DISP Cyber Security Requirements — A Complete Guide

What does DISP require for Cyber Security?
For Entry Level membership, the DISP cyber security requirements are based on the ACSC Essential Eight at Maturity Level 2 (ML2) as the minimum, supported by documented policies, incident management, user access controls, and continuous monitoring.

Here’s a step-by-step breakdown of the process.

Step 1: Target Essential Eight Maturity Level 2 as the Minimum

The first and most critical step is to understand the target you need to hit. The Essential Eight maturity model defines three target Maturity Levels (ML1 to ML3), sitting above a Maturity Level Zero that indicates weaknesses in an organisation’s overall posture. The Department of Defence requires Maturity Level 2 as the minimum baseline that DISP members must meet or exceed for the in-scope systems they use to correspond with Defence.

This requirement ensures a strong, unified security standard for all businesses operating within the Defence supply chain.

Here’s a quick overview of the levels for context:

    • Maturity Level 1 (ML1): A foundational level of security, aimed at adversaries using widely available, commodity tools and techniques.

    • Maturity Level 2 (ML2): A robust level of security designed to protect against more capable adversaries who invest more time and effort in a target. This is the required minimum for DISP membership.

    • Maturity Level 3 (ML3): An advanced level for protecting against the most determined and adaptive attackers, often required for specific contracts involving highly sensitive information.

Even if you are only targeting the Entry Level of DISP, you must plan and implement your cyber security controls to meet ML2.

A Note for Existing DISP Members

If your business gained DISP accreditation before the ML2 minimum was established (September 2024), you may not be compliant with the current requirements unless your cyber security program has been upgraded since then. Defence is standardising its security expectations across the entire supply chain, and all members are now expected to meet or exceed ML2 to maintain their accreditation.

This means that even if you are an existing member, you will likely need to conduct a new gap analysis against the ML2 controls and create a plan to remediate any shortfalls before your next review.

Step 2: Conduct a Gap Analysis

Once you know your target Maturity Level, you need to find out how your current security measures stack up. This is done through a gap analysis.

A gap analysis involves:

    1. Reviewing your existing technology, policies, and procedures.

    2. Comparing them against every requirement of your target Essential Eight Maturity Level.

    3. Identifying the specific “gaps” where you don’t currently meet the standard.

The output of a gap analysis is a clear roadmap, detailing exactly what needs to be implemented or improved to achieve compliance. This is arguably the most critical step, as it prevents wasted time and money on unnecessary solutions.

Step 3: Implement the Essential Eight Mitigation Strategies

With your roadmap in hand, it’s time for implementation. This involves putting technical controls and processes in place across the eight key areas, consistent with the ACSC’s official order.

Here’s a plain-English look at what each strategy involves:

    1. Application Control: Preventing unauthorised programs, scripts, and installers from running. This stops most commodity malware before it can execute.

    2. Patch Applications: Keeping your software (like Adobe Reader, web browsers, and Microsoft Office) up-to-date to fix known security holes.

    3. Configure Microsoft Office Macro Settings: Blocking or restricting macros in Office files, as these are a common way for attackers to deliver malware.

    4. User Application Hardening: Customising settings in your applications (like web browsers) to disable high-risk features that you don’t need.

    5. Restrict Administrative Privileges: Ensuring that only a few trusted users have powerful “admin” access, and that they use it only for administrative tasks. This limits the damage an attacker can do if they compromise a standard user account.

    6. Patch Operating Systems: Keeping your Windows, macOS, or Linux systems updated with the latest security patches.

    7. Multi-factor Authentication (MFA): Requiring a second form of verification (like a code from your phone) in addition to a password to prove your identity. This is one of the most effective security controls.

    8. Regular Backups: Regularly creating copies of your important data and testing that you can actually restore it if something goes wrong (like a ransomware attack).
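Implementing the strategies above is one half of the work; Step 5 asks you to show evidence that they are in place. The script below is an added example, not part of this guide, DISP, or the ACSC’s own tooling: it takes a point-in-time snapshot from a single Windows endpoint for four of the eight strategies (application control, Office macro settings, local administrators, and OS patching) and writes it to a JSON file for your evidence folder. It assumes an elevated PowerShell session, Office 2016 or later (the `16.0` policy keys), and the illustrative “restricted macros” threshold chosen here is an assumption for the example, not the ML2 test itself.

```powershell
# Added example: Essential Eight evidence snapshot for one Windows endpoint.
# Assumptions: elevated session; Office 2016/365 (policy keys under 16.0);
# the "Restricted"/"Enforced" flags below are illustrative, not the ML2 criteria.

$report = [ordered]@{
    Host      = $env:COMPUTERNAME
    Collected = (Get-Date).ToString('o')
}

# 1. Application Control: is a WDAC (Windows Defender Application Control)
#    policy enforced in user mode? 0 = off, 1 = audit only, 2 = enforced.
$dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard
$report.ApplicationControl = [ordered]@{
    WdacUserModeStatus = $dg.UsermodeCodeIntegrityPolicyEnforcementStatus
    Enforced           = ($dg.UsermodeCodeIntegrityPolicyEnforcementStatus -eq 2)
}

# 2. Office macro settings from the per-user Group Policy keys.
#    VBAWarnings: 1 = enable all, 2 = disable with notification,
#    3 = disable except digitally signed, 4 = disable without notification.
#    blockcontentexecutionfrominternet = 1 blocks macros in files from the internet.
$report.MacroSettings = foreach ($app in 'Word', 'Excel', 'PowerPoint') {
    $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    # Assumption for this example: "restricted" means signed-only or fully
    # disabled, plus blocking of macros in internet-sourced files.
    $restricted = ($p.VBAWarnings -in 3, 4) -and ($p.blockcontentexecutionfrominternet -eq 1)
    [ordered]@{
        App                 = $app
        PolicyKeyPresent    = [bool]$p
        VBAWarnings         = $p.VBAWarnings
        BlockInternetMacros = $p.blockcontentexecutionfrominternet
        Restricted          = $restricted
    }
}

# 3. Restrict Administrative Privileges: who holds local admin on this host?
$admins = @(Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource)
$report.LocalAdministrators = [ordered]@{
    Count   = $admins.Count
    Members = $admins
}

# 4. Patch Operating Systems: most recent installed update and its age.
#    Get-HotFix only lists updates recorded by the Windows Installer/WU store,
#    so pair this with your patch-management console for full evidence.
$latest = Get-HotFix |
          Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending |
          Select-Object -First 1
$ageDays = if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null }
$report.OsPatching = [ordered]@{
    LatestHotFix = $latest.HotFixID
    InstalledOn  = $latest.InstalledOn
    AgeDays      = $ageDays
}

# Write the snapshot as JSON; keep it with the date-stamped evidence for the assessment.
$out = Join-Path $PWD ('e8-evidence-{0}-{1:yyyyMMdd}.json' -f $env:COMPUTERNAME, (Get-Date))
$report | ConvertTo-Json -Depth 5 | Set-Content -Path $out -Encoding UTF8
Write-Host "Evidence written to $out"
```

Run it on a representative sample of in-scope endpoints rather than one machine, and keep the dated outputs: the assessor wants to see that the control holds over time, not just on the day you checked. MFA, patching of applications, backups and browser hardening are better evidenced from your identity provider, patch-management and backup consoles than from a single host, so this snapshot is a supplement to those reports, not a replacement.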

Step 4: Develop and Document Your Policies

Meeting the DISP requirements isn’t just about the technology; you must also document everything. This is a core part of the DISP Governance domain.

You need clear, written policies and procedures that describe how you manage your cyber security. Examples include:

    • An Information Security Policy

    • An Incident Response Plan (what you do when a breach occurs)

    • An Access Control Policy

    • A Backup and Recovery Plan

These documents prove to Defence that your security measures are deliberate, well-managed, and repeatable.

Step 5: Prepare for Assessment and Continuous Monitoring

Once the controls are in place and documented, you need to gather evidence to demonstrate that they are working as intended. This evidence will be reviewed during your DISP assessment.

Cyber security isn’t a “set and forget” project. DISP requires you to continuously monitor your security posture. This means regularly reviewing your controls, patching systems, and ensuring your policies are being followed to maintain compliance over the long term.

Meeting DISP cyber requirements can seem daunting, but by breaking it down into these manageable steps, you can create a clear path to compliance, strengthening your business and unlocking opportunities in the Defence sector.

F.A.Q

What are the current DISP cyber requirements?

From 30 September 2024, DISP mandates alignment to the Australian Signals Directorate’s Essential Eight at Maturity Level 2 (ML2). This uplift sits under DSPF Principle 16, Control 16.1, and is now embedded in DISP assurance activities. 

Do I need to be at ML2 before I apply for DISP?

No. Applicants complete the Cyber Security Questionnaire (CSQ) with their application. DISP assesses the CSQ, issues a Maturity Action Plan, and places applicants into the cyber uplift program. You are not required to have achieved ML2 before submitting the application, nor within the first Annual Security Report (ASR) period, but you will be guided and assessed toward ML2. 

Which systems are in scope for ML2?

Your ICT corporate systems used to correspond with Defence are in scope for meeting or exceeding Essential Eight ML2. In practice this covers day-to-day identity, email, collaboration, endpoints, document handling, and related services used to engage with Defence. 

How does DISP align with the Essential Eight?

DISP has formally aligned its cyber standard to the full Essential Eight at ML2 and uses ACSC’s Essential Eight guidance and assessment process as the basis for questionnaires and audits. 

Is ML2 a minimum or a maximum?

A minimum. Entities must meet or exceed ML2 across in-scope systems used to correspond with Defence. Higher risks or contractual obligations may drive controls beyond ML2. 

What evidence will Defence look for?

Evidence is gathered through the Entry Level Assessment (documentation review, interview, CSQ), Ongoing Suitability Assessments, Deep Dive audits, and the Annual Security Report. Since Oct 2024 the Essential Eight CSQ forms part of ASR activity and ongoing assurance. 

What exactly is the CSQ?

The Cyber Security Questionnaire is the structured questionnaire used by DISP to capture your Essential Eight posture. It includes an ML2-aligned Part B with 107 control questions and feeds into your maturity determination and uplift plan. 

Do existing DISP members also need ML2?

Yes. DISP strengthened standards on 30 September 2024 and incorporated the Essential Eight CSQ into the 2024–2025 ASR cycle, with uplift support toward ML2 for members. 

Is DISP membership mandatory for everyone?

It is mandatory if you handle classified information, deal with weapons and explosive ordnance, provide base security services, or if your Defence contract requires DISP. There are narrow exceptions when all classified work is performed on Defence networks or where a Security of Information Arrangement applies. 

How do DISP levels relate to government classification levels?

Entry Level corresponds to OFFICIAL and OFFICIAL: Sensitive, Level 1 to PROTECTED, Level 2 to SECRET, and Level 3 to TOP SECRET. You nominate the level per domain based on business need and contract context. 

What are the DISP security domains?

DISP covers four domains: security governance, personnel security, physical security, and ICT and cyber security. Cyber sits alongside the other three as part of a whole-of-organisation security posture. 

Does having ISO 27001 or NIST SP 800-171 mean I meet DISP?

Not by itself. DISP states that documentation from ISO/IEC 27001, NIST SP 800-171 or UK Def Stan 05-138 can help demonstrate aspects of your posture, but you still need to meet or exceed Essential Eight ML2 for in-scope systems. 

How does ongoing assurance work after I become a member?

DISP runs a collaborative assurance and uplift program. Members submit an Annual Security Report, may undergo desktop Ongoing Suitability Assessments, and can be selected for Deep Dive audits. Recommendations are tracked to closure within agreed timeframes. 

Where can I find the official Essential Eight maturity details?

ACSC publishes the Essential Eight maturity model and the Essential Eight Assessment Process Guide, which DISP references for its CSQ and assessments.