and comply with the provisos and retransfer restrictions of the authorisation under which it received the data. Australia's own Defence Trade Controls Act 2012, as amended in 2024, separately makes it an offence to supply DSGL technology to foreign persons within Australia outside the permitted exemptions.

DDTC registration (where the company manufactures, exports or brokers defence articles in the US)
Technology Control Plan (TCP)
Export licence and agreement (TAA/MLA) management
Deemed export controls for foreign nationals (under ITAR and, within Australia, the DTC Act)
Record-keeping requirements (5 years)

Layer 4
Conditional

UK Cyber Essentials Plus (for UK MoD work)

Required for UK MoD contracts whose cyber risk profile under Def Stan 05-138 calls for it (DEFCON 658 flows the requirement into the contract), including AUKUS Pillar II work through UK primes. Handling UK classified information is governed separately by JSP 440 and the associated clearance regime, not by Cyber Essentials. Cyber Essentials Plus is the UK government's baseline cybersecurity certification scheme, covering firewalls and internet gateways, secure configuration, user access control, malware protection, and security update (patch) management. It is assessed hands-on by an accredited certification body, and the certification must be renewed annually.

Annual certification
Firewall and internet gateway controls
Secure configuration
User access control
Malware protection
Patch management

AUKUS Pillar II: The Capability Areas and Their Compliance Implications

AUKUS Pillar II covers eight advanced capability areas. Each has distinct compliance implications depending on the classification level of the technology involved and the nationality of the prime contractor.

Capability Area                              DISP Required   CMMC Likely   ITAR Risk
Undersea Capabilities                        Yes             Likely        High
Quantum Technologies                         Yes             Likely        High
Artificial Intelligence & Autonomy           Yes             Likely        Medium
Advanced Cyber                               Yes             Likely        High
Hypersonics & Counter-Hypersonics            Yes             Likely        High
Electronic Warfare                           Yes             Likely        High
Innovation, Industrial Base & Supply Chain   Yes             Possible      Low-Medium
Information Sharing                          Yes             Likely        Medium

Sources: AUKUS Pillar II Capability Areas (defence.gov.au); CMMC Program Final Rule, 32 CFR Part 170 (federalregister.gov, October 2024), with the DFARS acquisition rule that began phased enforcement in November 2025; ITAR USML Categories, 22 CFR 121 (ecfr.gov). ITAR risk assessment is indicative only; specific technology classification requires legal advice from an ITAR-qualified export control attorney.

What Australian Companies Must Do Now

The AUKUS compliance timeline is compressing. CMMC 2.0 Phase 1 began in November 2025, with full rollout across all US DoD contracts by 2028. DISP E8ML2 requirements are already in effect. Companies that begin their compliance journey now will be positioned to bid on AUKUS contracts as they are released; companies that delay will find themselves locked out of the most significant defence procurement programmes in Australia's history.

1

Achieve DISP Membership with E8ML2 Compliance

Immediate

If your company does not yet hold DISP membership, this is the first and most urgent priority. The DISP application backlog has been running at 6–12 months, and the E8ML2 requirement means companies must complete a significant cybersecurity uplift before applying. Start now — every month of delay is a month your competitors are getting ahead.

2

Conduct a CMMC 2.0 Gap Assessment

Immediate

Commission a gap assessment against CMMC 2.0 Level 2 requirements. This will identify the specific controls and documentation you need to develop, estimate the remediation effort and cost, and allow you to build a realistic roadmap to certification. Companies that have already achieved E8ML2 typically have 40–50% of CMMC requirements in place; the remaining 50–60% is primarily governance and documentation work.

3

Develop Your System Security Plan (SSP)

6–12 months

The SSP is the cornerstone of CMMC compliance and the most time-consuming document to produce. It requires a complete inventory of all systems in scope, a description of how each of the 110 CMMC practices is implemented, and identification of all gaps. For most companies, this is a 3–6 month project. Starting early is essential — C3PAO assessment queues are already forming.

