The ADF continues the rebuild and upgrade programs of its major warfighting platforms at pace. With these opportunities comes the responsibility for Australian defence businesses to ensure they comply with the regulations referenced in their contracts.
This is made more difficult by the increasingly diverse range of countries supplying the new capabilities being introduced. On top of the already tight supplier performance assessment criteria of traditional supply nations such as the US, defence businesses now need to make additional considerations.
There are a range of challenges for any potential or existing Defence supplier to consider in order to remain both current and competitive in the sector. These are in addition to the Export Control compliance standards I have previously written about here.
Defence requires suppliers to hold an appropriate level of Defence Industry Security Program (DISP) membership when working on sensitive or classified information or assets; storing or transporting Defence weapons or explosive ordnance; providing security services for Defence bases and facilities; or as a result of a specific Defence business requirement.
DISP membership is split into four levels across separate requirement areas: physical security, information and cyber security, personnel security, and governance. A supplier's level of risk determines the appropriate DISP level and its associated security requirements; the higher the risk, the more stringent the requirements. Through the DISP membership program, suppliers are provided with support and information on how to meet the security requirements for their level and which certifications must be obtained.
When entering the Defence marketplace, you must ensure the processes within your documented management system conform to the quality standards of an accredited certification body. This certification is recognised by the Defence Primes and is integral to the CASG Performance Scorecards used to evaluate suppliers. Examples of these standards include ISO 9001, ISO 14001, ISO 27001, IATF 16949 and AS 9100D, any of which can be a prerequisite for pursuing opportunities with Defence Primes and an entry-level capability for CASG supplier assurance.
The Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD) produces the Australian Government Information Security Manual (ISM). The purpose of the ISM is to outline a cyber security framework that organisations can apply, using their risk management framework, to protect their information and systems from cyber threats. Suppliers can use ISO 28001 Supply Chain Risk Management System Standard with guidance from ISO 31000.
The ISM itself is broken up into 22 broad guidelines, each consisting of a suite of controls that support 34 cyber security principles and the ASD's essential mitigations, to protect organisations and systems from a range of adversaries. Different systems, scopes and environments will each have a set of guidelines they are obliged to comply with. A risk-based approach is applied to managing controls: not every control needs to be applied, and ensuring that the organisation and its stakeholders are well informed about which controls are in place and why goes a long way towards reinforcing confidence that they are adequately protected.
Australian SMEs should consider their wider legal obligations as part of their compliance requirements. For example, in the past some local businesses have entered contracts with overseas primes and overlooked issues such as the contract documents being governed by foreign laws. This sits alongside the requirement for the Australian business to comply with the Australian Privacy Principles and, in the US example, with that country's strict customs laws and regulations.
The proper negotiation of terms relating to intellectual property and technical data is sometimes overlooked but is an essential part of the legal and commercial negotiations. For example, the negotiated classification of contractor IP, contractor materials and technical data can have an enormous effect on the value and risk associated with the contract. Specialist legal advice is therefore essential.
Note: Kevin Chenney is Senior Consultant Defence Compliance for Goal Professional Services.