Understanding and meeting DISP information and cyber-security requirements

DISP ready information security strategies to quickly increase compliance and cyber resiliency

Addressing supply chain security vulnerabilities

The supply chain brings a network of interrelated companies, services, and products in combination to transform raw materials and information into goods and expertise used to deliver to a final user or consumer.

Given the scale, breadth, and complexity of bringing so many different things together, the risks that a supply chain presents can be difficult to define and manage. There are so many different interactions and inputs, that an interruption at one point may ripple out to have global impact.

The complexity and the associated risks mean that supply chains present a significant potential impact to sovereign capability and national security. So much so, that the Australian Productivity Commission (PC) released a significant Interim Report in March 2021 on Vulnerable Supply Chains. While this interim report focuses on global supply chains as a whole (and Australia’s resilience to disruptions in these chains), many of the principles apply equally to any sector of the economy, including the Defence supply chain.

The industries and businesses that supply into this complex chain present both risks and challenges at the same time as they provide important input to capability. Government services, including Defence need to always be operational and maintain a state of readiness to respond to security and safety emergencies.

Understanding Supply Chain Risks

Some of the major cybersecurity related issues within the Defence Supply chain include:

• Increased Cyber Risk: The number, effectiveness and motivation of cyber actors to interrupt or attack supply chains has increased since the turn of the century. Small supply chain members are increasingly unable to protect themselves from these advanced threat vectors;
• National sovereignty: Modern Defence systems may have technologies from multiple countries with different requirements for the control of information across the supply chain.
• Siloed data storage: Storing all of your supplier, inventory, and procurement information in different systems can cause inefficiencies and errors;
• Data/IP security & compliance concerns: Almost half of network security professionals report at least one breach during the last year. Technology that is not secure, or that does not control access securely, increases the odds of a data breach. This is particularly concerning for the A&D industry, as suppliers and buyers must share information while at the same time complying with regulations covering sensitive data;
• System integration challenges, both internally & externally: Lack of integration between buyers and suppliers frustrates everyone, and can lead you to fall back on less secure, less efficient means of communication; and
• File size limits: The information that suppliers and buyers exchange can come in very large files. Attachment sizes can be a huge problem if you are using email and can even compromise your supply chain efficiency if you are using automated systems that aren’t specifically meant for collaboration.

Without a robust and resilient supply chain, the ability for the Australian Defence Organisation to do this effectively could be dramatically impacted – thus the need to manage the risks of disruption or compromise across the Defence supply chain is clear.

Securing Supply Chains: The Defence Industry Security Program (DISP) 

What is DISP, and why is it important?

The Defence Industry Security Program (DISP) exists to help businesses to address the risks associated with providing services, products, or capability to the Australian Defence Organisation, either directly or indirectly.

Managed by the Defence Industry Security Office (DISO), the intent of the program is to both guide and assess the businesses that may form part of a complex supply chain for Defence. DISP guidance and assessment encompasses processes, procedures, information technology (IT) and cyber security, physical security, and personnel security.

DISP forms part of broad risk management across the complexities and challenges that Defence needs to operate within, in delivering their objectives. It also helps to apply the experience and expertise that Defence has in operating in complex and security-conscious environments, helping Australian businesses improve their security.

By helping to secure businesses across the supply chain, Defence can improve the resilience, security, and assurance of its sourcing arrangements.

What is required?

There are four key categories that DISP assesses:

1. Personnel Security
2. Physical Security
3. Information & Cyber Security
4. Security Governance

Each of these can be assessed for a level of membership, with assessment of each customisable to suit the scenario. The higher the level applied for, the more rigorous and complex the process becomes for assessment and approval.

There are four levels of membership for each of the categories within DISP, mapping to Australian Government Security Classifications:

Entry Level = OFFICIAL/OFFICIAL: Sensitive
Level 1 = PROTECTED
Level 2 = SECRET
Level 3 = TOP SECRET

What are the benefits?

DISP membership conveys significant benefits to a business operating in this space, including:

• Access to knowledge, training, advice, and analysis on security trends, threats, and mitigations to improve security planning and practices;
• Ability to engage with Defence and other providers, to add value within security constraints;
• Access to Defence Security services that enable you to be ready to respond when responding or delivering contracts and tenders;
• At higher membership levels, the ability to sponsor and maintain Australian Government security clearances for your own personnel; and
• Improved security resilience and cyber worthiness through strengthened information systems, security practices, and education.

Who’s eligible?

Any Australian business looking to become part of the Defence supply chain is able to apply for DISP membership.

Membership is mandatory for certain activities, but it is not required for all circumstances. There are significant benefits to the DISP membership, so it is highly recommended that it be considered as part of a business if the intent it to work with Defence.

This application process can be quite in-depth and requires businesses to prove their processes and systems are capable of meeting Defence security requirements.

One of the key considerations of DISP is how to manage and secure information. The Information and Cyber Security category is critical, requiring the IT systems used by a business to meet a number of security criteria. However, the security criteria, security controls, and system documentation required for IT systems can be complex and challenging to create and maintain.

DISP Ready Information Security 

While imperative for security, the level of compartmentalised access and sharing controls required by DISP for sensitive/classified information collaboration is costly and difficult to achieve for many existing or prospective Defence Industry organisations. The larger companies, with this type of capability, use their own individual solutions that are difficult to maintain, complicated and differ in quality.

Ready to deploy software as a service can provide these capabilities out of the box to immediately increase compliance and cyber resiliency cost effectively and with less resources.

Kojensi is a proven and accredited platform for classified information collaboration and sharing that enables productivity, while managing the level of compliance and security of information required by DISP. It provides a simple and secure cloud-based collaboration and storage for files and documents up to and including Australian Government PROTECTED information. 

Kojensi enables information owners to set and enforce strict security controls over information, using Attribute Based Access Control (ABAC). It provides access based on a user’s organisation, nationality, clearance, and compartmentalisation of information. Users can share information securely between multiple organisations, at multiple classifications, and across different jurisdictions - while meeting compliance and security requirements.

With Kojensi, businesses that are part of the Defence supply chain can easily separate sensitive or classified Defence information from their corporate systems, helping to immediately meet criteria for the Information & Cyber Security required for DISP membership.

Going to Land Forces 2021?  Visit archTIS in booth # 2A16 to learn more.