Chapter 2 - Review of the contract administration of the DISP

2.1 All participants in the inquiry from Defence industry considered the Defence Industry Security Program (DISP) to be an essential component of ensuring Australia’s strong defence capability. Mr Vermeer, Government Relations Manager, Babcock Australasia stated:

…a robust DISP which efficiently enables a secure interface between defence and industry is a fundamental measure to achieving Australia’s force posture going forward.[1]

2.2 The Department of Defence (Defence) asserted its commitment to working with industry partners as DISP evolves to provide a robust and consistent security framework around a significant proportion of Australia’s defence industry base. Ms Perkins, Deputy Secretary, Defence stated:

DISP will only grow in importance, protecting defence industry people, information, facilities and systems from foreign intelligence collection efforts, providing assurance to our allies around the protection of information shared with Australia and enabling cooperation with confidence between companies and entities within Defence.[2]

Administering contracts with DISP memberships

2.3 Defence increased investment in the Defence Industry Security Program (DISP) in 2020-21, growing the program ‘from 14 staff and budget of $2 million in 2020 to over 80 staff and a budget of $22.6 million in 2021-22’. DISP membership has grown from approximately 165 members to 1,268 members as of December 2022 and Defence is receiving an average of 30 new applicants every month. Ms Perkins stated that Defence had ‘largely removed the backlog of new DISP membership applications’ and most entry level or level one DISP memberships were being finalised in under three months. Higher levels of memberships, at the SECRET and above levels, are taking six to 12 months to finalise.[3]

2.4 Ms Louis, Head of Defence and National Security, Australian Industry Group (AI Group), stated that overall feedback from their members was that there had been many positive changes and benefits since the expansion and changes to DISP in April 2021. However, ‘significant reform is still required to make the operations of the DISP more effective and efficient’, including requiring appropriate levels of skills and experience in Defence to administer the DISP and consult on policy issues with defence industry.[4]

2.5 Defence’s submission to the inquiry, in relation to ANAO recommendation one that Defence review its suite of contracting templates to ensure they reference the DISP requirements in the Defence Security Principles Framework (DSPF), outlined that:

Defence has closed this item and implemented additional DISP related contract clauses for inclusion in future defence contracting, standing offers, and panel arrangement templates. These new clauses are aligned with the Defence industry security requirements in the Defence Security Principles Framework.[5]

2.6 In its submission, the AI Group acknowledged that ‘Defence has continued to develop the contracting suite to implement DISP requirements and mature the contract administration aspects of DISP’.[6]

Security training and guidance to contract managers

2.7 The ANAO noted that in July 2020, Defence found ‘the DISP was poorly integrated and understood within Defence’.[7] The ANAO also identified numerous gaps in the tools and guidance Defence provided to its contract managers in relation to the DISP.[8]

2.8 In relation to the training available to contract managers, the ANAO received evidence from Defence that there were at least 1500 contract managers across Defence and that ‘Defence is not able to give an exact figure of contract managers across the enterprise’. Defence was also unable to give assurance that all contract managers requiring DISP training had completed it.[9]

2.9 In response to ANAO recommendation two that Defence ensure contract managers receive adequate training, Defence submitted that:

  • Defence has revised its security training courses to assist Contract Managers with the application of Defence Security Principles Framework Control 16.1 - Defence Industry Security Program. Defence has also refreshed the Defence Security Service Offer, which provides contract and project managers with comprehensive information on accessing security expertise, support and tools.
  • Defence has also developed a decision framework to assist contract managers in determining when DISP membership is required, explain the security benefits of DISP membership, and reinforce the need for contract and project managers to manage security risks specific to their contracted activities.
  • Defence has incorporated DISP training into its Defence Commercial Skilling Framework and embedded information on DISP into its Defence Procurement Manual. Specific policy guidance and training for contract managers and security personnel engaged in defence research and collaboration has been developed and is being implemented.[10]
2.10 Evidence provided by industry indicated the current training provided by Defence was not meeting the requirements of industry participants in the DISP. The AI Group advised that feedback from their members was that current training is sufficient at producing security managers who are ‘generalists’ but lacked adequate depth to produce ‘the deep skill set, and experience required to build a workforce that can implement the DISP effectively’.[11]

