DISP COMPLIANCE FOR SAAS COMPANIES
Australian SaaS companies supplying software to the Department of Defence, CASG, or intelligence agencies must hold current DISP membership. Without it, your platform cannot be evaluated for Defence procurement panels — regardless of its technical capability or security certifications.

DEFENCE PROCUREMENT REQUIREMENTS
Mandatory ASD cyber baseline for all SaaS platforms processing OFFICIAL: Sensitive or PROTECTED data
Of Defence software procurement panels require current DISP membership before vendor evaluation
Typical time to achieve DISP accreditation for a SaaS company without structured guidance
Export control obligations apply to SaaS platforms hosting US-origin defence technology data
THE COMPLIANCE IMPERATIVE
Why DISP Is Non-Negotiable for Australian SaaS Companies
The Defence Industry Security Program (DISP) applies to any organisation that accesses, stores, or processes classified or sensitive Defence information — including SaaS platforms that host Defence data, integrate with Defence systems, or are used by Defence personnel. DISP membership is a prerequisite for inclusion on Defence procurement panels, not a post-award requirement.
The Essential Eight Maturity Level 2 (E8ML2) mandate from the Australian Signals Directorate applies to all ICT systems processing OFFICIAL: Sensitive or PROTECTED information. For SaaS companies, this means your production environment, development pipelines, CI/CD infrastructure, and any systems that can access Defence data must meet all eight controls at ML2 — not just the "Top 4" that applied before November 2025.
Foreign ownership, control and influence (FOCI) is a critical consideration for SaaS companies with overseas investors, parent companies, or board members. DISP requires a FOCI assessment and, where foreign influence is identified, a mitigation plan that satisfies the Defence Security and Vetting Service (DSVS). This applies to VC-backed companies with foreign fund participation, not just wholly foreign-owned entities.
The Annual Security Report (ASR), submitted to DSVS each year, requires SaaS companies to demonstrate that all four DISP domains remain compliant. DISPulse generates your ASR automatically from continuous compliance monitoring data, eliminating the 3–6 month manual evidence collection process that causes most SaaS companies to submit late or incomplete reports.
ICT SECURITY MANDATE
Essential Eight ML2 for SaaS Platforms
The ASD's Essential Eight Maturity Level 2 is the minimum cyber security baseline for all DISP-accredited organisations. For SaaS companies, the eight controls apply across your entire technology stack — not just the customer-facing application layer.
Application control, patching applications, restricting Microsoft Office macros, user application hardening, multi-factor authentication, restricting administrative privileges, patching operating systems, and daily backups — all eight must be implemented at ML2 before your DISP application will be assessed.
E8 ML2 SCOPE FOR SAAS
DISP DOMAINS FOR SAAS
What DISP Requires From Your SaaS Operation
Governance & Risk Management
Personnel Security
ICT & Cloud Security
Physical Security
THE SERIOUS DEFENCE PROCESS
From Gap to Certified in 90 Days
DISP Readiness Assessment
DISPulse maps your SaaS architecture against all four DISP domains and E8ML2 controls. You receive a prioritised remediation register within 5 business days.
ICT Hardening
DISPath engineers implement E8ML2 controls across your cloud environment — patching cadence, MFA, application control, and privileged access management.
Application Preparation
DISPulse generates your complete DISP application package: Security Plan, personnel clearance register, and supporting evidence mapped to DSPF requirements.
Ongoing Compliance
DISPulse monitors your posture continuously, triggers ASR generation annually, and alerts you to regulatory changes across DISP, E8, and PSPF.
FOREIGN OWNERSHIP & INVESTMENT
FOCI Assessment for VC-Backed SaaS Companies
Foreign Ownership, Control and Influence (FOCI) is one of the most commonly misunderstood DISP requirements for SaaS companies. DISP does not prohibit foreign investment — it requires that foreign influence over security-relevant decisions is identified, assessed, and mitigated to a level acceptable to the Defence Security and Vetting Service (DSVS).
For VC-backed SaaS companies, FOCI assessment covers board composition, investor rights (particularly information rights, board observer rights, and veto rights over security-relevant decisions), and the nationality of key personnel with access to classified Defence data. Companies with US, UK, or Five Eyes-aligned investors typically face a lighter FOCI burden than those with investors from non-allied nations.
DISPath consultants conduct FOCI assessments and prepare the FOCI mitigation plan required by DSVS — including board resolution templates, security deed structures, and personnel access control frameworks that satisfy DISP requirements without requiring foreign investors to divest.
SAAS ASSESSMENT
Book Your DISP Gap Assessment
We assess your SaaS platform against all four DISP domains and E8ML2 controls. You receive a prioritised remediation register within 5 business days.
PROCUREMENT RISK ALERT
Defence procurement panels evaluate DISP membership status before technical assessment begins. A SaaS company without current DISP membership is excluded from evaluation — regardless of product capability or ISO 27001 certification.
SOLUTIONS FOR SAAS
SERIOUS DEFENCE
Your DISP Application.
Our Expertise.
Serious Defence has guided Australian SaaS companies through DISP accreditation across platforms including GRC software, data analytics, communications, and mission planning tools. We understand the intersection of cloud architecture, FOCI obligations, and DISP compliance in a way that generic IT consultants do not.