Introduction

1.1 The Department of Defence (Defence) engages with industry to develop, deliver and sustain Australian Defence Force (ADF) capability and to meet its business requirements. As at 24 March 2021, Defence reported that it had 16,503 active contracts with a total commitment of $202.4 billion.⁷ These contracts were for a range of goods and services including: platforms and sustainment services; estate management; IT systems and support; inventory; research and development; and management consultancies.

1.2 Since 2016, Defence has sought to strengthen its collaboration with Australian defence industry. The 2016 Defence Industry Policy Statement set out that:

The Defence Industry Policy Statement provides the foundation to take the partnerships between Defence and industry to new levels of cooperation, with a focus on stronger, more strategic partnerships and closer alignment between industry investment and Defence capability needs. Initiatives in the Defence Industry Policy Statement will see the development of a technologically advanced, innovation‐driven and sustainable Australian defence industrial base, which is well placed to assist Defence in protecting Australia’s national interests.⁸

1.3 Under the Australian Government’s Protective Security Policy Framework (the PSPF)⁹, Defence is responsible for protecting its people, information and assets including through its contractual arrangements. The PSPF states that:

Non-government organisations that access security classified information may be required to enter into a deed or agreement to apply relevant parts of the PSPF for that information.¹⁰

1.4 To implement the requirements of the PSPF and the Australian Government Information Security Manual¹¹, Defence established the Defence Security Principles Framework (DSPF) in 2018.¹² The DSPF is both a key enterprise-level control for managing security risk and the primary security policy for Defence personnel, contractors, consultants and outsourced service providers. Under the DSPF, Defence Security Principle 16 – Defence Industry Security Program (DISP), states that:

DISP enhances Defence’s ability to manage risk in the evolving security environment and provides confidence and assurance to Defence and other government entities (either Australian or foreign) when procuring goods and services from industry members.¹³

1.5 Defence Security Principle 16 sets out the following expected outcomes:

Accountabilities and responsibilities for security risk management when procuring goods and services are understood and practised.

Security risks are effectively and efficiently managed between Defence and industry.

DISP:

• supports Defence’s agility in achieving value for money in procurement;
• provides effective and efficient mechanisms for certifying and accrediting industry’s security practices;
• enables increased access to security tools and information to strengthen industry security practices; and
• delivers confidence and assurance when partnering with industry, underpinned by proportional (risk based) oversight and compliance activities.^{14 15}

1.6 The DISP aims to support Australian businesses to understand and meet their security obligations when engaging in Defence projects, contracts and tenders. The Defence website states that the DISP is ‘essentially security vetting for Australian businesses’.¹⁶

The Defence Industry Security Program

1.7 The DISP is a long running program in Defence spanning several decades. Since at least 1978, Defence has had a documented security policy framework that incorporates the DISP. Since at least 2000:

• The principal purpose of the program has remained relatively unchanged, with a focus on: addressing the threat to Defence industry companies and others in the private sector who require access to national security classified material; and defining the mandatory minimum standards, policies and procedures to ensure the protection of classified material entrusted to Australian industry.
• The Defence Security and Vetting Service and its predecessors (Defence Security Branch and the Defence Security Authority) manage the DISP on behalf of Defence. The head of that organisational element within Defence has remained responsible for the design and administration of the DISP, with Defence personnel (as managers of contracts) responsible for implementing the requirements of the DISP within Defence’s contracted activities.

1.8 More recently, the criteria for industry entities to access the DISP have been adjusted. In April 2019, the Minister for Defence Industry announced that DISP membership would be opened to any Australian entity interested in working with Defence, rather than requiring a company to already have a contract with Defence. In addition, different levels of DISP membership based on security classifications were introduced. The Minister described these as ‘major reforms’ to the DISP and stated that:

The reforms will maximise the benefits to Australian businesses from the unprecedented investment in defence industry by the Australian Government while providing better security outcomes for Australia.