2.11 Babcock Australasia noted the training provided by Defence is very administrative in nature and includes topics like ‘how to set up a security register’.[12] Leidos Australia commented that the quality of contract managers suffers from the habit in the Australian Public Service of continuous turnover of staff and movement within departments, which compromises consistency of experience.[13]

2.12 Defence acknowledged that it had not provided sufficient training across DISP during COVID. However, Defence stated it had since increased the amount of training and was further refining its courses with more emphasis on improving understanding of, and compliance with, the DISP. This included the Defence security officer course, which had been refreshed and was being provided to approximately 1000 people during November and December 2022.[14] Defence training is refreshed every year and Defence had been holding a series of roundtables with industry and universities to seek feedback on the training programs, which assists Defence to ‘uplift next year’s refreshed training package’.[15]

2.13 Defence also noted the Deputy Secretary Security and Estate had written to all Group Heads within the Department articulating the need for contract managers and security officers to complete the specified training. However, it was also acknowledged there is no current mechanism to determine if personnel had completed it.[16]

2.14 During the Committee’s public hearing, there was discussion about the demise of the foundational training previously provided by the Attorney-General’s Department and now outsourced to tertiary providers in private industry. Babcock Australasia noted this training was previously provided by the Protective Security Training College and has moved towards ‘a more Cyber/Information Technology focus’.[17] The AI Group also stated the quality and context of this training is at a lower standard than delivered previously and is more focused on administrative procedures, and that the training should be more focused on risk and outcome rather than checklist based.[18]

2.15 If there are inconsistencies or conflicts between the requirements of the DISP and other security requirements as specified by contract managers, Defence works with industry to help resolve any issues:

… while DISP provides a floor, contract managers can quite legitimately add additional security requirements to deal with what they perceive to be the specific risks to their contracts.

… my people and my regional offices work with industry where they feel that there is a conflict between what is being asked of them by a contract manager and what is required under DISP.

… across large companies that are managing many contracts, having these bespoke bits to each contract can be somewhat frustrating, but they reflect – well, they should, in all cases, reflect – a security assessment done by the project that has resulted in specific additional requirements.[19]

Assurance of compliance with DISP membership

2.16 Defence enters approximately 25,000 new contracts a year. In relation to ANAO recommendation three that Defence assure itself that contracts meet DISP requirements, Defence submitted that:

  • Defence has directed all contract managers to include DISP membership clauses where required in new contracts; determine if DISP clauses are needed in existing contracts; ensure contractors hold and maintain required levels of DISP membership; and confirm appropriate measures are being taken to address any potential DISP non-compliance.
  • Defence is assessing enhancements to the My Procurements contracting tool to support Defence officials in determining if the scope and security risks associated with a procurement requires a successful tenderer to hold a DISP membership. My Procurements will also be reviewed to ensure clear guidance is provided to support Defence officials in incorporating appropriate DISP conditions in a resulting contract.
  • Defence has included guidance in its Contract Management Framework to support managers in monitoring DISP membership compliance by their contractors throughout the term of the contract.[20]
2.17 At the hearing, Mr Staines, First Assistant Secretary, Procurement and Contracting, Defence outlined the processes in which contract managers are required to consider DISP requirements, including procurement templates and a new online procurement application. Mr Staines advised that Defence had amended its procurement manual, which is provided online with links to information about DISP, and that there are two key checkpoints in establishing a new contract when a contract manager must consider DISP requirements.[21]

