Are you working with the Defence industry or aiming to be part of the Defence supply chain? If so, it’s crucial to be aware of the recent changes in the Defence Industry Security Program (DISP) compliance requirements.
Late last year, the Department of Defence officially elevated the Cyber domain compliance requirement to the full Essential Eight.
Allow me to give some background.
The Essential Eight are a list of cybersecurity mitigation strategies, originally outlined in 2010 as part of the Australian Signals Directorate's larger publication, Strategies to Mitigate Cyber Security Incidents.
The Eight strategies aim to not only prevent cyber threats, but limit their impact and help with recovery. They include frequent patching, restricting macros and administrator rights, limiting what software can run, and ensuring regular backups are occurring.
Over time, the ASD's Australian Cyber Security Centre (ACSC) team has evolved them into four Maturity Levels, from zero to three, listing a total of 149 individual controls.
The Maturity Level 1 controls are designed to thwart opportunistic attackers relying on commodity tradecraft, while the 107 Level 2 controls help resist attackers who are more skilled and often targeting specific organisations for a purpose. Finally, all 149 controls at Level 3 help resist very sophisticated adversaries who are highly skilled at exploiting vulnerabilities and circumventing security measures.
The Department of Defence, which must align with the Federal Government's Protective Security Policy Framework (PSPF), moved to require Maturity Level 2 not only of Defence itself but of all suppliers to Defence as well; this is where DISP comes in.
The Defence Industry Security Program (DISP) is how Defence ensures appropriate security alignment between their systems and the Defence industrial base.
There are four DISP membership levels, aligning with the Australian Government's security classification system. There are also four domains: Governance, Physical Security, Personnel Security, and Cyber Security.
But it is the Cyber Security domain that causes organisations the most angst as they step out on their DISP membership journey. Until October 2024, the cyber domain requirement was based on the ACSC "Top 4". Meeting this particular set of four security safeguards was often challenging enough, but now the minimum requirement for all organisations has been elevated to the full Essential Eight, at Maturity Level 2 (ML2).
As all DISP interactions must now be performed through the new Portal, new applications, as well as renewals for existing DISP members (as they submit their Annual Security Report), must complete the new cyber security questionnaire, which comprises around 120 questions: the Essential Eight ML2 questions as well as others relating to infrastructure, access, support and cyber training.
If you are feeling a little daunted by all of this, don’t despair. The AiGroup Business Consulting team are here to assist you in navigating the complex cyber requirements of DISP. For just a single day’s consulting, you will gain valuable insights into your current compliance status and receive a detailed gap analysis report that will help guide your next steps in meeting the new DISP standard.
Reach out to Mark Schmidt, Senior Cyber Consultant, on 03 9867 0202 or email cyber.services@aigroup.com.au