… the reforms would allow DISP members to easily access security information, guidance and services and enable them to become ‘Defence-ready’ by establishing the necessary security practices for tendering opportunities involving classified information and assets.¹⁷

1.9 In July 2020, Defence completed a review of the operation of the DISP which identified a number of issues including:

• a significant, and growing, backlog of applications with no ability to scale-up to manage the expected increase in applications and reaccreditation of existing participants;
• insufficient resourcing;
• poor DISP membership registry technology support, with low data quality to manage participant details and status;
• interdependencies in application processing and management contributing to increased processing times;
• no clear processes for managing and escalating participant non-compliance with DISP membership requirements; and
• an over emphasis on application processing with insufficient focus on assurance activities to ensure DISP members are continuing to meet security requirements.

1.10 The DISP Improvement Program is intended to address a number of shortcomings Defence identified in its review of the operation of the DISP.

1.11 In late 2020, Defence commenced implementation of the DISP Improvement Program Plan (see Figure 1.1 below) which is comprised of four streams of work that are to be delivered in three tranches in 2020–21, 2021–22 and 2022–23.

Figure 1.1: DISP Improvement Program projects by tranche

Source: Defence documents.

1.12 A timeline of events in the DISP that are relevant to this audit, is set out in Appendix 3.

Implementation of DISP in Defence’s contractual arrangements

1.13 The DSPF sets out the security requirements that industry entities must meet to obtain and maintain DISP membership. The DSPF states that:

Industry Entities (Entities) must hold an appropriate level of Defence Industry Security Program (DISP) membership when working on classified information or assets¹⁸; storing or transporting Defence weapons or explosive ordnance; providing security services for Defence bases and facilities; or as a result of a Defence business requirement specified in a contract.¹⁹

1.14 An industry entity may be exempt from DISP membership where the entity has an accreditation recognised under a Security of Information Agreement or Arrangement, or personnel are handling official information within Defence facilities and using Defence assets.²⁰

1.15 The application process for DISP membership is outlined at Appendix 4. The support provided to industry to obtain DISP membership and the timeliness of Defence’s processing of DISP applications is discussed in Chapter 2.

1.16 The security requirements that the industry entity is expected to meet as a DISP member increase with the sensitivity of the material being accessed. Figure 1.2 illustrates the relationship between the four DISP membership levels (entry level to level 3), the four security elements (governance, personnel security, physical security, and ICT and cybersecurity) and security classifications for information and assets.

Figure 1.2: Mapping DISP membership levels to security elements and security classifications

Source: Defence documentation.

1.17 The details schedule in Defence’s template contract is expected to capture if DISP membership is required, and if so, the level of membership required for each security element. For contracts requiring DISP membership, the conditions of contract should include a specific clause on obtaining and maintaining DISP membership (see Box 1 below). In addition to a clause on DISP membership, Defence contracts may include other security clauses, including clauses on accessing security classified information or accessing Commonwealth premises. Box 1 provides an example of a DISP clause in a contracting template.

Source: Defence documentation.

1.18 An example of how the DISP applied to the delivery of security vetting services by contracted service providers was provided by Defence in the context of the Joint Committee of Public Accounts and Audit’s inquiry into Auditor-General Report No.38 2017–18 Mitigating Insider Threats through Personnel Security. Defence advised the committee that in the case of companies that are contracted to provide positive vetting services, there is:

Due diligence through our contract requirements and through the requirements of them to report as DISP members. So the contract requirements are part of the industry security program, so they have reporting obligations to report against those requirements. And we have an audit and assurance program required under that industry program membership against your physical security, your information security, the delivery of your training and the requirements to meet those industry program mandatory requirements.²¹

1.19 Defence’s arrangements for monitoring compliance and managing non-compliance with DISP requirements are discussed in Chapters 3 and 4. Issues in relation to Defence’s management of compliance with DISP requirements and the management of industry security risk in Defence have been identified previously, through a review in 2017. The review included six recommendations that are relevant to this performance audit. On 20 June 2017, the Australian Government agreed to all of the recommendations from the review. Appendix 5 sets out the six recommendations and the status of their implementation.

