Education

Facilities, Resources & Equipment Assurance

May 4, 2026 | 3:00 PM AEDT

Australia's defence supply chain faces a hard deadline: as of November 2025, every DISP member must comply with full Essential Eight Maturity Level 2 cyber standards, closing the door on partial protections that once sufficed.

Key takeaways

  • The Defence Industry Security Program (DISP) ended assessments against only the 'Top 4' Essential Eight controls on 15 November 2025, mandating full Essential Eight Maturity Level 2 compliance across governance, physical, personnel, and cyber domains for all members.
  • Non-compliance risks exclusion from defence tenders, contracts, and grants worth billions annually, amid Australia's defence budget climbing to $59 billion in 2025-26 and projected to $74 billion by 2030.
  • Facilities, resources, and equipment assurance now carries heightened scrutiny, as physical security of sites, IT hardware hardening, and equipment management directly underpin the broader cyber uplift, creating tensions between rapid compliance costs and access to lucrative sovereign capability priorities like submarine sustainment and guided weapons production.

Tightening Defence Supply Chain Security

The Defence Industry Security Program (DISP), administered by Australia's Department of Defence, requires companies handling sensitive defence information or assets to maintain rigorous security standards. Membership, while free of direct fees, demands substantial investment in controls across four domains: governance, personnel security, physical security, and cyber security.

A pivotal shift occurred in late 2024 and crystallised in 2025: DISP raised the cyber bar from compliance with just the 'Top 4' Essential Eight mitigation strategies to full implementation of all eight at Maturity Level 2. This change took full effect after assessments against the limited controls concluded on 15 November 2025. All members—new applicants and existing ones renewing via annual security reports—must now demonstrate a hardened IT environment, including approved configurations, equipment management policies, and hardening of information technology hardware per Australian Signals Directorate guidance.

This matters amid escalating geopolitical tensions and Australia's push for greater sovereign defence industrial capability. The defence budget has risen sharply, reaching $58.99 billion for 2025-26, with forecasts to $74 billion by 2030. Programs like continuous naval shipbuilding, nuclear-powered submarines, and domestic manufacture of guided weapons depend on a secure supply chain. Grants under the Defence Industry Development Grants Program—Security Stream, with $12.7 million allocated, explicitly support small to medium enterprises in achieving DISP accreditation to protect intellectual property, equipment, and facilities against physical and cyber threats.

The stakes are concrete. Failure to meet the new standards bars participation in defence contracts, potentially costing companies access to billions in opportunities. Costs include facility certifications, personnel clearances, physical perimeter protections, and cyber uplifts—often running into hundreds of thousands of dollars for mid-sized firms. Deadlines are unforgiving: annual security reports must reflect compliance, and assurance activities by DISP can impose remediation timelines.

Less obvious tensions arise in implementation. While cyber receives the spotlight, physical security of facilities and resources—such as secure storage of equipment and controlled access—underpins cyber controls and remains critical for handling classified assets or explosive ordnance. Smaller suppliers face a squeeze: the uplift aligns with sovereign priorities but demands upfront spending that may strain cash flow, even as grants offer partial relief. Larger primes push compliance down the chain, creating cascading pressure. Moreover, the focus on Maturity Level 2 addresses advanced persistent threats but comes at the cost of speed: full compliance can take 6-12 months, delaying entry into a booming market.
