Chapter 1 - Introduction

About the inquiry

1.1 The Joint Standing Committee on Foreign Affairs, Defence and Trade (the Committee) is empowered under its resolution of appointment to conduct inquiries into annual reports of government departments and authorities and reports of the Auditor-General presented to the House.[1]

1.2 The Committee resolved to undertake an inquiry into the Auditor-General Report No. 4 of 2021-22 Defence’s Contract Administration – Defence Industry Security Program on 14 September 2022. The Committee referred the inquiry to the Defence Subcommittee to undertake.

1.3 The Defence Subcommittee publicly announced the inquiry by media release on 16 September 2022 and invited submissions. The list of submissions received to the inquiry is at Appendix A.

1.4 One public hearing was held in Canberra on 9 December 2022. A list of witnesses and organisations who appeared before the Subcommittee is at Appendix B.

1.5 A copy of this report, the transcript of the public hearing, and submissions to the inquiry are available on the Committee’s website.

The Defence Industry Security Program

1.6 The Defence Industry Security Program (DISP), managed by the Defence Industry Security Office (DISO) in the Department of Defence (Defence), supports Australian businesses to understand and meet their security obligations when engaging in Defence projects, contracts, and tenders. It is essentially security vetting for Australian businesses.[2]

1.7 The Defence Security Principles Framework (DSPF) states the DISP:

is one control in a layered approach to security that contributes to strengthening the assurance that the Government’s significant investment in Defence capability is appropriately protected. Managed by the Defence Industry Security Office (DISO), the DISP:

  • is a membership-based program that sets baseline security requirements for Industry Entities wishing to engage with Defence;
  • supports industry to identify security risks and to understand and apply security controls across the domains of governance, personnel security, physical, and information and cyber security;
  • includes a system of reviews to ensure continued compliance; and
  • enhances Defence’s ability to monitor and mitigate security risks.[3]

1.8 The DSPF states that DISP membership is mandatory for Industry Entities who require access to classified information or assets (PROTECTED and above); supply, maintain, store or transport weapons or explosive ordnance; provide security services for Defence bases or facilities; or are required to hold DISP membership as a condition in a contract.[4]

1.9 The DISP, which has been incorporated into Defence’s security policy framework for several decades, was reformed and relaunched in 2019. The reforms included opening DISP membership to any Australian entity interested in working with Defence and introduced different levels of DISP membership based on security classifications. The then Minister for Defence Industry stated the reforms would make it easier for industry to do business with Defence:

The reforms will maximise the benefits to Australian businesses from the unprecedented investment in defence industry by the Australian Government while providing better security outcomes for Australia.[5]

1.10 In July 2020, Defence completed a review of the DISP and identified several issues including: a backlog of applications along with an increased demand from industry; insufficient resourcing; poor technology support and low data quality; increased processing times; no clear processes for managing and escalating non-compliance with DISP membership compliance; and insufficient focus on assurance activities. To address these issues Defence commenced implementation of the DISP Improvement Plan in October 2020 with work anticipated to be delivered over the following three years.[6]

Auditor-General’s Report No. 4 of 2021-22

1.11 The Auditor-General presented Auditor-General Report No. 4 of 2021-22 Defence’s Contract Administration – Defence Industry Security Program to Parliament on 13 September 2021.[7]

1.12 The objective of the audit was to ‘examine the effectiveness of Defence’s administration of contractual obligations relating to the Defence Industry Security Program (DISP)’ and to provide the Parliament with ‘independent assurance of the effectiveness of Defence’s arrangements to manage security risks when procuring goods and services’.[8]

1.13 The ANAO made the following findings in relation to Defence administration of the DISP:

  • Defence’s administration of contractual obligations relating to the DISP is partially effective;
  • Defence’s arrangements for administering contracted DISP requirements are partially fit for purpose;
  • Defence has not established fit for purpose arrangements to monitor compliance with contracted DISP requirements; and
  • Defence has not established effective arrangements to manage identified noncompliance with contracted DISP requirements.[9]

1.14 As a result of its findings, the ANAO made the following six recommendations in its report:

1. The Department of Defence review its suite of contracting templates to ensure references are to the current DISP requirements set out in the Defence Security Principles Framework.

2. The Department of Defence ensure that contract managers receive adequate training and support in the application of Defence Security Principles Framework Control 16.1: Defence Industry Security Program, to aid understanding and compliance.

3. The Department of Defence assure itself that its current contracts meet DISP requirements, including that:

  1. contracts include DISP membership clauses where required;
  2. contractors hold the required levels of DISP membership; and
  3. requirements for DISP membership are met by contractors on an ongoing basis.

4. The Department of Defence, consistent with its policy on records management, ensure that supporting documentation for DISP membership applications is accurate, accessible, and auditable.

5. The Department of Defence fully implement the DISP assurance activities documented in the Defence Security Principles Framework.

6. The Department of Defence establish a documented framework for managing non-compliance with contracted DISP requirements, with a clear escalation pathway.[10]

1.15 Defence agreed to implement all six recommendations and responded:

To address these recommendations, Defence will continue a program of improvements that will enhance the effectiveness of the DISP and commence improvements to strengthen DISP requirements in Defence contracts.

Defence has received positive feedback from industry regarding the Department’s: engagement with industry; activities to expand advice and support available to industry members applying for DISP membership; and faster processing times for DISP applications since the improvement program commenced in December 2020. Defence is confident that it will continue to build on the improvements gained through the first half of 2021, with improved systems, processes, and engagement for the DISP.

Furthermore, the DISP Assurance Program Framework, which was implemented across 2020 and 2021, is helping to practically improve security practices for DISP members. The Program periodically checks that DISP members are meeting Defence’s security standards, and a cooperative ‘uplift’ component within the Program supports defence industry to improve security resilience when and where needed.[11]

1.16 Chapter 2 examines the evidence received to the Committee’s inquiry into Defence’s compliance with the Auditor-General’s recommendations and the effectiveness of Defence administration of the DISP, including its effectiveness at monitoring compliance, managing non-compliance, and supporting and training contract managers and relevant Defence industry personnel.

Footnotes

[1] Joint Standing Committee on Foreign Affairs, Defence and Trade, “Resolution of Appointment”, House of Representatives Votes and Proceedings, No. 1, 26 July 2022 and Senate Journals No. 2, 27 July 2022.

[2] Department of Defence, https://www.defence.gov.au/security/industry, accessed 12 December 2022.

[3] Department of Defence, ‘Defence Security Principles Framework’, July 2020, p. 149, https://www.defence.gov.au/sites/default/files/2020-12/DSPF-OFFICIAL.pdf, accessed 12 December 2022.

[4] Department of Defence, ‘Defence Security Principles Framework’, July 2020, p. 149, https://www.defence.gov.au/sites/default/files/2020-12/DSPF-OFFICIAL.pdf, accessed 12 December 2022.

[5] Minister for Defence Industry, Major reform to Defence Industry Security Program, 5 April 2019, https://www.minister.defence.gov.au/media-releases/2019-04-05/major-reform-defence-industry-security-program, accessed 14 March 2023.

[6] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, pp. 16-17.

[7] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, p. 3.

[8] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, pp. 6 and 8.

[9] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, p. 6.

[10] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, pp. 10-11.

[11] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, pp. 11-12.