DISP administration and budget

1.20 Within Defence, the Defence Security and Vetting Service (DS&VS) is responsible for administering the DISP, through its Defence Industry Security Office (DISO).

1.21 The DSPF sets out the roles and responsibilities of Defence (both DS&VS and Defence contract managers) and industry entities in the context of the DISP. These are outlined in Table 1.1 below.

Table 1.1: DISP roles and responsibilities — Defence and industry entities

Note a: The Defence Security Committee provides primary oversight of the DSPF. Control Owners are required to provide an annual report to the Defence Security Committee on each DSPF Principle and expected outcome for which they have responsibility.

Note b: In the context of managing DISP requirements, Defence defines contract managers as: ‘Defence personnel responsible for managing Defence contracts; this could include but is not limited to, Program Managers, Project Managers, Senior Project Officers, Project Officers or any other role with contract manager responsibilities’.

Source: ANAO analysis of Defence documentation, and Defence advice.

1.22 Table 1.2 below provides a summary of DS&VS’s actual expenditure and staffing levels attributed to managing the DISP during 2019–20 and 2020–21. Defence advised the ANAO in June 2021 that the DISP operating budget for 2021-22 is $6 million and additional funding is being sought through the Defence budget process.

Table 1.2: Defence Security and Vetting Service – actual expenditure and staffing levels for managing the DISP 2019–20 and 2020–21

Source: Defence documentation.

1.23 On its external website for the DISP, Defence advises that:

There is no direct cost associated with DISP membership (i.e. no membership fee), however, there will be costs associated with implementing and maintaining security measures to meet both initial and ongoing DISP membership requirements. These might include, for example, facility certification and accreditation, personnel security clearances, physical security measures.²²

Rationale

1.24 Defence has stated that its Defence Industry Security Program (DISP) ‘is essentially security vetting for Australian businesses’.²³ The DISP is a long-running program intended to support industry entities to understand and meet their security obligations when engaging in Defence projects, contracts and tenders. During its inquiry into Australian Government Security Arrangements, the Parliament’s Joint Committee of Public Accounts and Audit (JCPAA) questioned Defence about the compliance mechanisms Defence had in place to provide assurance that industry entities contracted to Defence are meeting their security obligations.²⁴ In its report on that inquiry, the JCPAA noted that: ‘Defence was not able to provide the level of confidence or assurance that the Committee required’.²⁵ This audit provides the Parliament with independent assurance of the effectiveness of Defence’s arrangements to manage security risks when procuring goods and services from industry through its implementation of the DISP.

Audit approach

1.25 The objective of the audit was to examine the effectiveness of Defence’s administration of contractual obligations relating to the Defence Industry Security Program (DISP).

1.26 To form a conclusion against the audit objective, the ANAO adopted the following high-level criteria:

• Has Defence established fit for purpose arrangements for administering contracted DISP requirements?
• Has Defence established and implemented fit for purpose arrangements to monitor compliance with contracted DISP requirements?
• Has Defence managed non-compliance with contracted DISP requirements?

1.27 The audit focussed primarily on Defence’s:

• administration of DISP as it relates to contractual obligations, including Defence’s communication of DISP requirements to industry and Defence contract managers, and relevant training and support; and
• monitoring and assurance activities for ensuring DISP members’ compliance with contracted DISP requirements, including any actions taken to address non-compliance with contracted obligations.

1.28 The audit did not:

• assess the decisions made by Defence officials regarding the level of DISP membership required during tendering and contract establishment processes;
• assess the effectiveness of Defence’s DISP membership assessment process (that is, the process supporting the decision to grant membership), or re-assess decisions to issue DISP membership; or
• test specific contracts to confirm that contracted DISP membership requirements had been addressed, due to limitations in Defence systems and processes discussed further below.

