The DISP Rejection Rate Nobody Talks About
The Defence Industry Security Program (DISP) is the gateway to working with the Australian Department of Defence. Without DISP membership, your organisation cannot access classified contracts, participate in AUKUS supply chains, or bid on the majority of prime contractor opportunities.
What most organisations don't know is that approximately 67% of DISP applications are rejected or returned for significant rework before they are accepted. That's not a rumour — it's a pattern we see consistently across the applications we review and support.
The reasons for rejection are almost always the same. And almost all of them are avoidable.
The Five Most Common Reasons DISP Applications Fail
1. Inadequate Security Risk Management Plans (SRMPs)
The Security Risk Management Plan is the centrepiece of your DISP application. It must demonstrate that your organisation has identified, assessed, and mitigated security risks across personnel, physical, ICT, and information domains. Most rejected applications either submit a generic template with minimal customisation, fail to address all four security domains, or cannot demonstrate that the SRMP has been reviewed and approved by senior leadership.
Defence assessors are experienced. They can identify a copy-paste SRMP immediately. Your plan must reflect your actual business, your actual facilities, and your actual risk environment.
2. Personnel Security Gaps
DISP requires that key personnel — particularly your Facility Security Officer (FSO) and anyone accessing classified material — hold appropriate security clearances or have clearances in progress. Applications frequently fail because organisations nominate an FSO who does not yet hold a clearance, or because they cannot demonstrate that all personnel with access to OFFICIAL: Sensitive or above material have been appropriately vetted.
Clearance processing times have extended significantly in recent years. If you are planning a DISP application, initiate clearance requests for key personnel at least six months in advance.
3. ICT Security That Doesn't Meet the Baseline
The Essential Eight Maturity Model is not optional for DISP applicants. Defence expects applicants to demonstrate progress toward Essential Eight Maturity Level 2 across all eight controls. The most common gaps are in application control, patching cadence, and multi-factor authentication coverage.
Many SMEs apply for DISP believing their existing IT setup is "good enough." It rarely is. A formal Essential Eight assessment against the ACSC guidance — not a self-assessment — is the minimum credible evidence base for your application.
4. Physical Security That Doesn't Match the Membership Level
DISP has four membership levels, each with progressively stricter physical security requirements. Level 1 requires a lockable, access-controlled area for sensitive material. Level 2 and above require certified security containers, alarm systems, and in some cases SCIF-equivalent environments.
Applications are rejected when the physical security described in the SRMP does not match the membership level being sought, or when applicants cannot provide evidence (photographs, floor plans, alarm certification) to support their claims.
5. Incomplete or Inconsistent Evidence Packages
The DISP application is not a form — it is an evidence submission. Every claim in your SRMP must be supported by documented evidence: policies, procedures, training records, system configurations, and physical security certifications. Applications that make claims without evidence, or where the evidence contradicts the claims, are returned immediately.
A common failure point is the gap between what an organisation's policies say and what actually happens in practice. If your Acceptable Use Policy says all staff complete annual security awareness training but you cannot produce training records, that inconsistency will be identified.
What a Successful DISP Application Looks Like
Successful applications share several characteristics. They are specific — they describe the actual organisation, not a generic defence contractor. They are evidenced — every control is supported by documentation. They are honest about gaps — where controls are not yet fully implemented, the application describes a credible remediation timeline. And they are internally consistent — the SRMP, the evidence package, and the membership level sought all tell the same story.
Organisations that work with experienced DISP consultants before submitting — rather than after receiving a rejection — consistently achieve first-time acceptance rates significantly above the industry average.
The Cost of Getting It Wrong
A rejected DISP application is not just a setback. It delays your ability to pursue classified contracts, damages your credibility with prime contractors who may have been expecting your DISP membership, and requires you to restart significant portions of the application process. In a competitive defence market, a six-month delay can mean losing a contract opportunity entirely.
The 67% rejection rate is not inevitable. With the right preparation, the right evidence, and the right guidance, DISP membership is achievable for most organisations that genuinely need it.
How Serious Defence Can Help
DISPath is our DISP readiness consulting service, designed specifically to address the gaps that cause applications to fail. We conduct a structured gap analysis against DISP requirements, help you build a credible SRMP, prepare your evidence package, and guide you through the submission process.
If you are preparing a DISP application — or if you have already received a rejection — contact us to discuss how we can help you achieve membership with less confusion and rework.