DISP COMPLIANCE FOR DEFENCE SUBCONTRACTORS
Australian defence subcontractors working under prime contractors in CASG, AUKUS, or classified Defence programs must hold their own DISP membership. Your prime contractor's accreditation does not cover your organisation — DISP obligations flow down through the supply chain and each entity must be independently accredited.

SUBCONTRACTOR DISP REQUIREMENTS
Prime contractors flow DISP obligations down to subcontractors via contract clauses — if your prime is DISP-accredited, you likely need to be too
Access to PROTECTED or above classified information by subcontractor personnel requires DISP membership and appropriate security clearances
Typical timeline from gap assessment to DISP accreditation for subcontractors with no prior compliance program in place
All four DISP domains apply to subcontractors — governance, personnel, ICT, and physical security obligations cannot be delegated to the prime
THE COMPLIANCE IMPERATIVE
Why Subcontractors Cannot Rely on Their Prime's DISP Accreditation
One of the most common misconceptions in the Australian defence supply chain is that a subcontractor is covered by their prime contractor's DISP membership. This is incorrect. DISP membership is organisation-specific — it accredits a single legal entity against the DSPF. It does not extend to subsidiaries, related entities, or subcontractors, regardless of their relationship with the prime.
Prime contractors are required by DSVS to ensure that their subcontractors hold appropriate DISP membership before allowing them access to classified Defence information. This obligation is typically enforced through contract clauses that flow DISP requirements down through the supply chain. If your prime is DISP-accredited and your contract requires you to access classified information, you will almost certainly find a DISP obligation in your contract terms.
The Security Management Plan for a subcontractor is scoped to the specific classified information you access and the environments in which you operate. It does not need to replicate your prime's Security Plan — it needs to accurately describe your organisation's security controls for the work you perform under the contract.
The Essential Eight ML2 mandate applies to all systems you use to process, store, or transmit classified or sensitive Defence information — including systems used to receive deliverables from your prime, submit reports, or communicate with Defence personnel. For subcontractors, this typically means uplifting your existing IT environment rather than deploying a separate secure environment.
DISP DOMAINS FOR SUBCONTRACTORS
What DISP Requires From Your Organisation
Governance & Security Management
Personnel Security
ICT Security
Physical Security
THE SERIOUS DEFENCE PROCESS
From Gap to Certified in 90 Days
Subcontractor Gap Assessment
DISPulse maps your organisation against all four DISP domains with reference to your specific contract scope and the classified information you will access. You receive a prioritised remediation register within 5 business days.
Security Plan Development
DISPath consultants develop your Security Management Plan — scoped to your subcontractor role, the classified information you handle, and the physical and ICT environments in which you operate.
Application Preparation
DISPulse generates your complete DISP application package: Security Plan, personnel clearance register, and supporting evidence mapped to DSPF requirements and your contract obligations.
Ongoing Compliance
DISPulse monitors your posture continuously, triggers ASR generation annually, and alerts you to regulatory changes — keeping you compliant across the full term of your Defence contracts.
FREQUENTLY ASKED QUESTIONS
Subcontractor DISP Questions Answered
Does my prime contractor's DISP membership cover me as a subcontractor?
No. DISP membership is organisation-specific. Your prime contractor's accreditation does not extend to your organisation. If your contract requires you to access classified Defence information, you must hold your own DISP membership — regardless of your prime's accreditation status.
How do I know if my subcontract requires DISP membership?
Review your contract for clauses referencing the DSPF, DISP, or security obligations. If your contract requires you to access OFFICIAL: Sensitive or above information, operate in classified Defence facilities, or handle controlled unclassified information, DISP membership is almost certainly required. Contact Serious Defence for a contract review.
Can I apply for DISP as a small subcontractor with fewer than 10 staff?
Yes. DISP membership is available to organisations of all sizes. Small subcontractors often qualify for DISP Entry Level, which has lower compliance requirements than higher membership levels. The appropriate level depends on the classification of information you access and the nature of your Defence work.
SUBCONTRACTOR ASSESSMENT
Book Your DISP Gap Assessment
We assess your organisation against all four DISP domains scoped to your specific contract obligations.
FLOW-DOWN OBLIGATIONS
Your prime contractor's DISP membership does not cover your organisation. DISP obligations flow down through the supply chain — each entity must hold its own accreditation. Review your contract for DSPF or DISP clauses before assuming you are covered.
SERIOUS DEFENCE
Your DISP Application. Our Expertise.
Serious Defence has guided Australian subcontractors through DISP accreditation across CASG supply chains, AUKUS programs, and prime contractor relationships. We understand the unique compliance challenges of organisations that are new to the Defence sector.