Audit methodology

1.29 The audit involved:

• a review of documentation held by the department, including policies, processes and procedures;
• discussions with relevant departmental staff and industry stakeholders; and
• analysis of Defence data.

1.30 The ANAO planned to review a statistically valid sample of Defence contracts as part of this performance audit, to assess whether contracts that require DISP membership include an appropriate DISP clause, that the contractors engaged for those contracts have DISP membership, and that the contractor’s DISP membership for those contracts is at the appropriate level. For this purpose, the ANAO sought from Defence a list of current contracts that included a clause requiring the contracted industry entity to hold a DISP membership. However, Defence was unable to provide a complete and accurate list of contracts that included a DISP requirement, to enable the selection of a statistically valid sample for ANAO review.

1.31 The audit was conducted in accordance with ANAO Auditing Standards at a cost to the ANAO of approximately $400,712.

1.32 The team members for this audit were Natalie Whiteley, Kim Murray, Song Khor, Clyde Muthukumaraswamy and Sally Ramsey.

3.1 This chapter examines whether Defence has established and implemented fit for purpose arrangements to monitor compliance with contracted DISP requirements. The ANAO examined:

• the monitoring and assurance activities that had been established by Defence to assess industry entities’ compliance with contracted DISP requirements; and
• how Defence’s contract managers were made aware of the outcomes of DISP compliance monitoring and assurance activities, to inform the effective management of contracts with DISP requirements.

3.2 As outlined in Table 1.1, the Defence Security and Vetting Service (DS&VS) is responsible for administering the DISP, through its Defence Industry Security Office (DISO). Defence contract managers are responsible for assessing and managing project security risk. Defence contract managers therefore have a shared responsibility, with the contracted parties, for monitoring and ensuring compliance with the security risk management arrangements in contracts.⁵⁰

Has Defence established effective monitoring and assurance processes to assess compliance with contracted DISP requirements?

3.3 To effectively monitor compliance with contracted DISP requirements, Defence needs to be able to identify which of its current contracts:

1. must, in accordance with the Defence Security Principles Framework (DSPF), require the contracted entity to hold DISP membership; and
2. include such a requirement.⁵¹

3.4 To assess whether Defence has established effective processes to monitor compliance with contracted DISP requirements, the ANAO examined if Defence has:

• a complete and accurate list of existing contracts that include DISP requirements;
• assurance mechanisms in place to confirm that DISP clauses are included in contracts as required;
• a fit for purpose system to maintain DISP membership records; and
• a compliance and assurance framework in place to assess industry entities’ compliance with DISP requirements.

Completeness and accuracy of Defence’s list of contracts with DISP requirements

3.5 Defence was unable to provide the ANAO with a complete and accurate list of Defence contracts with DISP clauses.

3.6 As discussed in paragraph 1.30, for the purposes of audit sampling, the ANAO sought from Defence a list of current contracts that included a clause requiring the contracted industry entity to hold DISP membership. In response to the ANAO’s request, Defence developed a spreadsheet of contract data by cross-referencing the Australian Business Numbers of current DISP members⁵² with AusTender data. Table 3.1 below provides a summary of DISP contract data Defence provided to the ANAO in November 2020.

Table 3.1: Number and value of contracts with DISP members (granted membership since April 2019) — July 2018 to November 2020

Note a: The figures in this column differ from the figures of 16,503 active contracts with a total commitment of $202.4 billion as at 24 March 2021 (see paragraph 1.1). The figures in paragraph 1.1 represent all active contracts in Defence as at 24 March 2021, while the figures in Table 3.1 represent total Defence contracts between July 2018 and November 2020.

Source: Defence.

3.7 The data provided by Defence was assessed by the ANAO as being neither a complete or accurate representation of the contracts that included DISP clauses, because:

• The data may include contracts held by a DISP member, where there may not be a DISP requirement clause. That is, Defence was unable to filter the data to show contracts with DISP clauses and without DISP clauses.
• The data only includes contracts with DISP members that had been granted membership since April 2019. At the time the data was collated Defence records indicated that there were a further 312 entities with DISP memberships granted prior to April 2019 that had active Defence contracts.
• AusTender data does not include contracts below $10,000 nor contracts that have a high level of security classification.
• The data does not include contracts that include a DISP membership clause but the contractor has not been granted, or applied for, DISP membership.

