Security requirements for Defence Contractors

by Graeme Mickelberg
09/01/2011

Companies interested in winning government contracts, particularly with the Department of Defence, involving sensitive information and technology need to meet exacting security requirements. Graeme Mickelberg offers some timely advice on the processes involved.

In a recent address to Australian business representatives, Paul O’Sullivan, the Director General of the Australian Security Intelligence Organisation (ASIO), highlighted that defence industry companies working with the Australian Government are likely to be directly involved in producing sensitive technology and information or having access to such technology and information.

Mr O’Sullivan went on to explain “there is little doubt that given the opportunity, some governments would seek to obtain information or technology and that Australia’s defence industry may be regarded as a potential soft target”.

A US study undertaken in 2004 identified the following top ten technologies as targets for foreign governments intent on collecting information and/or acquiring technologies:

  • information technology;
  • sensors;
  • aeronautics;
  • electronics;
  • armaments and energetic materials;
  • lasers and optics;
  • signature control technology;
  • materials and processing technology;
  • chemical technology; and
  • space systems.

Although it could be argued that security threats to defence industry are more likely in the US than in Australia, the defence links between the two countries and the involvement of Australian businesses with US defence industry are such that poor security on the part of Australian businesses could place at risk the unique relationship Australia has with the US, with the potential to damage the standing of Australian organisations.

Tim Scully, the Head of the Defence Security Authority, has stated “that Australian defence industry faces a range of security threats and the level of threat from various sources will differ between organisations”.

Mr Scully has identified the following security threats confronting Australian defence industry:

  • terrorism;
  • espionage;
  • drug use;
  • theft;
  • damaging behaviour by employees; and
  • protest action.

Companies wanting to do defence business should be aware of the security requirements and expectations of the Department of Defence. A key requirement for companies entering into defence contracts that involve access to classified information, either as a prime contractor or as a subcontractor, is their agreement to become a member of the Defence Industry Security Program (DISP). Underpinning the DISP is an agreement to comply with Defence security policies, practices and procedures.

The DISP, which recognises that security risks are present and seeks to sustain the integrity of Australia’s defence capabilities by ensuring compliance with measures designed to mitigate security risks, is managed by the Defence Security Authority. Companies that are members of the DISP are required to comply with security policies and guidance addressed in the following publications:

  • Defence Security Manual;
  • Australian Government Protective Security Manual; and
  • Australian Government Information Security Manual.

Companies involved in the following defence activities are required to maintain membership of the DISP:

  • the storage or transport of Defence weapons or explosive ordnance;
  • the storage or handling of assets categorised as major or important;
  • access to, storage of and/or handling of hardcopy national security information classified at CONFIDENTIAL or higher level;
  • accessing electronic national security information classified at RESTRICTED or higher level on a Defence ICT system;
  • possessing an ICT system that processes or stores information classified at RESTRICTED or higher level;
  • provision of guarding or access control services;
  • accessing, storing or handling physical equipment classified at RESTRICTED or higher level;
  • accessing, storing or handling electronic or hardcopy non-national security information classified at PROTECTED or higher level.

The essential steps in gaining DISP membership are as follows.

Step 1: obtaining sponsorship

Where a business is required to have access to classified, sensitive or strategically important information and/or material, the business must be sponsored by a Defence Service or Group, an Australian Government agency or a foreign government under an extant bilateral security instrument.

Step 2: applying for DISP membership

Sponsored businesses must:

  • provide their DISP sponsor with information about foreign ownership, control or influence;
  • appoint a Security Officer;
  • ensure their Security Officer submits necessary documentation to obtain a personnel security clearance at the RESTRICTED or higher level if required; and
  • prepare and maintain Security Standing Orders for the business.

Step 3: receiving DISP Membership

Before a business may be granted DISP membership it must meet all relevant eligibility criteria, including:

  • compliance with all the required physical or ICT accreditation;
  • demonstrated need to be a member of the DISP, and sponsorship by a Defence Service or Group, an Australian Government agency or a foreign government under an extant bilateral security instrument;
  • showing that it is not foreign owned, controlled or influenced to the extent that the granting of DISP membership would not be in Australia’s national security interests; and
  • registration by ASIC if the business is a financial market operator or participant.

Information contained in this article concerning the DISP was drawn from: http://www.defence.gov.au/dsa/industry/disp_program.html

This article first appeared in Australian Security Magazine (ASM) Nov-Dec 2010 edition, p.10

 
