The Four Letters That Define Defence Industry Access
If you are an Australian business that supplies goods or services to the Department of Defence — or aspires to — you will encounter four letters early and often: DISP. For many contractors, the acronym first appears buried in a tender requirement or dropped casually by a prime contractor. For others, it surfaces only after a contract has been won and the security obligations become clear. Either way, understanding DISP before you need it is one of the most valuable investments a defence-adjacent business can make.
This guide explains what DISP is, why it exists, who needs it, how the membership levels work, and what the significant 2025 cyber security changes mean for every entity in the defence supply chain.
What is DISP?
The Defence Industry Security Program (DISP) is an Australian Government initiative administered by the Defence Industry Security Branch (DISB) within the Department of Defence. Its purpose is to ensure that non-government organisations working with Defence — or handling Defence-related information, assets, or systems — have the right security controls in place to protect Australia's national interests.
DISP is underpinned by Principle 16 of the Defence Security Principles Framework (DSPF), specifically Control 16.1, which sets out the security requirements that industry entities must meet to obtain and maintain membership. It is not a one-off certification or a document you file away. It is an ongoing security relationship between your organisation and Defence, with active assurance, annual self-attestation, and periodic audits.
In plain terms: DISP is how Defence decides whether it can trust your organisation with sensitive work. It is the gateway to the defence supply chain.
Who Needs DISP Membership?
DISP membership is open to any Australian entity seeking to participate in the defence industry supply chain. While membership is not mandated in every circumstance, it is effectively required for any organisation that:
- Provides goods or services directly to the Department of Defence
- Supports a prime contractor or subcontractor on a Defence project
- Handles, stores, or transmits Defence-related information or assets
- Operates facilities, systems, or networks connected to Defence capability
- Participates in Defence-funded programs, grants, or research
- Requires its personnel to hold Australian Government security clearances
Critically, DISP membership is increasingly being written into contract requirements by Defence primes — even where Defence itself has not mandated it. If you are a second- or third-tier supplier to a major defence contractor, you may find DISP membership is a condition of engagement, not a choice.
It is also worth noting that DISP membership does not guarantee Defence contracts. Procurement still follows standard government processes. What DISP does is establish your organisation as a credible, security-mature partner — which increasingly determines whether you are invited to tender at all.
The Four Security Domains
DISP assesses organisations across four interconnected security domains. A weakness in any one area can expose risk across the others, which is why Defence takes an integrated view rather than treating each domain in isolation.
1. Governance
Governance is the foundation. Defence wants to see that security is owned at the leadership level — not delegated entirely to an IT team or treated as a compliance checkbox. This means documented security policies and procedures, clear accountability structures, a named Security Officer (SO) and Chief Security Officer (CSO), risk-based decision-making processes, and evidence that security is actively managed and reviewed rather than passively written into a document that sits on a shelf.
The governance domain answers a fundamental question: Does this organisation take security seriously at the leadership level?
2. Personnel Security
Personnel security focuses on who has access to Defence-related information, systems, and facilities. It covers the identification of key, relevant, and ancillary personnel; appropriate security clearances where required; processes for onboarding, offboarding, and role changes; and individual accountability for security obligations.
One of the most misunderstood aspects of DISP is that personnel security is not just about clearance levels. It is about trust and control across your entire workforce — including contractors, subcontractors, and third-party service providers who may have incidental access to Defence-related environments.
3. Physical Security
Physical security protects the facilities, assets, and environments where Defence-related work takes place. Depending on your scope of work, this may include your office locations, data centres or technical environments, storage of sensitive material, visitor management, and access control systems.
Defence expects physical security controls to match the actual risk profile of your operations. A software consultancy working remotely on an unclassified project has a very different physical security profile to a manufacturer storing controlled technical data on-site. The controls must be proportionate and demonstrably effective.
4. Information and Cyber Security
This domain covers how Defence-related information is created, stored, accessed, transmitted, and protected. It includes information classification and handling procedures, ICT and system security, cyber controls and incident response capability, and alignment with Defence security expectations.
As of November 2025, this domain has undergone the most significant change in DISP's history — and it is the domain that is catching the most organisations off-guard.
The Four Membership Levels
DISP is a multi-level membership program. Organisations are assessed against membership levels that reflect their exposure, responsibilities, and the sensitivity of the work they undertake with Defence. There is no single correct level — the right level depends on your business reality and your Defence ambitions.
| Level | Classification Access | Typical Use Case |
|---|---|---|
| Entry | Unclassified / OFFICIAL | Early engagement with Defence; no classified information handling |
| Level 1 | Up to PROTECTED | System integrators, cyber vendors, managed service providers |
| Level 2 | Up to SECRET | Critical infrastructure, advanced managed services, sensitive projects |
| Level 3 | TOP SECRET and above | High-assurance projects, cleared defence primes, intelligence-adjacent work |
Each level requires progressively stronger controls across all four security domains. Entry Level is the baseline — it demonstrates a foundational security posture and is appropriate for organisations that do not yet handle classified information. Level 1 is where most SMEs and technology vendors begin their serious defence engagement. Levels 2 and 3 are reserved for organisations with deep, ongoing involvement in sensitive Defence capability programs.
One of the most common mistakes organisations make is aiming too high, too early — or worse, aiming blindly without understanding what each level actually requires. The right approach is to define a target DISP profile that matches your current business reality and your realistic Defence ambitions over the next two to three years.
It is also important to note that Entry Level membership does not allow an organisation to sponsor security clearances for its personnel. That capability begins at Level 1, which is a significant practical consideration for any organisation whose Defence work requires cleared staff.
The 2025 Essential Eight Uplift: What Changed and Why It Matters
On 15 November 2025, the most significant change to DISP's cyber security requirements in the program's history took effect. All DISP members — regardless of membership level — are now required to achieve and maintain compliance with the full Essential Eight at Maturity Level 2 (ML2).
Prior to this date, DISP had been progressively rolling out the Essential Eight requirement, starting with the top four mitigation strategies. The November 2025 deadline extended this to all eight strategies at ML2 — with no exceptions and no grandfathering for existing members.
The Essential Eight is a set of eight cyber security mitigation strategies developed by the Australian Signals Directorate (ASD). At Maturity Level 2, organisations must demonstrate:
- Application control — preventing unapproved software from executing
- Patch applications — applying patches within 48 hours for internet-facing services, two weeks for others
- Configure Microsoft Office macro settings — blocking macros from the internet
- User application hardening — disabling Flash, ads, and Java in browsers
- Restrict administrative privileges — limiting admin access to those who genuinely need it
- Patch operating systems — keeping OS patches current within defined timeframes
- Multi-factor authentication (MFA) — enforcing MFA for all users accessing important data systems
- Regular backups — maintaining tested, offline backups of critical data
The DISP Cyber Security Questionnaire (CSQ) now includes Part B with 107 controls aligned to the full Essential Eight at ML2. Organisations applying for DISP membership — or renewing through their Annual Security Report — must complete this questionnaire. Where gaps are identified, DISP's Cyber Team will work with the entity to develop a maturity action plan, but the expectation is that ML2 is achieved and maintained.
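To make the patching and MFA expectations above concrete, here is an added example (not code from Defence, DISP or the CSQ) of a simple pre-check a security officer could run over an asset inventory before completing Part B. It applies the 48-hour and two-week patch windows exactly as the list above states them, and the asset records, field names and the `assess` function are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Patch windows as the Essential Eight list above states them for ML2.
# Simplified for illustration; confirm against ASD's maturity model text.
PATCH_WINDOWS = {
    True: timedelta(hours=48),   # internet-facing services
    False: timedelta(days=14),   # everything else
}

# Constructed sample inventory for this example only, not real data.
SAMPLE_ASSETS = [
    {"name": "customer-portal", "internet_facing": True,
     "patch_released": "2025-11-10T09:00", "patched_at": "2025-11-11T15:00", "mfa_enforced": True},
    {"name": "vpn-gateway", "internet_facing": True,
     "patch_released": "2025-11-10T09:00", "patched_at": None, "mfa_enforced": False},
    {"name": "finance-app", "internet_facing": False,
     "patch_released": "2025-10-20T09:00", "patched_at": "2025-11-06T10:00", "mfa_enforced": True},
    {"name": "cad-server", "internet_facing": False,
     "patch_released": "2025-11-01T09:00", "patched_at": None, "mfa_enforced": True},
]

def _ts(value):
    """Parse an ISO-8601 timestamp string; None stays None."""
    return datetime.fromisoformat(value) if value else None

def patch_finding(asset, now):
    """Return a gap description if the asset missed its patch window, else None."""
    deadline = _ts(asset["patch_released"]) + PATCH_WINDOWS[asset["internet_facing"]]
    patched = _ts(asset["patched_at"])
    if patched is not None and patched <= deadline:
        return None                      # patched in time
    if patched is None and now <= deadline:
        return None                      # still inside the window
    state = "unpatched" if patched is None else f"patched {patched.isoformat()}"
    return f"{asset['name']}: patch deadline {deadline.isoformat()} missed ({state})"

def assess(assets, now_iso):
    """Collect (control, detail) gaps a CSQ Part B pre-check would surface."""
    now = _ts(now_iso)
    findings = []
    for asset in assets:
        gap = patch_finding(asset, now)
        if gap:
            findings.append(("patch", gap))
        if not asset["mfa_enforced"]:
            findings.append(("mfa", f"{asset['name']}: MFA not enforced"))
    return findings

if __name__ == "__main__":
    for control, detail in assess(SAMPLE_ASSETS, "2025-11-15T00:00"):
        print(f"[{control}] {detail}")
```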
For 2026, the trajectory continues. Level 1 attestation is expected to be tied to defence procurement processes, meaning that demonstrating DISP Level 1 compliance — including full Essential Eight ML2 — will become a procurement gate rather than a post-award obligation.
The Application Process
DISP applications are submitted and managed through the DISP Member Portal. The process begins with an Entry Level Assessment (ELA), which is a security governance assessment conducted as part of the application to ensure the entity meets the requirements of the membership level requested.
The ELA process includes three components: a review of security documentation, a phone interview with the nominated Security Officer and Chief Security Officer, and completion of the Cyber Security Questionnaire. Any gaps identified during the ELA must be addressed before DISP membership is granted.
DISP membership itself carries no fee. However, the costs of implementing and maintaining the required security controls can be substantial. Facility certification and accreditation, personnel security clearances, physical security measures, and the technical uplift required to achieve Essential Eight ML2 all represent real investment. For many SMEs, this is where the journey becomes challenging without specialist support.
Once membership is granted, it must be actively maintained. This includes submitting an Annual Security Report (ASR) — a self-attestation of compliance — on the anniversary of the membership certificate. DISP also conducts Ongoing Suitability Assessments (OSAs) and Deep Dive Audits (DDAs) on a risk-based selection basis. These are not punitive exercises; they are collaborative reviews designed to identify gaps and support uplift.
The Benefits of DISP Membership
Beyond the compliance obligation, DISP membership delivers tangible commercial and operational benefits:
- Access to Defence security services — including security advice, training materials, and cyber security guidance that is not available to non-members
- Ability to sponsor security clearances — essential for any organisation whose Defence work requires cleared personnel (Level 1 and above)
- Greater access to international contracts — DISP membership is recognised by international Defence partners, including through AUKUS arrangements, opening doors to Five Eyes supply chain opportunities
- Improved security posture — the discipline of meeting DISP requirements strengthens an organisation's overall security operating environment, reducing risk beyond the Defence context
- Competitive differentiation — as DISP becomes more widely mandated, membership increasingly separates credible defence industry participants from those who are not yet ready
Common Misconceptions
"DISP is just a certification." It is not. DISP is an ongoing membership with active obligations — annual reporting, assurance activities, and the requirement to implement uplift recommendations within agreed timeframes. Treating it as a one-time certification is one of the fastest ways to lose membership.
"We only need Entry Level because we don't handle classified information." Entry Level is appropriate for many organisations, but it still requires demonstrating governance, personnel, physical, and cyber security controls — including the full Essential Eight at ML2. Entry Level is not a light-touch option.
"DISP membership guarantees us Defence contracts." It does not. DISP membership is a prerequisite for participation in the supply chain, not a guarantee of work. Procurement still follows standard government processes.
"We can sort out DISP after we win the contract." This is the most expensive misconception. DISP membership takes time — the ELA process, gap remediation, and cyber uplift can take months. Starting after a contract is awarded creates delivery risk and can damage the relationship with the prime or Defence customer before it has begun.
Where to Start
The most important first step is an honest assessment of where your organisation currently sits across the four security domains. Not where you aspire to be — where you actually are today. That gap analysis determines your realistic path to the appropriate membership level, the investment required, and the timeline you need to plan for.
For most organisations entering the defence supply chain for the first time, the journey to Entry Level or Level 1 DISP membership takes between three and nine months, depending on the maturity of existing security controls and the complexity of the Essential Eight uplift required.
The organisations that navigate this most effectively are those that treat DISP not as a compliance burden but as a strategic investment — one that opens access to one of Australia's most significant and growing procurement markets, and that builds the security foundations required to operate credibly in an increasingly contested threat environment.
If you are ready to start that journey, or if you need an honest assessment of where your organisation stands today, speak to the Serious Defence team. We have guided organisations from initial gap analysis through to full DISP membership — and we understand what it actually takes to get there.