How to Meet DISP Cyber Requirements: A Step-by-Step Breakdown

Achieving Defence Industry Security Program (DISP) membership involves meeting requirements across four key domains (governance, personnel security, physical security, and information and cyber security), but it’s the Information and Cyber Security domain that usually requires the most technical effort. So, what do you actually need to do to meet these cyber requirements?

For most businesses entering DISP, the cyber security requirements are based on the Australian Cyber Security Centre’s (ACSC) Essential Eight framework. This framework outlines practical mitigation strategies to protect your systems against a range of cyber threats.

Here’s a step-by-step breakdown of the process.

Step 1: Target Essential Eight Maturity Level 2 as the Minimum

The first and most critical step is to understand the target you need to hit. The Essential Eight Maturity Model defines three target Maturity Levels (a Maturity Level Zero exists too, but it only signals that significant weaknesses remain), and the Department of Defence requires Maturity Level 2 as the minimum baseline for all DISP membership applications.

This requirement ensures a strong, unified security standard for all businesses operating within the Defence supply chain.

Here’s a quick overview of the levels for context:

    • Maturity Level 1 (ML1): A foundational level, aimed at adversaries who use commodity tools and opportunistic techniques rather than targeting your business specifically.

    • Maturity Level 2 (ML2): A more robust level, aimed at adversaries willing to invest more time in a target, use more capable tooling, and go after credentials (for example by phishing). This is the required minimum for DISP membership.

    • Maturity Level 3 (ML3): An advanced level, aimed at adaptive adversaries who probe a specific target’s weaknesses and are less reliant on public tools. It is often required for specific contracts involving highly sensitive information.

Even if you are only targeting the Entry Level of DISP, you must plan and implement your cyber security controls to meet ML2.

A Note for Existing DISP Members

If your business gained DISP accreditation before the ML2 minimum was established (September 2024), you might not be compliant with the current requirements if your cyber security program hasn’t been upgraded since then. Defence is standardising its security expectations across the entire supply chain, and all members are now expected to meet or exceed ML2 to maintain their accreditation.

This means that even if you are an existing member, you will likely need to conduct a new gap analysis against the ML2 controls and create a plan to remediate any shortfalls before your next review.

Step 2: Conduct a Gap Analysis

Once you know your target Maturity Level, you need to find out how your current security measures stack up. This is done through a gap analysis.

A gap analysis involves:

    1. Reviewing your existing technology, policies, and procedures.

    2. Comparing them against every requirement of your target Essential Eight Maturity Level.

    3. Identifying the specific “gaps” where you don’t currently meet the standard.

The output of a gap analysis is a clear roadmap, detailing exactly what needs to be implemented or improved to achieve compliance. This is arguably the most critical step, as it prevents wasted time and money on unnecessary solutions.

Step 3: Implement the Essential Eight Mitigation Strategies

With your roadmap in hand, it’s time for implementation. This involves putting technical controls and processes in place across the eight key areas, consistent with the ACSC’s official order.

Here’s a plain-English look at what each strategy involves:

    1. Application Control: Allowing only approved executables, scripts, installers and similar files to run (typically with Windows Defender Application Control or AppLocker) and blocking everything else. Because most malware arrives as an unapproved file, this stops much of it before it can execute.

    2. Patch Applications: Keeping your software (like Adobe Reader, web browsers, and Microsoft Office) up to date to fix known vulnerabilities. At ML2 this means patching within 48 hours when the vendor rates a vulnerability critical or a working exploit exists, and otherwise within two weeks, with regular vulnerability scanning to find what is missing.

    3. Configure Microsoft Office Macro Settings: Blocking macros for users who have no business need for them, blocking macros in files that came from the internet, and scanning the macros that are allowed with antivirus, because macro-laden documents remain a common way for attackers to deliver malware.

    4. User Application Hardening: Customising settings in your applications to disable high-risk features you don’t need, such as stopping web browsers from processing Java and web advertisements from the internet, and disabling or removing Internet Explorer 11.

    5. Restrict Administrative Privileges: Ensuring that only a few trusted users have powerful “admin” access, that this access is validated when first requested and revalidated at least annually, and that admin accounts are kept off the web and email. This limits the damage an attacker can do if they compromise a standard user account.

    6. Patch Operating Systems: Keeping your Windows, macOS, or Linux systems updated with the latest security patches on the same 48-hour and two-week timeframes as applications, and replacing operating systems the vendor no longer supports.

    7. Multi-factor Authentication (MFA): Requiring a second form of verification (like a code from your phone) in addition to a password to prove your identity, for internet-facing services, for remote access, and for privileged users. Phishing-resistant methods such as security keys or passkeys are preferred over SMS codes. This is one of the most effective security controls.

    8. Regular Backups: Regularly creating copies of your important data, software and configuration settings, keeping them where ordinary user accounts (and, at ML2, ordinary privileged accounts) cannot modify or delete them, and testing that you can actually restore from them if something goes wrong (like a ransomware attack).

Step 4: Develop and Document Your Policies

Meeting the DISP requirements isn’t just about the technology; you must also document how you do it. This is a core part of the DISP Governance domain.

You need clear, written policies and procedures that describe how you manage your cyber security. Examples include:

    • An Information Security Policy

    • An Incident Response Plan (what you do when a breach occurs)

    • An Access Control Policy

    • A Backup and Recovery Plan

These documents prove to Defence that your security measures are deliberate, well-managed, and repeatable.

Step 5: Prepare for Assessment and Continuous Monitoring

Once the controls are in place and documented, you need to gather evidence to demonstrate that they are working as intended. This evidence will be reviewed during your DISP assessment.

Cyber security isn’t a “set and forget” project. DISP requires you to continuously monitor your security posture. This means regularly reviewing your controls, patching systems, and ensuring your policies are being followed to maintain compliance over the long term.
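The PowerShell script below is an added example of the kind of endpoint check that produces this evidence; it is not from this page, from Defence, or from the ACSC. It inspects a Windows workstation against several of the controls listed in Step 3 and records a PASS/GAP row per check, which serves both the gap analysis in Step 2 and the evidence pack in Step 5. It assumes Windows 10/11, Windows PowerShell 5.1 or later run as a local administrator, and Microsoft 365 Apps (the Office 16.0 policy keys). The $approvedAdmins list and the 14-day patch threshold are placeholders to replace with your own values; MFA and backups are not checked because their evidence comes from your identity provider and backup product, not the endpoint.

```powershell
# Added example (not from the page, Defence or ACSC): spot-check a Windows workstation
# against several Essential Eight controls and record PASS/GAP evidence per check.
# Assumptions: Windows 10/11, Windows PowerShell 5.1+ run as a local administrator,
# Microsoft 365 Apps (Office 16.0 policy keys). $approvedAdmins and the 14-day patch
# threshold are placeholders. MFA and backups need evidence from the identity provider
# and backup product rather than the endpoint, so they are not checked here.

$results = New-Object System.Collections.Generic.List[object]

function Add-Result {
    param([string]$Strategy, [string]$Check, [bool]$Pass, [string]$Evidence)
    $status = if ($Pass) { 'PASS' } else { 'GAP' }
    $results.Add([pscustomobject]@{
        Strategy = $Strategy
        Check    = $Check
        Status   = $status
        Evidence = $Evidence
    })
}

# Application Control: WDAC user-mode enforcement (2 = enforced, 1 = audit, 0 = off),
# or at least one AppLocker rule collection in enforce mode.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$wdacEnforced = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
[xml]$alp = Get-AppLockerPolicy -Effective -Xml
$enforcedCollections = @($alp.AppLockerPolicy.RuleCollection | Where-Object { $_.EnforcementMode -eq 'Enabled' }).Count
$acEvidence = "WDAC user-mode status=$($dg.UsermodeCodeIntegrityPolicyEnforcementStatus); AppLocker enforced collections=$enforcedCollections"
Add-Result 'Application Control' 'WDAC enforced or AppLocker rules enforced' ($wdacEnforced -or $enforcedCollections -gt 0) $acEvidence

# Office Macro Settings: values written by the "Block macros from running in Office files
# from the Internet" and "VBA Macro Notification Settings" policies for each app.
# VBAWarnings 3 = only digitally signed macros, 4 = disable all without notification.
foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $pol = Get-ItemProperty -Path "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security" -ErrorAction SilentlyContinue
    $internetBlocked = ($pol.blockcontentexecutionfrominternet -eq 1)
    $restricted = ($pol.VBAWarnings -in @(3, 4))
    $macroEvidence = "VBAWarnings=$($pol.VBAWarnings); blockcontentexecutionfrominternet=$($pol.blockcontentexecutionfrominternet)"
    Add-Result 'Office Macro Settings' "$app internet macros blocked and macros restricted" ($internetBlocked -and $restricted) $macroEvidence
}

# User Application Hardening: Internet Explorer 11 should be disabled or removed.
$ie = Get-WindowsOptionalFeature -Online -FeatureName 'Internet-Explorer-Optional-amd64' -ErrorAction SilentlyContinue
$ieGone = ($null -eq $ie -or $ie.State -ne 'Enabled')
Add-Result 'User Application Hardening' 'Internet Explorer 11 disabled or removed' $ieGone "IE11 feature state=$($ie.State)"

# Restrict Administrative Privileges: local Administrators must contain only approved accounts.
$approvedAdmins = @("$env:COMPUTERNAME\Administrator")   # placeholder: replace with the approved admin list
$admins = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })
$unexpected = @($admins | Where-Object { $_ -notin $approvedAdmins })
Add-Result 'Restrict Admin Privileges' 'No unapproved members of local Administrators' ($unexpected.Count -eq 0) "Members: $($admins -join ', ')"

# Patch Operating Systems: age of the most recent installed update. Get-HotFix is an
# approximation (it lists cumulative updates and hotfixes, not every update type);
# a vulnerability scanner is the authoritative source for the ML2 timeframes.
$latest = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending | Select-Object -First 1
$ageDays = if ($latest) { ((Get-Date) - $latest.InstalledOn).Days } else { [int]::MaxValue }
$patchEvidence = "Last update $($latest.HotFixID) installed $($latest.InstalledOn) ($ageDays days ago)"
Add-Result 'Patch Operating Systems' 'Latest update installed within 14 days' ($ageDays -le 14) $patchEvidence

# Show the table and keep a dated CSV per machine as assessment evidence.
$results | Format-Table -AutoSize
$results | Export-Csv -Path "$env:COMPUTERNAME-essential-eight-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

Run it on a representative sample of workstations and keep the dated CSVs with your evidence pack: the GAP rows become items on the remediation roadmap, and re-running it on a schedule is a simple form of the continuous monitoring described above. Because the checks read local policy and inventory only, a PASS here shows that a control is configured on that machine, not that the organisation-wide process behind it (patch cadence, admin access approvals) is followed; that still has to come from your change and access records.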

Meeting DISP cyber requirements can seem daunting, but by breaking it down into these manageable steps, you can create a clear path to compliance, strengthening your business and unlocking opportunities in the Defence sector.