2.18 A focus of discussion at the public hearing was how a risk-based assurance program could be designed and implemented without complete, accurate, and accessible records of contracts requiring DISP membership. Defence representatives acknowledged that Defence does not have full visibility of all contracts where DISP membership is mandatory. Dr Ioannou, Group Executive Director, ANAO stated:

… it wasn’t clear to us how you would design a proper risk based approach without good data integrity, if I could put it that way, and good access to your data.[22]

2.19 Mr West, Defence, outlined how Defence is working to close this gap, including by issuing a policy which has been circulated to everyone in Defence, and by writing to every group head and service chief asking them to review their existing contracts to ensure that any entity with a contract that has mandatory DISP requirements has commensurate membership. Defence representatives advised that gaps between DISP requirements and DISP membership were ‘largely legacy contracts’ that were in place before the DISP reforms. Mr West stated that this was not a growing problem because:

… in future people shouldn’t be able to approve contracts without considering this issue. But we do need to look at our long tail of existing contracts to ensure all contracts that have mandatory DISP requirements – or that, even if they’re not mandatory, we feel should be in DISP – are bought into the DISP.[23]

2.20 In relation to ANAO recommendation four that Defence ensure that supporting documentation for DISP membership is accurate, accessible and auditable, Defence submitted that:

  • Defence has developed standard procedures for the management of DISP membership applications and assurance activities. A new DISP records management system that is compliant with Defence’s records management policy is in development and planned for introduction in the 2nd Quarter of 2023.[24]

2.21 At the public hearing, Mr West stated the customer resource management and engagement system (CRM) would reach initial operating capability by July 2023 and ‘will allow us to engage our customers online more in the future’.[25]

2.22 During the audit, the ANAO found no evidence that Defence had conducted random or targeted security checks or had a five year forward audit work program. The ANAO recommended that Defence fully implement the DISP assurance activities documented in the DSPF.[26] In its submission, Defence responded that:
  • Defence has implemented a DISP Assurance Framework that includes a range of review and audit activities, supported by an outreach engagement program to keep DISP members informed of their obligations. This includes advising Defence contracting authorities of DISP assurance outcomes.[27]
2.23 At the hearing, Mr West updated the Committee further and described Defence’s layered assurance process, including an annual report from industry with an attached desktop audit, a more in-depth review of 500 industry bodies every year, and a further 20 to 30 audits every year of entities where Defence has identified that additional work is required:

The audit program is set based on current defence capability priorities. Our No. 1 audit priority at the moment is shipbuilding companies, and we’ve conducted about half a dozen audits of shipbuilding companies this year. We also randomly select a number of DISP members, just to ensure that overall DISP compliance remains high. The last one, as I already mentioned, is that, when we identify specific problems in those annual desktop exercises we do, we then follow on with a deep-dive audit.

The assurance program has matured considerably since it was ordered by the ANAO, and that audit program is approved annually by the Defence Security Committee. It was only reapproved for next year last month. That sets those priorities about what we’re going to audit. Next year the focus of the audit process will be AUKUS related companies.[28]

Managing DISP non-compliance

2.24 The ANAO examined the effectiveness of Defence’s arrangements to manage identified non-compliance with contracted DISP requirements. In its report, the ANAO stated that a Defence internal review in 2019 found 13 instances of industry entities having been contracted to work on Defence activities with a classification of SECRET or above without DISP membership. In nine of the instances, ‘the contracts were still active and entities had been working the classified activities from 16 months to 5.5 years’. In summary, the ANAO stated ‘that Defence: has realised security risk; and has procured goods and services without DISP requirements having been met’.[29]

2.25 Further, the ANAO found that in these nine instances, Defence’s response to industry entities was administrative and Defence had not adopted a risk-based compliance approach or pursued any actions available under the DSPF.[30] The DSPF provides that Defence will work with an entity to seek an informal resolution; however, if an informal approach is unsuccessful, an escalation pathway may include limiting, downgrading, suspending or terminating membership.[31]

