Industry Brief: ICT Vendors & MSSPs

DISP Cyber Security Requirements

All Defence Industry Security Program (DISP) members must achieve and maintain the full Essential Eight at Maturity Level 2 (E8 ML2), mandatory from 15 November 2025 under DSPF Principle 16 Control 16.1. ICT vendors, MSSPs, cloud providers and technology consultants supplying to Australian Defence must hold current DISP membership and pass the 107-question Cyber Security Questionnaire (CSQ).

30 Sep 2024: DISP began the Essential Eight Cyber Standards Uplift Program, setting full E8 ML2 as the standard for all members

107: Control questions in the DISP Cyber Security Questionnaire Part B (ML2-aligned)

15 Nov 2025: Full E8 ML2 (all eight strategies) became mandatory; the top-4-only assessment phase concluded

Annual: Annual Security Report (ASR) submitted via the DISP Member Portal on the anniversary of the membership certificate

THE COMPLIANCE MANDATE

Why DISP Cyber Security Applies to ICT Vendors and MSSPs

The Defence Industry Security Program (DISP) applies to any entity that handles, stores, transmits, or provides services that access Commonwealth defence information — regardless of whether that entity is a manufacturer, a professional services firm, or a technology provider. ICT vendors whose software is deployed in defence environments, MSSPs monitoring defence contractor networks, and cloud providers hosting OFFICIAL: Sensitive or PROTECTED data are all subject to the same DISP obligations as prime contractors.

The cyber security obligations flow from the Defence Security Principles Framework (DSPF) Principle 16 Control 16.1, which requires all DISP members to meet or exceed the Australian Signals Directorate's Essential Eight at Maturity Level 2. This requirement was strengthened on 30 September 2024, when DISP began the Essential Eight Cyber Standards Uplift Program. Cyber Assessments against the top 4 of the Essential Eight concluded on 15 November 2025, after which the full Essential Eight at ML2 became the mandatory baseline for all DISP members.

The scope of systems subject to E8 ML2 is defined as "ICT corporate systems used to correspond with Defence." For ICT vendors, this means the systems your staff use to communicate with Defence: email, collaboration platforms, identity management, endpoints and document handling. It does not require every system in your organisation to meet E8 ML2, but because email, identity and endpoint management are usually shared across the whole company, in practice most technology companies find that the in-scope boundary covers the majority of their ICT environment. Document that boundary explicitly before assessment, since every CSQ answer and piece of evidence has to be tied to the systems inside it.

The Annual Security Report (ASR) is the primary compliance demonstration mechanism. DISP members must submit a compliant ASR to the Defence Security and Vetting Service (DSVS) annually, on the anniversary of their membership certificate. Since the 2024–2025 ASR cycle, the Essential Eight CSQ forms part of the ASR — meaning every member must now complete the 107-question questionnaire as part of their annual compliance cycle.

THE EIGHT MITIGATION STRATEGIES

Essential Eight ML2 — What Each Strategy Requires

Source: Australian Signals Directorate Essential Eight Maturity Model (ASD/ACSC). ML2 is designed to protect against adversaries who invest more time and effort than commodity attackers — the minimum standard for defence supply chain participation.

01

Application Control

Prevent unauthorised executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets from running. At ML2, application control is implemented on all workstations and internet-facing servers and restricted to an organisation-approved set, Microsoft's recommended block rules are applied, allowed and blocked execution events are logged centrally and protected from modification, and rulesets are validated at least annually.

ML2: All workstations + internet-facing servers; execution events logged; rulesets validated annually

02

Patch Applications

Apply patches, updates or vendor mitigations to internet-facing services within 48 hours when an exploit exists or the vendor rates the vulnerability critical, otherwise within two weeks. Office productivity suites, web browsers and their extensions, email clients, PDF software and security products are patched within two weeks; other applications within one month. A vulnerability scanner is run at least daily against internet-facing services, at least weekly against the office/browser/email/PDF/security category and at least fortnightly against other applications, and applications no longer supported by their vendors are removed.

ML2: 48hrs (exploited or critical, internet-facing) / 2 weeks (common desktop software) / 1 month (other applications)

03

Configure Microsoft Office Macro Settings

Macros are disabled for users without a demonstrated business requirement, blocked in files originating from the internet, blocked from making Win32 API calls and scanned by antivirus at runtime. Users cannot change these settings, and allowed and blocked macro executions are logged. Restricting macros to trusted locations or to documents signed by a trusted publisher is the stricter ML3 control, not an ML2 requirement.

ML2: Blocked for internet-sourced files and Win32 API calls; runtime AV scanning on; settings locked for users

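
As an added example (not from the original page and not part of the DISPulse product), the following PowerShell audits the Office policy values and the Defender ASR rule that back the ML2 macro controls above and reports any gap for the current user. It assumes Office 2016 or later (policy registry version key 16.0), policies delivered by GPO or Intune into the HKCU/HKLM Policies hives, and Microsoft Defender Antivirus for the Win32 API check; the function names are this example's own.

```powershell
# Added example, not from the original page. Audits the Office macro policy
# values behind the E8 ML2 macro controls and reports gaps for the current user.
# Assumptions: Office 2016+/Microsoft 365 (policy key version 16.0), policies
# delivered by GPO or Intune into the Policies hives, Microsoft Defender AV
# present for the ASR rule check. Function names are this example's own.

$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'
# Defender ASR rule "Block Win32 API calls from Office macros"
$Win32ApiRuleId = '92e97fa1-2edf-4476-bdd6-9dd0b4dddc7b'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A missing policy value means "not configured", which fails the control.
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-AppMacroPolicy {
    param([string]$App)
    $base = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    # 1 = block macros in files carrying Mark-of-the-Web (internet-sourced)
    $blockInternet = Get-PolicyValue $base 'blockcontentexecutionfrominternet'
    # VBAWarnings: 4 = disable all without notification, 3 = disable all except
    # digitally signed, 2 = disable with notification, 1 = enable all macros
    $vbaWarnings = Get-PolicyValue $base 'VBAWarnings'
    [pscustomobject]@{
        App                  = $App
        BlocksInternetMacros = ($blockInternet -eq 1)
        MacrosDisabled       = ($vbaWarnings -in 3, 4)
        VBAWarnings          = $vbaWarnings
    }
}

function Test-MacroRuntimeScan {
    # Machine-wide AMSI runtime scanning of macros: 2 = enabled for all documents
    $path = "HKLM:\SOFTWARE\Policies\Microsoft\Office\$OfficeVersion\Common\Security"
    (Get-PolicyValue $path 'MacroRuntimeScanScope') -eq 2
}

function Test-Win32ApiBlock {
    # The ASR rule must be present with action 1 (Block); Audit (2) or absent fails.
    try {
        $pref = Get-MpPreference -ErrorAction Stop
        $ids = @($pref.AttackSurfaceReductionRules_Ids)
        for ($i = 0; $i -lt $ids.Count; $i++) {
            if ($ids[$i] -ieq $Win32ApiRuleId) {
                return ($pref.AttackSurfaceReductionRules_Actions[$i] -eq 1)
            }
        }
        return $false
    } catch { return $false }
}

$results = $Apps | ForEach-Object { Test-AppMacroPolicy $_ }
$results | Format-Table -AutoSize
$amsi  = Test-MacroRuntimeScan
$win32 = Test-Win32ApiBlock
"Macro runtime (AMSI) scanning for all documents: $amsi"
"Win32 API calls from macros blocked (ASR):       $win32"

$gaps = @($results | Where-Object { -not ($_.BlocksInternetMacros -and $_.MacrosDisabled) })
if ($gaps.Count -gt 0 -or -not $amsi -or -not $win32) {
    Write-Warning "E8 ML2 macro configuration gaps found; see values marked False"
    exit 1
}
"All checked ML2 macro settings are present"
```

Run it as the user being assessed (the per-application values live under HKCU), and keep the output with the CSQ evidence for the control. Because the values are read from the Policies hives rather than the user's own Office settings, a pass also demonstrates that the configuration is enforced centrally and cannot be changed by the user, which is the part of the ML2 wording most often missed.
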
04

User Application Hardening

Web browsers do not process Java or web advertisements from the internet, and Internet Explorer 11 is disabled or removed. Microsoft Office is blocked from creating child processes and executable content and from injecting code into other processes, and Office and PDF software cannot activate OLE packages. PowerShell runs in Constrained Language Mode, with module, script block and transcription logging enabled alongside command-line process creation logging. Users cannot change browser, Office or PDF security settings. Flash, listed in older editions of the model, is end-of-life and no longer referenced.

ML2: Java/ads blocked; IE11 removed; Office child processes and OLE blocked; PowerShell CLM + logging

05

Restrict Administrative Privileges

Requests for privileged access are validated when first made, revalidated at least every 12 months and disabled after 45 days of inactivity. Privileged accounts (other than privileged service accounts) cannot access the internet, email or web services. Privileged users work from a separate privileged operating environment that is not virtualised inside an unprivileged one; unprivileged accounts cannot log on to privileged environments and privileged accounts cannot log on to unprivileged ones. Administrative activities are conducted through jump servers, credentials for break-glass, local administrator and service accounts are long, unique, unpredictable and managed, and privileged access and privileged account/group management events are logged. Secure admin workstations and just-in-time administration are ML3 controls, not ML2 requirements.

ML2: Separate privileged environments; jump servers; 12-month revalidation; privileged events logged

06

Patch Operating Systems

Apply operating system patches to internet-facing servers and internet-facing network devices within 48 hours when an exploit exists or the vendor rates the vulnerability critical, otherwise within two weeks. Workstations, non-internet-facing servers and non-internet-facing network devices are patched within one month. A vulnerability scanner runs at least daily against internet-facing systems and at least fortnightly against the rest, and operating systems no longer supported by their vendors are replaced.

ML2: 48hrs (exploited or critical, internet-facing) / 2 weeks (other internet-facing) / 1 month (workstations and internal)

07

Multi-Factor Authentication

MFA is required for users of the organisation's own and third-party online services that handle its sensitive data, for customers of online customer services that hold sensitive customer data, and for both privileged and unprivileged users of systems. MFA must combine something users have with something they know, or something they have that is unlocked by something they know or are. At ML2 the MFA used for users of online services and of systems must be phishing-resistant (for example FIDO2 security keys, smart cards or device-bound passkeys, rather than SMS or push codes), customers must be offered a phishing-resistant option, and successful and unsuccessful MFA events are logged.

ML2: All online services + all users of systems; phishing-resistant; MFA events logged

08

Regular Backups

Backups of data, applications and settings are performed and retained in line with business criticality and continuity requirements, synchronised so that systems can be restored to a common point in time, and held in a secure and resilient manner. Restoration is tested as part of disaster recovery exercises. Unprivileged accounts, and privileged accounts other than backup administrators, cannot access, modify or delete backups belonging to other accounts. The model does not fix a backup interval or a test cadence; the daily, offline-copy and quarterly-test targets often quoted are implementation choices rather than ML2 wording.

ML2: Per continuity requirements; common-point-in-time restore; DR-tested; backups protected from non-backup-admin accounts

WHO NEEDS DISP

Which ICT Organisations Require DISP Membership

Software Vendors

Supplying software to CASG or ADF systems
Hosting Defence data in cloud environments
Providing SaaS platforms to DISP members
Developing capability management systems
DISP Entry Level + E8 ML2 + Annual ASR

Managed Security Providers

SOC services monitoring Defence contractor environments
SIEM platform access to Defence-adjacent systems
Endpoint detection and response (EDR) management
Vulnerability scanning and penetration testing
DISP membership + E8 ML2 on MSSP systems

Cloud Service Providers

Hosting OFFICIAL: Sensitive or PROTECTED data
Providing IaaS/PaaS to defence prime contractors
Managed cloud environments for DISP members
Backup and disaster recovery for Defence data
DISP + IRAP assessment (for PROTECTED)

Network & Infrastructure

Managing network infrastructure at Defence facilities
Providing SD-WAN or MPLS connectivity to CASG
Maintaining communications systems for ADF
Physical and logical access control systems
DISP membership + physical security controls

MEMBERSHIP LEVELS

DISP Membership Levels and Cyber Requirements

Level        | Classification                 | E8 requirement            | Assessment                       | Typical for
Entry Level  | OFFICIAL / OFFICIAL: Sensitive | ML2 mandatory             | 107-question CSQ                 | Most ICT vendors and MSSPs
Level 1      | PROTECTED                      | ML2 + additional controls | Extended CSQ + site assessment   | Cloud providers hosting PROTECTED data
Level 2      | SECRET                         | ML2 + ISM controls        | Full CSQ + Deep Dive Audit       | Classified programme ICT suppliers
Level 3      | TOP SECRET                     | ML3 + full ISM            | Full CSQ + continuous monitoring | Highly sensitive capability ICT

Source: defence.gov.au — Defence Industry Security Program eligibility and suitability

DISPULSE FOR ICT VENDORS

107 CSQ Controls. Continuous Monitoring. 1-Click ASR.

The DISP Cyber Security Questionnaire Part B contains 107 ML2-aligned control questions. Completing it manually — gathering evidence, mapping controls to systems, and documenting policies — typically takes 6 to 12 weeks for an ICT organisation without a dedicated compliance team. Repeating this process annually for the ASR compounds the burden.

DISPulse eliminates this cycle. The platform continuously monitors your Essential Eight posture across all in-scope systems, maintaining a live evidence base mapped to each of the 107 CSQ controls. When your ASR is due, DISPulse generates a pre-formatted, DSVS-ready report in one click — with all required attestations, control evidence, and gap documentation included.

For MSSPs managing multiple client environments, DISPulse provides a multi-tenant compliance dashboard with client-level visibility, gap identification, and remediation tracking. This enables MSSPs to offer DISP compliance monitoring as a managed service to their defence contractor clients — creating a new revenue stream while strengthening the entire defence supply chain.

DISPulse also covers PSPF, CMMC 2.0, and ISM controls simultaneously — giving ICT vendors with US DoD contracts or AUKUS Pillar II involvement a single platform for multi-framework compliance without duplicate evidence collection.


E8 GAP ASSESSMENT

Book Your Essential Eight ML2 Assessment

We assess your ICT environment against all 107 CSQ controls and deliver a prioritised remediation register within 5 business days.

COMPLIANCE DEADLINE

Full E8 ML2 (all 8 strategies) has been mandatory since 15 November 2025. DISP members who completed only the top-4 uplift are now non-compliant and subject to Ongoing Suitability Assessment action.

COMPLIANCE FRAMEWORKS

E8 ML2: ASD Essential Eight Maturity Level 2
DSPF: Defence Security Principles Framework
DISP: Defence Industry Security Program
PSPF: Protective Security Policy Framework
ISM: Information Security Manual (ASD)
CMMC 2.0: US DoD Cybersecurity Maturity Model Certification

SERIOUS DEFENCE

Your DISP Cyber Journey.
Our Platform.

Serious Defence has guided ICT vendors, MSSPs, and cloud providers through DISP accreditation and Essential Eight ML2 uplift. DISPulse is the only platform built specifically for the DISP compliance lifecycle — from CSQ preparation through to 1-click Annual Security Report generation.

E8 ML2 gap assessment against all 107 CSQ controls
DISP application preparation and CSQ completion support
Essential Eight uplift implementation and evidence collection
Sovereign cloud (DISPeer) for OFFICIAL: Sensitive and PROTECTED data
Annual Security Report generation in one click via DISPulse
Ongoing compliance monitoring — DISP, PSPF, CMMC 2.0, ISM