3.8 A review of DISP membership records undertaken by DISO in 2019 identified shortcomings in Defence’s contract management practices and record keeping, including instances of Defence contract managers failing to:

• maintain accurate records of active projects and contracted industry entities;
• adhere to Defence security policy requirements;
• communicate contract changes (for example, commencements, extensions and closures) across Defence functions; and
• confirm DISP membership before engaging industry entities in security classified projects or activities.

3.9 The 2019 review was unable to obtain accurate records of all Defence contracts involving DISP members or applicants. The review was limited to industry entities for which Defence had DISP membership data, and the report stated that it was likely that Defence had many contracts with DISP requirements that were not visible to Defence’s Security and Vetting Service.

3.10 ANAO testing confirmed that Defence does not have a source of relevant contract data to support DISP assurance activities, nor does it capture information about DISP membership requirements in contracts in any of its corporate systems that hold contract or supplier data.⁵³

3.11 The Defence Security and Vetting Service has identified the following high level requirement for a DISP Customer Relationship Management System, for which it is seeking internal approval (discussed further in paragraphs 3.32 and 3.64):

At every stage in the assessment and review of a DISP entity, information regarding the contracts the entity has with Defence is critically important. The number, value and nature of these contracts impacts the level of risk the entity poses to Defence and the type of controls that must be in place to manage that risk.

Assessment of DISP membership requirements in Defence projects audited by the ANAO since July 2019

3.12 The ANAO, in the course of its audit work, has had access to a number of contracts that Defence has established with industry. As Defence was unable to provide a complete and accurate list of Defence contracts with DISP clauses, the ANAO examined whether the threshold DISP requirement relating to DISP membership had been met in four contracts from recent performance audits. The four contracts reviewed by the ANAO were the:

• Offshore Patrol Vessels Acquisition Contract (signed 31 January 2018) with Luerssen Australia Pty Ltd.
• Land 400 Phase 2 Combat Reconnaissance Vehicles Acquisition Contract (signed 9 August 2018) with Rheinmetall Defence Australia Pty Ltd.
• Submarine Design Contract (signed 1 March 2019) with Naval Group Australia.
• Evolved Cape Class Patrol Boat Acquisition Contract (signed 30 April 2020) with Austal Ships Pty Ltd.⁵⁴

3.13 DISP membership was a requirement in each contract. In respect to the four contracts, two of the prime contractors (Naval Group and Rheinmetall Defence Australia Pty Ltd) have held DISP membership since the contract was signed, and one (Luerssen Australia Pty Ltd) obtained membership nearly 3.5 years after the contract was signed. Defence records show that Austal Ships Pty Ltd has applied for, but not yet been granted, a new DISP membership. Austal was previously granted DISP membership in August 2001. Appendix 7 sets out the results of the ANAO’s review of compliance with the DISP membership requirements in the four contracts.

Assurance mechanisms to confirm that DISP clauses are included in required contracts

3.14 Defence advised the ANAO that it does not have any specific mechanisms in place to provide assurance that the appropriate ‘core’ DISP contract clauses are included in Defence contracts that require DISP membership under Defence security policy. Defence is therefore not able to provide complete and accurate information on the number or value of these contracts that have, or should have, a clause for DISP membership.⁵⁵

3.15 Further, notwithstanding the findings of Defence’s limited scope Defence Industry Security Management System (DISMS) remediation activity⁵⁶, there is no evidence that Defence has subsequently checked, or assessed the risk, across its population of current contracts, that industry entities are accessing security classified information and assets without holding the appropriate levels of DISP membership.