2.26 In its submission in relation to ANAO recommendation six that it establish a documented framework for managing non-compliance with DISP requirements along with escalation pathways, Defence outlined that:

  • Defence has updated Defence Security Principles Framework Control 16.1 - Defence Industry Security Program guidelines to establish an escalation pathway for non-compliance. Defence has clarified how contract managers should manage contractor non-compliance and is progressively amending its engagement arrangements with universities to manage instances of DISP non-compliance.[32]
2.27 At the hearing, Defence representatives elaborated on the escalation pathway when Defence uncovers elements of non-compliance. Defence begins with an extended process of working with an entity on remediating the non-compliance ‘because our goal is to keep all companies in DISP because of the bubble of protection it provides around industry’. If extended and deliberate non-compliance or serious security breaches persist, Defence will look to downgrade or remove entities from DISP membership. Ms Perkins, Defence, referred to the new process to remove entities from the DISP beginning in December 2022:

We are at the end stages now and are corresponding at ministerial level on a process by which we will start to notify companies that their continued noncompliance will result in their removal from the program. We anticipate that the first tranche of removal from the program will occur in the next week or so.[33]

Committee comment

2.28 The Committee notes Defence’s advice that it has implemented and closed four of the ANAO’s recommendations. Two further actions were being finalised and expected to be resolved early in 2023, which would allow the audit to be formally closed by Defence. As Defence had not fully completed implementation of all of the ANAO’s recommendations, the Committee recommends that Defence report back to the Committee outlining its implementation outcomes following the Defence Audit and Risk Committee’s closure of the report.

2.29 The Committee acknowledges and commends the work that Defence has completed since 2019 in significantly boosting resources devoted to DISP administration generally, and in particular for reforming the information and training available to contract managers to ensure compliance with the DISP. The Committee notes with approval advice regarding the evolution of training delivery during the COVID pandemic and the offering of both in-person and virtual options, as well as the industry roundtables that have been established. It is welcome that the contracting templates and online procurement manual with links to educational documents have been updated to assist contract managers to provide a more robust DISP.

2.30 The Committee considers that appropriately trained and qualified security managers, and Defence contract managers, are a primary pillar in the success of the DISP and are vital in assisting both Defence and industry in the compliance and assurance process. The Committee notes that Defence is striving to achieve a training program that ensures the administrative compliance requirements of the DISP are being completed appropriately by both industry and Defence contract managers. In addition, having different levels of training that build on the basic foundational and practical course outcomes is appropriate, as outlined by Defence in the hearing.

2.31 Nevertheless, the Committee is concerned by the clear evidence of industry concern with the quality of the training and the loss of the security professionals training previously delivered under the auspices of the AGD. Submitters were sensible, thoughtful, considered, and constructive. If properly crafted and informed by industry feedback, Defence’s annually refreshed training programs would alleviate industry concerns around the generalist nature of the current training offering and build a deeper knowledge base and experience level among Defence contract managers.

2.32 The Committee agrees with the ANAO that it is difficult to achieve success from an assurance perspective when the foundational dataset that underpins the requisite program is lacking reliability and detail. The Committee was concerned by the undesirable fact that Defence was unable to ascertain how many contract managers across the enterprise require DISP training, and then provide assurance the training has been completed. Modern human resource management systems are capable of tracking required training proficiencies attached to positions, provided the initial liability for training has been identified within each level and across the workforce.

2.33 The Committee notes Defence’s layered program of assessing assurance of compliance with DISP, including annual reports from entities, desktop audits, and deep-dive audits when issues are identified. The audit program is approved by the Defence Security Committee annually and the Committee appreciates Defence’s advice that this program has matured considerably since the ANAO report.

