From compliance to advantage: Elevating security and competitiveness with DISP
Australia's defence suppliers must now achieve full Essential Eight Maturity Level 2 compliance under the DISP or forfeit access to contracts in a sector bolstered by an extra A$70 billion in funding through 2034-35.
Key takeaways
- The Defence Industry Security Program ended its transitional 'top four' Essential Eight cyber assessments on 15 November 2025, requiring all members to implement and maintain the full eight strategies at Maturity Level 2.
- Non-compliance blocks participation in thousands of Defence contracts, including around 4,000 at OFFICIAL classification level identified between July 2023 and October 2024, as the National Defence Strategy launches in 2026.
- While strengthening supply-chain resilience against advanced threats, the mandate imposes significant implementation burdens on smaller firms, creating tensions between national security goals and commercial agility in delivering AUKUS-era capabilities.
DISP's Cyber Mandate
In February 2026, with the National Defence Strategy due for release imminently, Australian entities in the defence supply chain are navigating the full enforcement of upgraded security rules under the Defence Industry Security Program. DISP, the multi-level framework managed by the Department of Defence, ensures companies bidding on tenders or handling classified material maintain standards across governance, personnel, physical and cyber domains to protect national interests.
The cyber domain has seen the sharpest change. Transitional assessments against only the top four of the Australian Signals Directorate's Essential Eight mitigation strategies concluded on 15 November 2025. All DISP members must now comply with the complete set (application control, application patching, macro restrictions, user application hardening, privileged access limits, operating system patching, multi-factor authentication and regular backups) at Maturity Level 2. This is verified via a detailed cyber security questionnaire forming part of annual security reports for the October 2024–October 2025 cycle, submitted through the modernised DISP Member Portal.
The stakes are concrete. Defence has flagged roughly 4,000 contracts at the OFFICIAL level requiring DISP membership between July 2023 and October 2024 alone, with many more at higher classifications. Failure to meet the new standards risks rejection from tenders tied to record investments, including an additional A$70 billion over the decade to 2034-35 for capability acquisition and industry development. Smaller suppliers, often without in-house cyber expertise, confront costs for technology, training, audits and uplift plans that can run well into six figures, even as primes push for faster delivery on sovereign projects.
Less discussed is the inherent trade-off. Heightened requirements bolster defences against persistent threats from actors targeting critical infrastructure, yet they demand ongoing validation and cultural shifts that may constrain the very innovation needed to outpace adversaries in areas like autonomous systems and submarine construction under AUKUS. Defence provides guidance and support services, but ultimate responsibility—and competitive differentiation—now rests with industry proving not just baseline adherence but sustained maturity.