A version of this article first appeared in Defence Connect as a contributed archTIS byline: https://www.defenceconnect.com.au/key-enablers/8062-understanding-and-meeting-disp-information-and-cyber-security-requirements
Securing Australia’s Defence Supply Chain
The Defence supply chain is a network of interrelated companies, services, and products that transform raw materials and information into goods and expertise for military materiel applications. Given the scale, breadth, and complexity of bringing so many different stakeholders and activities together, the risks that a supply chain presents can be challenging to define and manage. There are so many interactions and inputs involved in acquiring, producing, storing and delivering defence goods and services that an interruption at one point may ripple out to have a global impact.
The complexity and the associated risks, including growing cyber threats, mean that supply chains present a significant potential impact on sovereign capability and national security. The Australian Productivity Commission (PC) released a critical Interim Report in March 2021 on Vulnerable Supply Chains focusing on global supply chains as a whole (and Australia’s resilience to disruptions in these chains). However, many of these principles apply equally to any sector of the economy, including the Defence supply chain.
Cybersecurity Risks
Some of the significant cybersecurity-related issues within the Defence supply chain include:
- Increased Cyber Risk: The number of cyber actors and their effectiveness and motivation to interrupt or attack supply chains has increased since the turn of the century. Small supply chain members are increasingly unable to protect themselves from these advanced threat vectors;
- National sovereignty: Modern Defence systems may have technologies from multiple countries with different requirements for controlling information across the supply chain;
- Siloed data storage: Storing all of your supplier, inventory, and procurement information in different systems can cause inefficiencies and errors;
- Data and Intellectual Property (IP) security and compliance concerns: Almost half of network security professionals reported at least one breach last year. Technology that is not secure or does not control access adequately increases the odds of a data breach. This is particularly concerning for the Aerospace and Defence (A&D) industry, as suppliers and buyers must share sensitive data and IP information while at the same time complying with data privacy and security regulations;
- System integration challenges, both internally and externally: Lack of integration between buyers and suppliers frustrates everyone and can lead you to fall back on less secure, less efficient means of communication; and
- File size limits: Suppliers and buyers exchange information that can come in huge files. Attachment sizes can be a massive problem if you are using email and can even compromise your supply chain efficiency if you use automated systems that aren’t specifically meant for collaboration.
Without a robust and resilient supply chain, the ability of the Australian Defence Organisation (ADO) to protect national interests effectively could be dramatically impacted. Managing the risks of disruption or compromise across the Defence supply chain is imperative.
How the Defence Industry Security Program (DISP) Aims to Harden Security
What is DISP? Why is it important?
The Defence Industry Security Program (DISP) exists to help businesses address the risks associated with providing services, products, or capabilities to the ADO, directly or indirectly.
Managed by the Defence Industry Security Office (DISO), the intent of the program is to both guide and assess the businesses that may form part of a complex supply chain for Defence. DISP guidance and assessment encompasses processes, procedures, information technology (IT), cyber security, physical security, and personnel security.
DISP forms part of broad risk management across the complexities and challenges Defence needs to operate within to deliver its objectives. It also helps to apply Defence’s experience and expertise in operating in complex and security-conscious environments, helping Australian businesses improve their security.
By helping secure businesses across the supply chain, Defence can improve its sourcing arrangements’ resilience, security, and assurance.
What is required for DISP membership?
There are four DISP security categories members are assessed by:
- Personnel Security
- Physical Security
- Information & Cyber Security
- Security Governance
Each of the categories above is assessed according to your membership level. The higher the level applied for, the more rigorous and complex the process becomes for assessment and approval.
The four levels of membership for each of the categories within DISP, mapping to Australian Government Security Classifications, are:
- Entry Level = OFFICIAL/OFFICIAL: Sensitive
- Level 1 = PROTECTED
- Level 2 = SECRET
- Level 3 = TOP SECRET
Who is eligible for membership?
Any Australian business working with or looking to do business with Australian Defence can apply for DISP membership. Overseas companies are not eligible to become DISP members. However, they can work with Defence through other criteria.
DISP membership is mandatory for many, but not all, circumstances. Your organisation requires membership if:
- It works on classified information or assets.
- It stores or transports weapons or explosive ordnance.
- It provides security services for Defence bases and facilities.
- Your contract has a Defence business requirement for DISP membership.
Exceptions include:
- Any work on classified information or assets is done within Defence facilities or using Defence networks.
- An applicable Security of Information Agreement or Arrangement (SIA) exists with the company.
What are the benefits of membership?
DISP membership has significant benefits to Defence supply chain organisations, including:
- Access to knowledge, training, advice, and analysis on security trends, threats, and mitigations to improve security planning and practices;
- Ability to engage with Defence and other providers to add value within security constraints;
- Access to Defence Security services that enable you to be ready when responding to tenders or delivering contracts;
- At higher membership levels, the ability to sponsor and maintain Australian Government security clearances for your personnel; and
- Improved security resilience and cyberworthiness through strengthened information systems, security practices, and education.
Challenges to Meeting DISP Compliance
While DISP membership is strongly recommended and, in some cases, necessary, the application process is comprehensive and requires businesses to prove their processes and systems can meet cybersecurity requirements.
One of the critical pillars of DISP is how organisations manage and secure information. Hence, the Information and Cyber Security category is critical, requiring the IT systems used by a business to meet several security criteria. However, the extensive security criteria, security controls, and system documentation required for IT systems can be complex and challenging to create and maintain.
What are the information and cyber security levels?
Both information and cyber security are critical for DISP, including identifying, protecting against, and remediating security incidents or attacks on your company’s information systems and networks. You need to determine which of the four levels of information and cyber security below is right for you, assess the state of your systems and networks, and implement the required standard:
- Entry Level – You are implementing the required membership controls against the nominated cyber security standard that your business meets for storing, processing and communicating OFFICIAL and OFFICIAL: Sensitive information.
- Level 1 – You have, or require, a minimum of one network or standalone device to store, process and communicate up to PROTECTED information.
- Level 2 – You have, or require, a minimum of one network or standalone device to store, process and communicate up to SECRET information.
- Level 3 – You have, or require, a minimum of one network or standalone device to store, process and communicate up to TOP SECRET information.
Finally, you will need to demonstrate your organisation fully meets the required standard for the chosen level.
Accelerate Your DISP Membership with Kojensi
While imperative for security, the level of compartmentalised access and sharing controls required by DISP for sensitive and classified information collaboration is costly and challenging to achieve for many existing or prospective Defence Industry organisations.
Larger companies and Defence contracts often use bespoke solutions that are complicated, difficult to maintain, and vary in quality. Small and medium enterprises (SMEs) often find it costly and challenging to meet the stringent information security controls required by DISP, which can impact their ability to compete for Defence business.
Fortunately, Kojensi can provide these capabilities out of the box to immediately increase compliance and cyber resiliency cost-effectively and with fewer resources.
Enforcement of Data Governance
Kojensi is a proven and accredited software as a service (SaaS) platform for sensitive and classified information collaboration and sharing that provides the level of compliance and security of information required by DISP. It offers easy-to-deploy, secure cloud-based collaboration and storage for files and documents up to and including Australian Government PROTECTED information. With Kojensi, businesses can easily separate sensitive or classified Defence information from their corporate systems, helping immediately meet the information and cybersecurity criteria required for DISP membership.
Access Controls and a Secure Workspace
Kojensi enables information owners to set and enforce strict security controls over information using Attribute Based Access Control (ABAC). It provides access based on a user’s organisation, nationality, clearance, and compartmentalisation of information. Users can share data securely between multiple organisations, at various classifications, and across different jurisdictions – while meeting compliance and security requirements.
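A sketch of an attribute-based access decision over the four attributes named above (organisation, nationality, clearance, compartments). This is an added example, not Kojensi's code or API; the class names, the `decide` function, the sample organisations and the compartment name are hypothetical, and clearance is simplified to the highest classification a user may access.

```python
from dataclasses import dataclass

# Classifications named on this page, lowest to highest.
LEVELS = ["OFFICIAL", "OFFICIAL: Sensitive", "PROTECTED", "SECRET", "TOP SECRET"]

@dataclass(frozen=True)
class User:
    organisation: str
    nationality: str
    clearance: str                    # assumption: highest classification the user may access
    compartments: frozenset = frozenset()

@dataclass(frozen=True)
class Document:
    classification: str
    organisations: frozenset          # organisations the owner shares with
    releasable_to: frozenset          # nationalities the owner permits
    compartments: frozenset = frozenset()

def decide(user, doc):
    """Deny by default: access needs every attribute check to pass.
    Returns (allowed, reasons) so a refusal can be written to an audit log."""
    if user.clearance not in LEVELS or doc.classification not in LEVELS:
        return False, ["unrecognised clearance or classification label"]
    reasons = []
    if LEVELS.index(user.clearance) < LEVELS.index(doc.classification):
        reasons.append("clearance below classification")
    if user.organisation not in doc.organisations:
        reasons.append("organisation not permitted")
    if user.nationality not in doc.releasable_to:
        reasons.append("nationality not permitted")
    missing = doc.compartments - user.compartments
    if missing:
        reasons.append("missing compartments: " + ", ".join(sorted(missing)))
    return not reasons, reasons

# Constructed sample data (hypothetical organisations and compartment names).
DESIGN_DOC = Document("PROTECTED", frozenset({"PrimeCo", "PartsCo"}),
                      frozenset({"AU"}), frozenset({"PROJECT-X"}))
ENGINEER = User("PartsCo", "AU", "PROTECTED", frozenset({"PROJECT-X"}))
CONTRACTOR = User("PartsCo", "NZ", "SECRET")   # higher clearance, still refused

if __name__ == "__main__":
    for who in (ENGINEER, CONTRACTOR):
        print(who.organisation, who.nationality, decide(who, DESIGN_DOC))
```

The second user shows why clearance alone is not sufficient under ABAC: a higher clearance does not compensate for a failed nationality or compartment check.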
Audit and Accountability
Every action performed in the Kojensi platform is logged and timestamped for auditing, transparency and remediation if required. You can also integrate user activity and logs with SIEM tools for downstream analysis.
System and Information Integrity
Kojensi compartmentalises data and users to prevent overprivileged user abuse and ensures both product and local administrators cannot override security.
Talk to us about how we can help accelerate your DISP membership today!