
[UPDATED 2026] DISP MEMBERSHIP REQUIREMENTS

DISP REQUIREMENTS 2026

The October 2024 Essential Eight ML2 mandate has fundamentally changed what DISP membership requires. This guide covers every updated obligation — personnel clearances, physical security, information security, and the 2026 Annual Security Report cycle.

  • Mandate Date: Oct 2024 (E8 ML2 Effective)
  • Controls Required: 8 (All at ML2)
  • DSPF Domains: 4 (All Required)
  • ASR Cycle: Annual (2025–2026)

[SECTION 01]

What Changed in 2026

Critical

The Oct 2024 E8 ML2 mandate is the most significant change to DISP requirements since the program's inception. Organisations that have not completed the uplift are currently non-compliant.

Oct 2024

E8 ML2 Mandate

Essential Eight ML2 Now Mandatory

DISO mandated Essential Eight Maturity Level 2 across all eight controls for DISP members handling PROTECTED information. The previous Top 4 baseline is no longer sufficient. All eight controls must reach ML2: user application hardening, restrict admin privileges, patch operating systems, multi-factor authentication, regular backups, application control, patch applications, and configure Microsoft Office macros.

Nov 2025

Top 4 Sunset

Top 4 Compliance Sunset

The legacy Top 4 compliance pathway was formally retired. Organisations that had been maintaining only the Top 4 controls at ML2 were required to uplift the remaining four controls to ML2 by this date. DISO began issuing non-compliance notices to members who had not completed the uplift.

2025–2026

ASR Cycle

Updated Annual Security Report Requirements

The 2025–2026 ASR cycle introduced enhanced self-assessment requirements. Members must now provide evidence of Essential Eight ML2 compliance, confirm clearance currency for CSO and SO, report any DSPF-reportable incidents from the preceding 12 months, and attest to the accuracy of their Security Plan.

2026

AUKUS Alignment

AUKUS Pillar II Supply Chain Requirements

Companies seeking AUKUS Pillar II contracts face additional requirements beyond standard DISP, including alignment with CMMC 2.0 Level 2 for US-origin controlled technical information (CTI), ITAR compliance for US-origin defence articles, and enhanced supply chain security obligations under the AUKUS Industrial Base Framework.

[SECTION 02]

2026 Requirements by Domain

DISO assesses compliance across all four DSPF domains simultaneously. Weakness in any single domain is sufficient grounds for rejection or non-renewal.

01

Personnel Security

  • CSO and SO must hold current AGSVA clearances at or above the membership tier
  • All personnel accessing classified information must hold appropriate clearances
  • Clearance sponsorship obligations must be maintained for all cleared personnel
  • Insider threat awareness training must be current for all cleared staff

02

Physical Security

  • Facility must be accredited by DISO for the classification level of work
  • Secure areas must meet DSPF physical security standards
  • Visitor management procedures must be documented and operational
  • Security infrastructure (alarms, access control, CCTV) must be certified

03

Information Security

  • Essential Eight ML2 across all eight controls (mandatory from Oct 2024)
  • IRAP assessment by ASD-certified assessor required
  • ICT systems handling PROTECTED information must be accredited
  • Incident reporting within 72 hours of discovery to DISO and ASD

04

Industrial Security

  • Security Plan must address all four DSPF domains
  • Supply chain security obligations documented and implemented
  • Subcontractor security requirements flowed down in contracts
  • Annual Security Report submitted on time each compliance cycle

[SECTION 03]

Essential Eight ML2 in 2026

Previous Requirement: Top 4 Controls at ML2

2026 Requirement: All 8 Controls at ML2

The October 2024 mandate requires all eight Essential Eight controls to reach Maturity Level 2 for DISP members whose ICT systems handle PROTECTED or above information. ML2 means the control is implemented consistently across all systems, not just on a best-effort basis. Each control must be verified by an ASD-certified IRAP assessor.

  • E8-01: Application Control (Was Top 4)
  • E8-02: Patch Applications (Was Top 4)
  • E8-03: Configure MS Office Macros (Was Top 4)
  • E8-04: User Application Hardening (Was Top 4)
  • E8-05: Restrict Admin Privileges (New ML2 Req)
  • E8-06: Patch Operating Systems (New ML2 Req)
  • E8-07: Multi-Factor Authentication (New ML2 Req)
  • E8-08: Regular Backups (New ML2 Req)


[SECTION 04]

Annual Security Report 2026

The ASR is not optional. Late or incomplete submissions result in compliance notices and potential membership suspension. DISPulse automates the entire ASR workflow.

Every current DISP member must submit an Annual Security Report (ASR) to DISO confirming ongoing compliance with all DSPF obligations. The 2025–2026 ASR cycle is the first to require explicit attestation of Essential Eight ML2 compliance across all eight controls.

