A parliamentary committee has demanded Defence demonstrate how it is improving its processes for enhancing industry security compliance.
That follows a critical report by the national auditor which found Defence’s administration of the long running Defence Industry Security Program (DISP) was no more than “partially effective” while arrangements for administering contracted DISP requirements were just “partially fit for purpose.”
That was as good as it got. The Australian National Audit Office (ANAO) said Defence had not established fit-for-purpose arrangements to monitor compliance with DISP requirements.
In particular, it had not fully implemented the compliance and assurance framework identified in the Defence Security Principles Framework. Neither did Defence know which of its active contracts required a business to have DISP membership.
All this from a defence program spanning “several decades” and intended to support Australian businesses to understand and meet security obligations when engaging in Defence projects, contracts and tenders.
Security of defence contractors was important back when DISPO was stood up. It’s even more important now in this era of strategic uncertainty and rampant espionage and cyber intrusions by nation states and others.
Membership of DISP is open to any Australian business dealing with Defence. For some Defence work, DISP membership is mandatory.
The DISP website says they will help a business attain the right security requirements when delivering Defence contracts and tenders, providing security advice and support services.
In the ANAO report released in September 2021, Defence acknowledged DISP shortcomings and undertook to continue a program of improvements to enhance DISP effectiveness.
The parliamentary Joint Standing Committee on Foreign Affairs, Defence and Trade set out to see how Defence was progressing.
It said the ANAO report raised serious concerns about Defence’s implementation of DISP and management of non-compliance which was fundamental to assuring the security of Defence’s people, information, and assets.
“The Committee has carefully considered Defence’s progress in implementing the six primary recommendations it committed to a year ago,” it said.
It seems much more work is needed.
The committee said Defence needed to listen more carefully to industry concerns raised about the quality of DISP security training including for APS staff. It should embed a structured, transparent mechanism to ensure industry feedback directly informed continuous improvement to ensure training meets industry’s reasonable expectations.
The committee said Defence needed to implement systems to regulate and audit DISP compliance.
Within six months, it should outline to the Committee how all six ANAO recommendations have been fully implemented. Within a year, it should report back on progress to further improve DISP-related compliance and audit systems.
In a submission to the inquiry, defence company Leidos acknowledged Defence had made significant improvements to DISP but challenges remained.
“Leidos recognises that through dedicated efforts to increase training and due diligence practices, efficiency of communication between Defence and industry, and centralisation of compliance efforts, DISP will continue to develop towards a fit-for-purpose program that enables industry to best support Defence in defending Australia and its national interests,” it said.