2.34 In relation to non-compliance with contracted DISP requirements, Defence is constrained in its ability to identify non-compliance because it does not have full visibility of all the contracts where DISP is mandatory. The Committee considers the number of entities contracted to work on defence activities with a classification of SECRET and above that did not have DISP membership (from the 2019 Defence internal review) was disturbingly high, while acknowledging Defence’s assurances that this is a ‘legacy issue’ of older contracts. The Committee notes the efforts by Defence, such as requiring all group heads and service chiefs to ensure entities have DISP membership to an appropriate level, to close this gap on compliance.

2.35 The Committee notes that Defence had updated its guidance to establish escalation pathways for non-compliance with DISP membership. Defence was also finalising a process for escalation following continued non-compliance or serious security breaches which will result in entities being removed from the DISP.

2.36 The Committee recognises that Defence is a very large enterprise with a large number of contracts with industry, entering approximately 25,000 new contracts per annum. Since the ANAO report, Defence has worked to improve its DISP compliance assurance processes and its training and engagement with contract managers and industry. However, the Committee maintains that a structured risk-based assurance program cannot be robust if there is limited data to assess which contracts have DISP requirements and which contract managers enter and manage contracts with DISP requirements.

2.37 The Committee notes Defence’s improvement in providing compliance assurances for new contracts; however, it must also close the gap on providing compliance assurances for longer term contracts. The Committee also observes that there is a practical difference between committing expenditure via a new contract and making payments pursuant to a contract already entered into. In line with the provisions and principles arising from the PGPA Act and Financial Management Act,[34] Defence’s systems and financial delegations do not appear to distinguish between those two quite different activities. Members of the Committee are aware that some agencies are adjusting their internal processes and delegations to recognise that procurement and contract execution is a different and specialised skillset and that not everyone with a financial delegation should necessarily be entering into contracts. This is something Defence may wish to further consider in order to further improve its procurement and contract management activities.

2.38 The Committee notes the rollout of the CRM system has been delayed and is estimated to be ready in July 2023. The Committee notes this system is expected to provide DISP membership data to contract managers so they may consider the level of security maturity of a DISP entity before proposing procurement to a delegate. The system may also provide a feedback loop to contract managers when security incidents are reported.

2.39 The Committee recommends that Defence report back on the performance of the new CRM system following its release and how it assists with handover in knowledge management and the DISP membership compliance regime.

Recommendation 1

2.40 The Committee recommends the Department of Defence provide written advice to the Committee within six months of the tabling of this report detailing the implementation of the CRM system, how it assists with knowledge management and engagement with DISP entities, and its ability to recall accurate, auditable, and accessible data on DISP entities.

2.41 The Committee considers that Defence should listen and pay further attention to this feedback and be open to revamping the training to address industry’s needs. To do this effectively, a structured mechanism is needed so that industry feedback and concerns can more directly impact future training.

Recommendation 2

2.42 The Committee recommends the Department of Defence listen more carefully to industry concerns raised via this inquiry regarding the quality of DISP security training, including for APS staff, and embed a structured, transparent mechanism to ensure industry feedback directly informs continuous improvement, to ensure training meets industry’s reasonable expectations.

2.43 Noting the importance of the DISP and the inherent link to national security, the Committee will continue to take an active interest in Defence’s further improvements to DISP administration in line with its role on behalf of the Parliament. The Committee recommends the following actions to occur at six and twelve months respectively.