Personnel Clearance Confirmation

Confirm CSO and SO clearances are current. List all cleared personnel and their clearance levels. Report any clearance suspensions or lapses during the reporting period.

Essential Eight ML2 Attestation

Attest to ML2 compliance across all eight controls for all in-scope ICT systems. Provide IRAP assessment reference or confirm assessment is current within the required timeframe.

Incident Reporting

Report all DSPF-reportable security incidents from the preceding 12 months, including any cyber incidents, physical security breaches, or personnel security concerns.

Security Plan Currency

Attest that the Security Plan accurately reflects current operations, personnel, facilities, and ICT systems. Submit updated plan if material changes have occurred.

[SECTION 05]

Why Applications Fail in 2026

Most Common: 67% of first-attempt applications are returned due to E8 ML2 gaps

01

Essential Eight ML2 Gaps

The most common failure in 2026. Organisations that achieved ML2 on the Top 4 controls but have not uplifted the remaining four controls (restrict admin privileges, patch operating systems, MFA, regular backups) are non-compliant. DISO will not approve applications or renew memberships without full ML2 across all eight controls.

02

CSO or SO Clearance Lapsed

AGSVA clearances must remain current. If the CSO or SO clearance lapses or is suspended, the organisation is immediately non-compliant. Applications submitted without cleared CSO and SO personnel are returned without assessment.

03

Outdated Security Plan

The Security Plan must reflect current operations, personnel, and ICT systems. Plans that were written for the original application and not updated to reflect the Oct 2024 E8 ML2 mandate, new staff, or changed ICT systems will fail the DISO review.

04

Missing IRAP Assessment

An IRAP assessment is required to verify Essential Eight ML2 compliance. Self-assessments or vendor attestations are not accepted. The assessment must be conducted by an ASD-certified IRAP assessor and must cover all in-scope ICT systems.

05

Late or Incomplete ASR

Failure to submit the Annual Security Report on time, or submitting an incomplete ASR that does not address all four DSPF domains, results in a compliance notice and potential membership suspension.

[SECTION 06]

Frequently Asked Questions

5 questions covering the most common 2026 requirements queries

What are the DISP membership requirements in 2026?

In 2026, DISP membership requires compliance with the Defence Security Principles Framework (DSPF) across four domains: personnel security (AGSVA clearances for CSO and SO), physical security (facility accreditation), information security (Essential Eight ML2 for ICT systems handling PROTECTED information), and industrial security (supply chain obligations). The October 2024 Essential Eight Maturity Level 2 mandate is now fully in effect, replacing the previous Top 4 baseline.

What changed in DISP requirements between 2024 and 2026?

The most significant change was the October 2024 mandate requiring all DISP members handling PROTECTED information to achieve Essential Eight Maturity Level 2 (ML2) across all eight controls. Previously, only the Top 4 controls (application control, patch applications, configure Microsoft Office macros, user application hardening) were required. The 2025–2026 Annual Security Report cycle also introduced new self-assessment requirements and tighter evidence standards.

Is an IRAP assessment required for DISP in 2026?

Yes. An IRAP (Information Security Registered Assessors Program) assessment by an ASD-certified assessor is required to verify your ICT environment meets Essential Eight ML2 before DISO will approve your application. The assessment must cover all systems that process, store, or transmit PROTECTED or above information.

What is the Annual Security Report (ASR) requirement in 2026?

All current DISP members must submit an Annual Security Report (ASR) to DISO each year confirming ongoing compliance with DSPF obligations. The 2025–2026 ASR cycle requires members to self-assess against all four DSPF domains, report any security incidents, confirm clearance currency for CSO and SO, and attest to Essential Eight ML2 compliance for relevant ICT systems.

What clearances do CSO and SO need for DISP in 2026?

The Chief Security Officer (CSO) and Security Officer (SO) must hold AGSVA security clearances appropriate to the highest classification level the organisation will access. For Baseline membership, NV1 clearances are typically required for CSO and SO. For NV1 and NV2 membership levels, clearances must match or exceed the membership tier. Applications submitted without cleared CSO and SO personnel are returned immediately.

[NEXT STEP]

ARE YOU COMPLIANT WITH 2026 REQUIREMENTS?

The October 2024 E8 ML2 mandate is now fully in effect. If you haven't completed the uplift from Top 4 to all eight controls, you are currently non-compliant. DISPath provides a structured pathway from assessment to DISO approval.

3–6 months for Baseline with full E8 ML2 in place

CSO and SO clearances must be current before submission

ASR due annually — late submission triggers compliance notice

DISPulse automates ASR generation and E8 evidence collection