[DEFENCE CONTRACTOR COMPLIANCE]

DEFENCE CONTRACTOR COMPLIANCE

DISP, DSPF, ITAR and CASG requirements for Australian defence contractors — what you need, when you need it, and how to get there.

3,000+ active DISP members in Australia
67% first-attempt rejection rate
3–6 months typical compliance timeline
[COMPLIANCE REQUIREMENTS]

WHAT COMPLIANCE DOES AN AUSTRALIAN DEFENCE CONTRACTOR NEED?

Requirements depend on the classification level of information accessed, the nature of the work, and the contracting entity.

Framework | When Required | Administered By | Typical Timeline
DISP Membership | Access to classified info (PROTECTED+), controlled technology, or Defence facilities | DISO (Dept of Defence) | 3–6 months (Baseline)
DSPF Compliance | All entities working with Defence — embedded in DISP obligations | Dept of Defence | Ongoing — part of DISP
Essential Eight ML2 | Mandatory for all DISP Baseline members since Oct 2024 | ASD / ACSC | 3–6 months uplift
IRAP Assessment | Required as part of DISP application for ICT systems | ACSC-accredited assessors | 4–8 weeks
ITAR Compliance | Work involving US-origin defence articles or technical data | US State Dept / DECO | Ongoing — licence-based
AGSVA Clearances | Personnel requiring access to classified information | AGSVA (Dept of Defence) | 3–12 months per person
[THE JOURNEY]

THE DEFENCE CONTRACTOR COMPLIANCE JOURNEY

From pre-bid assessment to ongoing compliance management — the six phases every defence contractor must navigate.

[01]

Pre-Bid Assessment

Before bidding on a classified Defence contract, assess whether DISP membership is required and at what level. Review the Contract Security Requirements (CSR) document and determine the gap between your current posture and what is required.

[02]

Gap Analysis & Remediation

Conduct a formal gap analysis across all four DISP security domains. Remediate identified gaps — particularly Essential Eight ML2 for ICT systems, which is the most common and time-consuming gap for most organisations.

[03]

IRAP Assessment

Engage an ACSC-accredited IRAP assessor to assess your ICT systems against Essential Eight ML2 requirements. Address any findings before submitting your DISP application.

[04]

Security Plan Preparation

Prepare the Security Plan — the centrepiece of the DISP application. The Security Plan documents your security posture across all four domains and must be comprehensive, accurate, and evidence-backed.

[05]

DISO Application Submission

Submit the complete DISP application through the DISP Member Portal. DISO will assess the application and may request additional information. First-attempt approval typically takes 3–6 months from submission.

[06]

Ongoing Compliance Management

Post-membership, maintain compliance through annual ASR submission, continuous E8 ML2 maintenance, clearance renewals, and proactive notification of material changes to DISO.

[WHY CONTRACTORS FAIL]

WHY DEFENCE CONTRACTOR COMPLIANCE APPLICATIONS FAIL

67% first-attempt rejection rate for DISP applications
Inadequate Security Plan

The Security Plan lacks the depth, evidence, or specificity required by DISO. Generic or template-based plans are a common rejection trigger.

Essential Eight ML2 Gaps

ICT systems are not compliant with Essential Eight ML2 at the time of application. IRAP findings are not remediated before submission.

Applying at the Wrong Level

Applying for NV1 when Baseline is sufficient, or vice versa. The wrong level means the wrong requirements — and a guaranteed rejection.

Incomplete Personnel Clearances

The SO or FSO does not hold the required clearance level at the time of application, or clearance applications have not been submitted.

Physical Security Non-Compliance

Facilities do not meet DSPF physical security requirements for the classification level. Common gaps include inadequate access control, insufficient secure storage, and missing CCTV coverage.

No IRAP Assessment

Submitting a DISP application without a current IRAP assessment of in-scope ICT systems. DISO requires IRAP evidence for all applications.

Insufficient Evidence

Claims in the Security Plan are not supported by documentary evidence. DISO requires evidence for every security control claimed.

Late or Incomplete Submission

Missing documents, unsigned declarations, or incomplete sections in the application package. DISO will return incomplete applications without assessment.

[FAQs]

DEFENCE CONTRACTOR COMPLIANCE — FAQs

5 key questions about defence contractor compliance in Australia.

What compliance does an Australian defence contractor need?

Australian defence contractors typically need: DISP membership (mandatory for access to classified information or controlled technology); compliance with the Defence Security Principles Framework (DSPF); Essential Eight Maturity Level 2 for ICT systems; and potentially ITAR compliance if the contract involves US-origin defence articles or technical data. The specific requirements depend on the classification level of information accessed, the nature of the Defence work, and the contracting entity (Commonwealth, prime contractor, or subcontractor).

Is DISP mandatory for defence contractors?

DISP membership is mandatory for any organisation that requires access to classified Defence information (PROTECTED and above), controlled technology, or Defence facilities. It is not mandatory for all defence supply chain work — organisations performing unclassified work may not require DISP membership. However, most significant Defence contracts require DISP membership, and primes increasingly require subcontractors to hold DISP membership as a condition of engagement.

What is the DSPF and how does it relate to DISP?

The Defence Security Principles Framework (DSPF) is the overarching security policy framework for the Australian Department of Defence. It sets out the security principles and controls that apply to all entities working with Defence. DISP is the mechanism through which industry entities demonstrate compliance with the DSPF — specifically Principle 16 (Industry Security). Achieving DISP membership means the organisation has been assessed as meeting the relevant DSPF requirements for its membership level.

What is CASG and what are its compliance requirements?

CASG (Capability Acquisition and Sustainment Group) is the Defence organisation responsible for acquiring and sustaining Defence capability. CASG contracts typically include specific security requirements in the Contract Security Requirements (CSR) document, which specifies the DISP membership level required, clearance levels for key personnel, and any additional security obligations. Contractors must meet all CSR requirements before commencing classified work under a CASG contract.

How long does defence contractor compliance take?

The timeline for achieving full defence contractor compliance depends on the starting point and target membership level. For a Baseline DISP application with no significant gaps, the process typically takes 3–6 months from engagement to DISO approval. For organisations with significant Essential Eight gaps or complex ICT environments, the timeline can extend to 9–12 months. Personnel clearances (AGSVA) add additional time — Baseline clearances typically take 3–6 months, NV1 clearances 6–12 months.

[NEXT STEP]

START YOUR COMPLIANCE JOURNEY TODAY.

Book a free Defence Contractor Compliance Assessment. We'll map your requirements, identify your gaps, and give you a structured path to first-attempt DISP approval.