Understanding the Latest Changes to DISP Cyber Security Requirements: What It Means for Defence Members in Australia
In September 2024, the Defence Industry Security Program (DISP) introduced significant updates to its cyber security standards, bringing the compliance expectations in line with evolving security threats and the need for increased resilience. The changes affect both existing DISP members and new applicants, and now require organisations to adopt more comprehensive cyber security measures, aligning with the full Australian Signals Directorate (ASD) Essential Eight strategies at Maturity Level 2.
Top 4 Is No Longer Fit-For-Purpose
The Defence Industry Security Program (DISP) has long required defence contractors to uphold cyber security measures to protect Australia’s sensitive information and critical infrastructure. Until these recent changes, DISP’s cyber security requirements were based on implementing only four of the Australian Signals Directorate’s Essential Eight strategies at Maturity Level 1. This “Top 4” approach included Application Whitelisting, Patching Applications, Restricting Administrative Privileges, and Patching Operating Systems key measures to prevent and mitigate common cyber threats.
However, this limited focus no longer provides comprehensive protection against the evolving cyber threat landscape. Advanced persistent threats, increasingly sophisticated ransomware, and heightened regulatory expectations across defence partners have underscored the need for a more complete and proactive approach. Consequently, the DISP standards now demand adherence to all Essential Eight strategies at Maturity Level 2 to support a stronger, more resilient defence supply chain.
Key Changes in the New DISP Cyber Security Standards
1. Expansion to the Full Essential Eight Strategies
The Essential Eight, developed by the ASD, is a set of cyber security mitigation strategies designed to protect organisations from a range of cyber threats. Previously, DISP compliance focused on the “Top 4” strategies, which included:
• Application Whitelisting
• Patching Applications
• Restricting Administrative Privileges
• Patching Operating Systems
The recent updates now require organisations to implement all eight strategies, adding:
• Multi-Factor Authentication (MFA)
• Application Hardening
• User Application Control
• Regular Backups
2. Increased Maturity Level
Under the new guidelines, DISP members are expected to achieve Maturity Level 2 for each of the Essential Eight strategies. This level indicates that each mitigation strategy is being actively managed and improved, rather than merely implemented at a basic level. Maturity Level 2 includes measures such as configuring application controls to prevent unapproved applications from executing, deploying vulnerability management processes, and implementing more frequent patching.
3. Alignment with Latest ASD Recommendations
The DISP updates align the program more closely with the latest guidance from the ASD. This alignment reflects the Australian Government’s commitment to elevating cyber security standards across its defence supply chain. Compliance with these updated standards ensures that organisations are equipped to handle advanced cyber threats and demonstrates a proactive approach to safeguarding critical information.
Why Were These Changes Necessary?
The update to DISP standards comes as a response to the increasing frequency and sophistication of cyber attacks on critical infrastructure and sensitive sectors. Defence contractors and suppliers manage data and services that, if compromised, could have severe implications for national security. By enforcing stricter cyber security requirements, the DISP aims to mitigate the potential impact of cyber incidents, reducing vulnerability across the defence sector.
The addition of multi-factor authentication, application control, and regular backups helps create a more resilient security posture. These elements are designed to limit access to sensitive systems, prevent unauthorised software from running, and ensure that data can be recovered in case of ransomware or other destructive attacks.
What Does Compliance with Maturity Level 2 Look Like?
Achieving Maturity Level 2 for the Essential Eight strategies involves going beyond the basic implementation to actively manage and monitor these security measures. Here’s what this entails for each strategy:
• Application Whitelisting and Control: Only authorised applications can run, preventing unknown or potentially malicious software from being executed.
• Patching Applications and Operating Systems: Regularly updating software and OS versions reduces vulnerabilities that could be exploited by attackers.
• Restricting Administrative Privileges: Limiting administrative access to only those who absolutely need it minimises the damage that can be done if an account is compromised.
• Multi-Factor Authentication: Requires a second form of verification, such as a code from a mobile app, to ensure that the right user is accessing sensitive systems.
• User Application Hardening: Involves configuring software settings to limit potential exploits, such as disabling macros in Microsoft Office applications.
• Regular Backups: Establishing a routine for data backup ensures critical data can be restored after a cyber incident, reducing downtime and loss.
Organisations that meet Maturity Level 2 are expected to not only implement these practices but also review and refine them regularly, responding to emerging threats with adaptability.
Challenges and Considerations for DISP Membership
Complying with the updated DISP standards may pose challenges, particularly for smaller contractors who may lack in-house cyber security resources. The need for continuous monitoring, regular patching, and implementing multi-factor authentication can require new investments in cyber security management capabilities.
Furthermore, DISP members must also consider third-party risks. Working with external vendors who may have access to sensitive data or systems can introduce vulnerabilities. DISP’s updated standards encourage contractors to assess and manage these third-party risks as part of a broader security posture.
Preparing for the Future: Staying Compliant and Cyber-Resilient
DISP members must now adapt to a more comprehensive and proactive cyber security framework. Compliance is not a one-time task but an ongoing process requiring regular audits, updates to security practices, and a commitment to improvement. By meeting these standards, defence contractors not only fulfil their obligations under DISP but also enhance their resilience to cyber threats in an increasingly volatile digital landscape.
This shift towards comprehensive security aligns with global trends, where governments and private sectors alike are stepping up their cyber security requirements. Australian defence contractors are now at the forefront of these changes, showcasing the country’s commitment to a secure and resilient supply chain.
Looking Ahead: Preparing for the Future of Cyber Security Compliance
These recent changes to the DISP cyber security requirements are just the beginning of a broader shift towards more stringent security frameworks. Not only does this update mark a step forward for the Essential Eight, which is set to be revised annually by the ASD, but it also signals the upcoming influence of the Cybersecurity Maturity Model Certification (CMMC).
The recent DISP cyber security updates mark a crucial first step, but they are just the beginning. With the Cybersecurity Maturity Model Certification (CMMC) expected to impact Australian industry in the next 12–18 months, especially those maintaining or pursuing DISP membership or securing key contracts with a prime or U.S. defence contractors, it’s essential to think beyond today’s standards.
Addressing current requirements positions organisations to meet today’s expectations—yet looking forward, targeting an uplift toward CMMC Level 2 compliance will be critical. For those in the defence sector, this is an opportunity to embrace a proactive, long-term approach, aligning with an evolving security landscape that demands resilience, adaptability, and trust.
This may be the first hurdle, but it’s also a chance to lay a foundation that will support your organisation through future challenges and opportunities.