Recommendation 3

2.44 The Committee recommends the Department of Defence implement systems which regulate and audit DISP compliance, and:

  • Within six months of this report being tabled in Parliament, outline in writing to the Committee how all six recommendations of the ANAO in Auditor-General Report No. 4 of 2021-22 have been fully implemented, and any actions which remain outstanding.
  • Within twelve months of this report being tabled in Parliament, report back in writing to the Committee on its progress in further improving DISP related compliance and audit systems and provide reliable data estimates of:
      • the number of contracts that require DISP membership and the classification levels required
      • the number of contracts which did not, but were identified as requiring DISP membership, the classification levels required, the dates the contracts were entered into, and any action taken to address these
      • the number of contract managers that manage contracts with mandatory DISP membership
      • the number of these contract managers who have received training in managing contracts with DISP memberships and how many contract managers lack required training
      • what ongoing mechanism is in place to ensure staff receive the required training in the future
      • how Recommendation 2 of this report has been implemented
      • how the new CRM system is working
      • audit results of an appropriately sized, statistically reliable sample of contracts to demonstrate assurance that those requiring DISP clauses have them included
      • the number of contracts that triggered a non-compliance escalation pathway, and the actions taken, or penalties imposed, and
      • advice at that time as to the Department’s future approach to DISP audit and assurance.

Mr Julian Hill MP
Chair, Defence Subcommittee
14 June 2023

Hon Shayne Neumann MP
Chair, Joint Standing Committee on Foreign Affairs, Defence and Trade
14 June 2023

Footnotes

[1] Vermeer, B., Babcock Australasia, Committee Hansard, Canberra, 9 December 2022, p. 1.

[2] Perkins, C., Department of Defence, Committee Hansard, Canberra, 9 December 2022, pp. 13-14.

[3] Perkins, C., Department of Defence, Committee Hansard, Canberra, 9 December 2022, pp. 13 and 21.

[4] Louis, K., Australian Industry Group, Committee Hansard, Canberra, 9 December 2022, p. 1.

[5] Department of Defence, Submission 1, p. 3.

[6] AI Group, Submission 4, p. 3.

[7] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, p. 26.

[8] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, p. 27.

[9] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, pp. 25 and 29.

[10] Department of Defence, Submission 1, p. 3.

[11] AI Group, Submission 4, p. 4.

[12] Jordan, J., Babcock Australasia, Committee Hansard, Canberra, 9 December 2022, p. 4.

[13] Smith, Z., Leidos Australia, Committee Hansard, Canberra, 9 December 2022, p. 4.

[14] West, P., Department of Defence, Committee Hansard, Canberra, 9 December 2022, p. 23.

[15] Dann, K., Department of Defence, Committee Hansard, Canberra, 9 December 2022, p. 24.

[16] Perkins, C., Department of Defence, Committee Hansard, Canberra, 9 December 2022, p. 25.

[17] Babcock Australasia, Submission 3, p. 2.

[18] Louis, K., AI Group, Committee Hansard, Canberra, 9 December 2022, p. 5.

[19] West, P., Defence, Committee Hansard, Canberra, 9 December 2022, p. 18.

[20] Department of Defence, Submission 1, pp. 3-4.

[21] Staines, A., Department of Defence, Committee Hansard, Canberra, 9 December 2022, pp. 14-15, 16-17.

[22] Ioannou, T., ANAO, Committee Hansard, Canberra, 9 December 2022, p. 7.

[23] Perkins, C., Department of Defence, Committee Hansard, Canberra, 9 December 2022, p. 20.

[24] Department of Defence, Submission 1, p. 4.

[25] West, P., Defence, Committee Hansard, Canberra, 9 December 2022, p. 19.

[26] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, pp. 52-55.

[27] Department of Defence, Submission 1, p. 4.

[28] West, P., Defence, Committee Hansard, Canberra, 9 December 2022, pp. 19-20.

[29] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, p. 61.

[30] Australian National Audit Office (ANAO), Auditor-General Report No. 4 (2021-22) Defence’s Contract Administration – Defence Industry Security Program, p. 62.

[31] Department of Defence, ‘Defence Security Principles Framework’, July 2020, pp. 157-8, https://www.defence.gov.au/sites/default/files/2020-12/DSPF-OFFICIAL.pdf, accessed 8 March 2023.

[32] Department of Defence, Submission 1, p. 4.

[33] Perkins, C. and West, P., Defence, Committee Hansard, Canberra, 9 December 2022, p. 21.

[34] Public Governance, Performance and Accountability Act 2013; Financial Management and Accountability Act 1997.