Critical Compliance Dates
- 30 September 2024 — DISP strengthened its cyber standard, requiring all members to achieve Essential Eight ML2.
- 15 November 2025 — Cyber Assessments against the legacy Top 4 strategies concluded. Full E8 ML2 now mandatory for all members.
- 2026 ASR cycle — Annual Security Reports must reflect full E8 ML2 compliance across all eight strategies.
Why the Essential Eight ML2 Uplift Matters
The Defence Industry Security Program (DISP) has long required defence contractors to implement cyber security controls aligned with the Australian Signals Directorate (ASD) Essential Eight framework. For years, the minimum standard was the "Top 4" strategies at Maturity Level 1 — a baseline that provided meaningful but limited protection. That era is now over.
The shift to full Essential Eight at Maturity Level 2 reflects the reality that defence supply chains are high-value targets for sophisticated threat actors. Advanced persistent threats, ransomware groups, and state-sponsored actors routinely probe defence contractors precisely because they hold sensitive technical data, contract information, and access to classified systems. ML1 controls — which protect against opportunistic, commodity-level attacks — are no longer sufficient for the threat environment facing Australian defence industry participants.
Maturity Level 2 is designed to protect against adversaries who invest significant time and effort in targeted attacks. It requires not just that controls are implemented, but that they are actively managed, monitored, and verified. The difference between ML1 and ML2 is the difference between having a lock on the door and having a monitored alarm system with regular testing.
What Systems Are in Scope?
DISP requires Essential Eight ML2 across your ICT corporate systems used to correspond with Defence. This is a deliberately broad definition that covers the full range of systems through which your organisation communicates, collaborates, and shares information with the Department of Defence and its supply chain partners.
In practice, this means your email infrastructure, identity and access management systems, collaboration platforms (such as Microsoft 365 or Google Workspace), all managed endpoints (laptops, desktops, servers), document management systems, and any cloud services used to store or process defence-related information. If a system touches defence work in any way, it is almost certainly in scope.
Organisations that maintain a separate, dedicated ICT environment for defence work — sometimes called a "defence enclave" — can limit their ML2 scope to that environment. However, this approach requires careful network segregation and governance controls to ensure the boundary between corporate and defence systems is genuinely enforced and auditable.
The Eight Strategies at Maturity Level 2
The following list summarises what each of the eight mitigation strategies requires at ML2, using the November 2023 revision of the ASD Essential Eight Maturity Model. Each strategy builds on its ML1 foundation by widening coverage and adding central logging, locked-down settings, and verification requirements. Each entry gives the requirement followed by a one-line summary.
Application Control
Prevent unauthorised programs from executing. At ML2, application control must be applied to all user workstations and to internet-facing servers, restricting executables, software libraries, scripts, installers, compiled HTML, HTML applications and control panel applets to an organisation-approved set. Microsoft's recommended application blocklist must be implemented, and allowed and blocked execution events must be logged centrally, protected from unauthorised modification or deletion, and analysed in a timely manner.
Application control applied to all workstations and internet-facing servers; Microsoft recommended blocklist in place; allowed and blocked execution events centrally logged and reviewed.
Patch Applications
Apply patches, updates or vendor mitigations for vulnerabilities in online services within two weeks of release, or within 48 hours when a working exploit exists. The same two-week window applies to office productivity suites, web browsers and their extensions, email clients, PDF software and security products; other applications must be patched within one month. At ML2, a vulnerability scanner must run at least daily against online services, at least weekly against the other listed application types, and at least fortnightly against everything else, and any of the listed application types that are no longer vendor-supported must be removed.
Exploited vulnerabilities in online services patched within 48 hours; two weeks for online services, browsers, office suites, email clients, PDF software and security products; one month for other applications; regular vulnerability scanning; unsupported applications removed.
Configure Microsoft Office Macro Settings
Disable macros for users without a demonstrated business requirement and block macros in files obtained from the internet. At ML2, macros must additionally be blocked from making Win32 API calls, Office macro security settings must be locked so users cannot change them, and allowed and blocked macro execution events must be logged centrally and reviewed. Restricting execution to macros from a Trusted Location or signed by a trusted publisher is an ML3 requirement, though it is a sensible target.
Internet-sourced macros blocked; macros disabled where there is no business need; Win32 API calls from macros blocked; settings locked; macro execution events centrally logged.
User Application Hardening
Configure web browsers so they do not process Java or web advertisements from the internet, and disable or remove Internet Explorer 11. At ML2, Microsoft Office must be blocked from creating child processes, creating executable content and injecting code into other processes, activation of OLE packages must be prevented, PDF software must be blocked from creating child processes, .NET Framework 3.5 and Windows PowerShell 2.0 must be disabled or removed, PowerShell must run in Constrained Language Mode, command-line process creation and PowerShell script block events must be logged centrally, and browser, Office and PDF security settings must be locked so users cannot change them.
Java and web ads blocked in browsers; Office, PDF and PowerShell hardened; legacy .NET and PowerShell 2.0 removed; hardening settings locked and applied consistently across all endpoints.
Restrict Administrative Privileges
Limit privileged access to users who need it for their role, validate each request when it is first granted, and automatically disable privileged access after 12 months unless revalidated or after 45 days of inactivity. At ML2, privileged users must use separate privileged and unprivileged operating environments, privileged accounts (other than explicitly identified privileged service accounts) must not access the internet, email or web services, administrative activities must be conducted through jump servers, privileged credentials must be long, unique, unpredictable and managed, and privileged access events must be logged centrally. Dedicated secure admin workstations (PAWs) are an ML3 requirement, but they are one way to provide the separate privileged environment ML2 demands.
Privileged accounts used only for administrative tasks from a separate privileged environment via jump servers; no internet, email or web browsing on admin accounts; unused privileged access disabled; privileged access events centrally logged.
Patch Operating Systems
Apply patches for vulnerabilities in internet-facing servers and network devices within two weeks of release, or within 48 hours when a working exploit exists; workstations, non-internet-facing servers and non-internet-facing network devices must be patched within one month. At ML2, an automated asset discovery process must run at least fortnightly, and a vulnerability scanner must run at least daily against internet-facing systems and at least fortnightly against the rest. Operating systems that are no longer vendor-supported must be replaced.
Exploited vulnerabilities in internet-facing systems patched within 48 hours, two weeks otherwise; one month for internal systems; automated asset discovery and vulnerability scanning; unsupported OS versions removed from production.
Multi-Factor Authentication (MFA)
Require MFA for users of your organisation's online services that handle sensitive data, for users of third-party online services, and for both privileged and unprivileged users of systems. At ML2, the MFA used for users of systems and of online services must be phishing-resistant (for example FIDO2 security keys, smart cards or device-bound passkeys; SMS and push-approval codes do not qualify), must combine something users have with something they know or are, and successful and unsuccessful MFA events must be logged centrally. Remote access such as VPN and remote desktop gateways falls within this, but the requirement is not limited to remote access.
MFA for all users of systems and online services, privileged and unprivileged; phishing-resistant methods required; MFA events centrally logged.
Regular Backups
Maintain backups of data, applications and settings, performed and retained in line with business criticality and business continuity requirements, synchronised so that a common point in time can be restored, and stored securely and resiliently. Restoration must be tested as part of disaster recovery exercises. At ML2, unprivileged accounts must be unable to access other accounts' backups or to modify or delete any backup, and privileged accounts other than backup administrators must be unable to access other accounts' backups or to modify or delete them. Immutable or offline copies are the usual way to satisfy that requirement; the Essential Eight does not prescribe a fixed retention period, so document the one your business continuity plan sets.
Backups of data, applications and settings retained per business continuity requirements; restoration tested in DR exercises; backups protected from modification or deletion by all but backup administrators.
The 107-Question Cyber Security Questionnaire
DISP assesses your Essential Eight posture using the Cyber Security Questionnaire (CSQ). Part B of the CSQ contains 107 ML2-aligned control questions covering all eight mitigation strategies. This questionnaire is completed during the initial application process as part of the Entry Level Assessment (ELA) and is revisited annually as part of the Annual Security Report (ASR) cycle.
The CSQ is not a pass/fail test. It is a structured self-assessment that produces a maturity profile across all eight strategies. Where gaps are identified, DISP issues a Maturity Action Plan (MAP) that documents the remediation steps required and the timeframe within which they must be completed. New applicants who cannot yet demonstrate full ML2 are placed in an uplift program — meaning you do not need to achieve ML2 before submitting your application, but you must have a credible, documented plan to get there.
Existing DISP members who have not yet achieved full ML2 across all eight strategies should treat the 2026 ASR cycle as a hard deadline. The Annual Security Report is a self-attestation of compliance submitted on the anniversary of your DISP membership certificate via the DISP Member Portal. Reporting a maturity level below ML2 in the 2026 ASR cycle will trigger a remediation requirement and potentially affect your membership status.
The Three DISP Cyber Assessment Types
DISP uses three distinct assessment mechanisms to evaluate and maintain cyber security compliance across its membership base. Understanding which assessment applies to your organisation at any given time is important for planning your compliance activities.
Entry Level Assessment (ELA)
Conducted during the application process. Includes a documentation review, phone interview with your Chief Security Officer or Security Officer, and completion of the Cyber Security Questionnaire (CSQ). The ELA establishes your baseline maturity profile.
Ongoing Suitability Assessment (OSA)
A desktop audit conducted periodically to verify that your security posture remains compliant with DISP requirements. The OSA reviews your Annual Security Report, governance documentation, and evidence of continued E8 ML2 compliance.
Deep Dive Audit (DDA)
A detailed, evidence-based assessment that may include site visits and technical testing. The DDA is typically triggered by a significant change in your organisation's risk profile, a security incident, or as part of a higher-level membership application.
Does ISO 27001 Replace the E8 ML2 Requirement?
This is one of the most common misconceptions among organisations preparing for DISP membership. ISO/IEC 27001:2022, NIST SP 800-171, and UK Def Stan 05-138 are all recognised information security frameworks that can help demonstrate aspects of your security posture. However, none of them replace the Essential Eight ML2 requirement.
DISP specifically mandates the ASD Essential Eight framework at Maturity Level 2. ISO 27001 certification demonstrates that you have an Information Security Management System (ISMS) in place, but it does not map directly to the technical controls required by the Essential Eight. An organisation can be ISO 27001 certified and still fail to meet E8 ML2 requirements — particularly in areas such as application control, macro settings, and phishing-resistant MFA. If you hold ISO 27001 certification, it will be noted positively during your DISP assessment, but you will still need to complete the CSQ and demonstrate ML2 compliance across all eight strategies.
Preparing for Your 2026 Annual Security Report
The Annual Security Report (ASR) is your organisation's annual self-attestation of DISP compliance. It is submitted via the DISP Member Portal on the anniversary of your membership certificate. For the 2026 ASR cycle, all members must be able to demonstrate full E8 ML2 compliance across all eight strategies.
Preparing for your ASR requires more than completing the questionnaire. You need documented evidence of your controls — configuration baselines, patch management records, MFA deployment logs, backup test results, and privileged access reviews. DISP assessors may request this evidence during an Ongoing Suitability Assessment or Deep Dive Audit, and the quality of your documentation will directly affect the outcome of those assessments.
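The strategies above and the evidence list here are easier to satisfy when evidence is collected the same way every time. The script below is an added example, not DISP, ASD or CSQ material: it samples a few ML2 controls on a single Windows endpoint (Defender ASR rules for Office and PDF hardening, Office macro policy, AppLocker enforcement, PowerShell hardening, local administrators, recent patches) and writes a timestamped JSON file you can attach to your records. It assumes Microsoft 365 Apps or Office 2016+ (registry version key 16.0), Microsoft Defender Antivirus, AppLocker for application control, and an output folder of C:\E8Evidence; all of those are assumptions, not requirements stated on this page. Run it elevated; it only reads configuration and writes the JSON file.

```powershell
<#
  Added example for ML2 evidence collection (not DISP/ASD material).
  Assumptions: Office 16.0 policy keys, Defender ASR, AppLocker, C:\E8Evidence.
  Read-only apart from the JSON evidence file. Run from an elevated session.
#>
$ErrorActionPreference = 'SilentlyContinue'
$OutDir = 'C:\E8Evidence'   # assumed evidence folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, so a missing policy shows up as a gap
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# Defender ASR rules that implement the ML2 macro and Office/PDF hardening requirements
$AsrRules = @{
    'D4F940AB-401B-4EFC-AADC-AD5F3C50688A' = 'Block Office applications from creating child processes'
    '3B576869-A4EC-4529-8536-B80A7769E899' = 'Block Office applications from creating executable content'
    '75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84' = 'Block Office applications from injecting code into other processes'
    '92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B' = 'Block Win32 API calls from Office macros'
    '7674BA52-37EB-4A4F-A9A1-F0F9A1619A2C' = 'Block Adobe Reader from creating child processes'
}
$Mp      = Get-MpPreference
$Ids     = @($Mp.AttackSurfaceReductionRules_Ids | ForEach-Object { $_.ToUpperInvariant() })
$Actions = @($Mp.AttackSurfaceReductionRules_Actions)
$AsrStatus = foreach ($Id in $AsrRules.Keys) {
    $Idx = [array]::IndexOf($Ids, $Id)
    [pscustomobject]@{
        Rule   = $AsrRules[$Id]
        # 1 = Block, 2 = Audit, 0 = Disabled; absent = never configured
        Action = if ($Idx -ge 0) { $Actions[$Idx] } else { 'NotConfigured' }
    }
}

# Office macro policy for the running user (HKCU policy keys are user-scoped GPO/Intune settings)
$MacroPolicy = foreach ($App in 'Word', 'Excel', 'PowerPoint') {
    $Key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$App\Security"
    [pscustomobject]@{
        Application             = $App
        BlockMacrosFromInternet = Get-PolicyValue $Key 'blockcontentexecutionfrominternet'  # 1 = blocked
        VBAWarnings             = Get-PolicyValue $Key 'VBAWarnings'                        # 4 = disabled without notification
    }
}

# Application control: AppLocker service state and enforcement mode per rule collection
$AppLocker  = Get-AppLockerPolicy -Effective
$AppControl = [pscustomobject]@{
    AppIDSvc        = (Get-Service -Name AppIDSvc).Status
    RuleCollections = @($AppLocker.RuleCollections | ForEach-Object {
        [pscustomobject]@{ Type = $_.RuleCollectionType; Enforcement = $_.EnforcementMode; Rules = $_.Count }
    })
}

# User application hardening items that are cheap to evidence from the OS itself
$PsHardening = [pscustomobject]@{
    PowerShellV2Feature = (Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2).State  # expect Disabled
    NetFx3Feature       = (Get-WindowsOptionalFeature -Online -FeatureName NetFx3).State                        # expect Disabled
    ScriptBlockLogging  = Get-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'  # expect 1
}

# Privileged access and patch state, for the admin-review and patch-record evidence
$LocalAdmins = @(Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource, ObjectClass)
$Patches     = @(Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 10 HotFixID, InstalledOn)
$Os          = Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber

$Evidence = [pscustomobject]@{
    Host = $env:COMPUTERNAME; Collected = (Get-Date).ToString('o'); OS = $Os; Patches = $Patches
    AppControl = $AppControl; MacroPolicy = $MacroPolicy; AsrRules = $AsrStatus
    PsHardening = $PsHardening; LocalAdmins = $LocalAdmins
}
$File = Join-Path $OutDir ('e8-evidence-{0}-{1:yyyyMMdd-HHmm}.json' -f $env:COMPUTERNAME, (Get-Date))
$Evidence | ConvertTo-Json -Depth 5 | Set-Content -Path $File -Encoding UTF8

# Console gap summary; the JSON file is the artefact you keep for the ASR
$Gaps = @()
$AsrStatus   | Where-Object { $_.Action -ne 1 }                  | ForEach-Object { $Gaps += "ASR rule not in Block mode: $($_.Rule)" }
$MacroPolicy | Where-Object { $_.BlockMacrosFromInternet -ne 1 } | ForEach-Object { $Gaps += "Internet macros not blocked by policy: $($_.Application)" }
if ($PsHardening.PowerShellV2Feature -ne 'Disabled') { $Gaps += 'PowerShell 2.0 engine not disabled (or feature state unreadable)' }
if ($PsHardening.NetFx3Feature -ne 'Disabled')       { $Gaps += '.NET Framework 3.5 not disabled (or feature state unreadable)' }
if ($PsHardening.ScriptBlockLogging -ne 1)           { $Gaps += 'PowerShell script block logging not enforced by policy' }
if ($AppControl.AppIDSvc -ne 'Running')              { $Gaps += 'AppLocker service (AppIDSvc) not running' }
Write-Output "Evidence written to $File"
if ($Gaps) { $Gaps | ForEach-Object { Write-Output "GAP: $_" } } else { Write-Output 'No gaps in the sampled checks' }
```

Run it on a representative sample of workstations and on every internet-facing server, keep the JSON files with the collection date, and re-run after each remediation so the before and after states are both on record. The checks here are a sample rather than the full 107-question set: central log collection, jump-server use and backup protection, for instance, have to be evidenced from the SIEM, the bastion and the backup platform rather than from an endpoint.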
Organisations that have not yet achieved full ML2 should begin their uplift work immediately. The most common gaps identified in DISP assessments are phishing-resistant MFA for privileged accounts, application control on servers, and immutable backup storage. These are not quick fixes — they require infrastructure changes, policy updates, and staff training. Starting early gives you the time to implement controls properly and gather the evidence needed to support your ASR.