Overview: The Four DISP Membership Levels
DISP membership is structured around four levels that align directly with the Australian Government's security classification system. Each level grants access to a specific tier of classified information and requires progressively more stringent security controls across the four security domains: governance, personnel, physical, and ICT/cyber security.
An important feature of the DISP framework is that membership levels are assessed independently for each security domain. An organisation can hold Entry level for physical security while holding Level 1 for personnel security, for example. However, the governance domain level must always equal the highest level held in any other domain. This reflects the fact that governance underpins all other security activities.
Organisations only need one DISP membership regardless of the number of Defence contracts they hold. The membership level should reflect the highest classification of information the organisation needs to access across all its Defence work.
| Level | Classification Access | Clearance Sponsorship | Typical Applicant |
|---|---|---|---|
| Entry | OFFICIAL / OFFICIAL: Sensitive | Not available | SMEs, tech vendors, new defence entrants |
| Level 1 | PROTECTED | Baseline and NV1 | System integrators, MSPs, engineering firms |
| Level 2 | SECRET | NV1 and NV2 | Prime contractors, critical infrastructure providers |
| Level 3 | TOP SECRET | PV (Positive Vetting) | Highly sensitive Defence program participants |
Each Level in Detail
Entry
Most common starting point
Entry level is the baseline DISP membership tier, designed for organisations that work with unclassified Defence information. It is the most common starting point for SMEs and technology vendors entering the defence supply chain.
- Governance: Security Management Plan, Security Incident Response Plan, security awareness training, Annual Security Report
- Personnel: Employment screening aligned with AS 4811:2022; no security clearance sponsorship
- Physical Security: Basic physical security measures appropriate for OFFICIAL information handling
- ICT & Cyber: Essential Eight Maturity Level 2 (ML2) across all ICT corporate systems used to correspond with Defence; 107-question Cyber Security Questionnaire (CSQ)
Who typically applies for this level:
- Technology vendors supplying software or hardware to Defence
- Consultancies providing non-classified advisory services
- Organisations seeking to tender for Defence contracts for the first time
- Subcontractors working under a prime contractor's DISP umbrella
Level 1
Required for classified contracts
Level 1 is required for organisations that need to access PROTECTED information — the first tier of classified information in the Australian Government security classification system. Level 1 membership also enables organisations to sponsor Australian Government security clearances for their personnel.
- Governance: All Entry requirements plus enhanced security governance for PROTECTED information handling
- Personnel: AS 4811:2022 screening plus ability to sponsor Baseline and NV1 security clearances for relevant personnel
- Physical Security: Certified secure zone for handling PROTECTED information; ASIO zone certification required
- ICT & Cyber: All Entry cyber requirements; ICT systems handling PROTECTED information must meet additional ISM controls
Who typically applies for this level:
- System integrators and managed service providers with access to classified systems
- Engineering and technical services firms on classified Defence programs
- Organisations that need to sponsor security clearances for their staff
- Companies working on Defence capability programs involving PROTECTED information
Level 2
High-assurance requirement
Level 2 is required for organisations that need to access SECRET information. This level involves significantly more stringent requirements across all four security domains and is typically held by organisations deeply embedded in sensitive Defence programs.
- Governance: Comprehensive security governance framework with enhanced incident response and reporting obligations
- Personnel: Ability to sponsor NV1 and NV2 security clearances; enhanced personnel security management
- Physical Security: Certified secure zone for SECRET information; higher-grade physical security controls and ASIO certification
- ICT & Cyber: Enhanced ICT security controls for systems handling SECRET information; alignment with ISM controls for SECRET environments
Who typically applies for this level:
- Prime contractors on major Defence capability programs
- Organisations with access to sensitive intelligence-related information
- Critical infrastructure providers with classified Defence interfaces
- Managed security service providers handling SECRET Defence data
Level 3
Highest assurance level
Level 3 is the highest DISP membership tier, required for organisations that need to access TOP SECRET information. This level is held by a small number of organisations involved in the most sensitive Defence programs and requires the most comprehensive security posture across all four domains.
- Governance: Highest-level security governance with comprehensive assurance, reporting, and audit obligations
- Personnel: Ability to sponsor PV (Positive Vetting) security clearances; most stringent personnel security requirements
- Physical Security: Highest-grade secure zone certification; comprehensive physical security controls for TOP SECRET environments
- ICT & Cyber: Most stringent ICT security controls; full alignment with ISM requirements for TOP SECRET systems
Who typically applies for this level:
- Organisations working on the most sensitive national security programs
- Defence prime contractors with access to TOP SECRET capability information
- Entities involved in intelligence-related Defence programs
- AUKUS Pillar II participants requiring highest-level security accreditation
How to Choose the Right Level
The most reliable way to determine the correct DISP membership level is to review the security requirements specified in your current or upcoming Defence contract. Your Defence Contract Manager can provide a Notice of Engagement or letter of endorsement that specifies the minimum level required.
If you do not yet have a contract but are seeking to enter the defence supply chain, consider the nature of the information you are likely to handle. Organisations providing technology products or advisory services that do not involve classified information typically start at Entry level. Those seeking to work on classified programs, or who need to sponsor security clearances for their staff, should apply for Level 1 as a minimum.
DISP membership does not guarantee Defence contracts. Membership demonstrates that your organisation has the security posture required to participate in the defence supply chain, but contracts are still awarded through the usual procurement processes. Applying for a higher level than your contracts require adds cost and complexity without corresponding benefit.