4

Assess Your ITAR Exposure

Before bidding on US work

Before bidding on any AUKUS Pillar II work involving US technology, assess whether the technology is subject to ITAR. This means determining whether it is enumerated on the US Munitions List (USML, controlled under ITAR) or, if not, how it is classified on the Commerce Control List (CCL, controlled under the EAR). If ITAR applies, confirm that the US provider holds an export authorisation naming your company, or that the transfer qualifies under the AUKUS exemption, and implement a Technology Control Plan before receiving the technical data; register with the DDTC only if your company itself manufactures, exports or brokers defence articles in the United States. Failure to comply with ITAR carries severe civil and criminal penalties.

5

Extend Security Requirements to Your Supply Chain

Ongoing

Both CMMC 2.0 and AUKUS supply chain security requirements cascade down to subcontractors. If your subcontractors handle CUI or classified information, they must also meet the relevant compliance requirements. Audit your supply chain, identify gaps, and either require subcontractors to achieve compliance or change your supply chain to use compliant providers.

How Serious Defence Supports AUKUS Compliance

Serious Defence is one of the few Australian consultancies with deep expertise across all three AUKUS compliance frameworks — DISP/DSPF, CMMC 2.0, and UK Cyber Essentials Plus. Our integrated approach means you build your compliance programme once and satisfy all three frameworks, rather than running three separate compliance projects.

DISP Application & E8ML2 Uplift

End-to-end DISP application management, from eligibility assessment through to membership approval. Includes E8ML2 gap assessment, remediation roadmap, and IRAP assessment preparation.

CMMC 2.0 Readiness Programme

Structured 6–12 month programme to achieve CMMC 2.0 Level 2 readiness. Includes gap assessment, SSP development, POA&M management, and C3PAO assessment preparation.

Dual-Framework Compliance

Integrated programme that achieves E8ML2 and CMMC 2.0 Level 2 simultaneously, with shared evidence and documentation. Typically 30–40% more efficient than running two separate programmes.

DISPulse Platform

Our GRC platform maps your control evidence to DISP, E8ML2, CMMC 2.0, and ISO 27001 simultaneously. Real-time compliance posture, automated evidence collection, and audit-ready reporting.

AUKUS Compliance: Frequently Asked Questions

Does AUKUS automatically require CMMC 2.0 compliance for Australian companies?

Not automatically. CMMC 2.0 requirements are triggered by US DoD contracts that involve Controlled Unclassified Information (CUI). Australian companies working on AUKUS Pillar II programmes through US prime contractors, or bidding directly on US DoD contracts, will likely encounter CMMC requirements. Companies working exclusively on Australian AUKUS programmes through Australian primes may not face CMMC requirements directly — but their US prime contractors may flow down CMMC requirements through their supply chain.

Can we use our DISP IRAP assessment as evidence for CMMC?

Partially. An IRAP assessment report documenting E8ML2 compliance can be used as evidence for the CMMC control domains that overlap with the Essential Eight: primarily System and Information Integrity (patching), Identification and Authentication (MFA), Access Control (restriction of administrative privileges) and some Configuration Management controls (application control, Office macro and user application hardening). However, CMMC Level 2 certification requires an assessment by a C3PAO accredited by the Cyber AB, and an IRAP report on its own is not sufficient for certification; it shortens evidence collection rather than replacing the assessment.

How long does it take to achieve CMMC 2.0 Level 2 certification?

For a company starting from scratch, achieving CMMC 2.0 Level 2 certification typically takes 12–18 months. For a company that has already achieved E8ML2, the timeline is typically 6–12 months, as the technical controls are largely in place and the remaining work is primarily governance documentation and process development. C3PAO assessment queues are currently running at 3–6 months, so planning ahead is essential.

What is the difference between ITAR and EAR?

ITAR (International Traffic in Arms Regulations) controls the export of defence articles and services on the US Munitions List (USML). EAR (Export Administration Regulations) controls the export of dual-use items on the Commerce Control List (CCL). AUKUS work involving advanced military technologies is most likely to be subject to ITAR. Determining which regime applies to specific technology requires legal advice from an ITAR/EAR-qualified export control attorney.

Does AUKUS affect small and medium-sized Australian defence companies?

Yes, significantly. AUKUS Pillar II is explicitly designed to involve the broader defence industrial base, including SMEs with advanced technology capabilities in quantum, AI, cyber, and hypersonics. The compliance burden falls equally on SMEs and large primes — but the relative cost is much higher for smaller companies. This is why integrated, efficient compliance programmes that satisfy multiple frameworks simultaneously are particularly valuable for SMEs.