3.16 The ANAO analysed the 1,092 applicant entries in Defence’s DISP Master Spreadsheet as at 18 January 2021, and matched 873 applicants who had not yet been granted DISP membership with AusTender contract notices between July 2018 and December 2020. The ANAO found that:

• 419 of the 873 DISP applicants (48 per cent) had 20,460 contracts with Defence with a value of $22 billion.
• Of these 20,460 contracts, 770 (with a value of $3.3 billion) had a confidentiality flag⁵⁷ indicating confidential subject matter or a contract that is producing a confidential output.

3.17 While not all of these contracts may require DISP membership in accordance with the DSPF, Defence does not have an assurance mechanism in place to check that these contracts have a clause for the contractor to hold DISP membership. Defence therefore has limited assurance that security classified information and assets are accessed only by industry entities with the appropriate levels of DISP membership. Further, a Defence review has identified that the risk of industry entities accessing highly security classified information and assets without DISP membership has been realised (this is discussed further in paragraphs 4.10 and 4.11).

3.18 With limited visibility of the population of contracts that include DISP memberships (as discussed above) and no specific assurance mechanisms in place to assess whether, where required by Defence policy, the mandatory clauses for DISP membership are included in current Defence contracts, Defence is constrained in its ability to gain assurance that:

• all Defence contracts that should include a clause requiring the contracted industry entity to hold DISP membership, do so in accordance with the Defence Security Principles Framework⁵⁸;
• contracted entities hold the appropriate DISP membership levels for their contract/s with Defence⁵⁹; and
• security classified information and assets are being accessed only by contracted entities with the appropriate levels of DISP membership.

3.19 Defence identified this limitation in its data in November 2019 and has not yet addressed it.

3.20 As Defence has identified DISP as a security risk control under the DSPF, there would be benefit in Defence establishing the means to obtain assurance that DISP requirements are met for all active contracts. There would also be benefit in Defence reviewing its current contracts to determine if DISP requirements have been met.

Tracking DISP memberships

3.22 Defence requires complete, accurate, and readily accessible records of DISP members to effectively assess contracted entities’ compliance with contracted DISP requirements. During this audit, Defence stored its DISP membership records across two information management systems (see Table 3.2 below).

Table 3.2: DISP membership record systems

Note a: Between August 2019 and October 2020, Defence reviewed its DISP membership data stored in the DISMS. Some of the findings are discussed in the paragraphs below.

Note b: As discussed in Chapter 2, in April 2019 Defence opened DISP membership to any Australian corporate entity that wishes to apply, and not just entities with an existing Defence contract.

Source: Defence documentation.

Reviews of DISP membership data

3.23 Between August 2019 and October 2020, Defence reviewed DISP membership data stored in the Defence Industry Security Management System (DISMS).⁶⁰

3.24 The review identified completeness and accuracy issues for the validity of over 900 DISP memberships for current contracts and subcontractors providing a range of services to Defence, including security vetting, psychological assessments, and outsourced security guard services to Defence sites nationally.⁶¹ Defence identified ‘significant data quality issues that had been on-going for over a decade’ and that the ‘DISMS was poorly maintained and administered, resulting in significant issues with data integrity, confidentiality and accessibility’. Through this review activity, Defence concluded that it had a systemic problem with maintaining accurate records in DISMS.

3.25 In December 2019, Defence reported to the enterprise-level Defence Security Committee that the data remediation activity had reduced the number of ‘in progress’ DISP applications recorded in DISMS from 131 to zero, and that it had identified and reported nine major security incidents. Defence’s report from the remediation activity does not specifically identify how Defence resolved all of the 131 ‘in progress’ DISP membership applications, however the report identifies that:

• eight applications were test applications, and were deleted;
• 13 applications had been correctly processed and required an update of the applicants’ membership status in DISMS; and
• 103 applications had discrepancies (including missing supporting documentation and lapsed contract dates), which resulted in various actions by Defence including the applications being denied, and the reporting of major security incidents.

3.26 Further, the committee was advised that: ‘the remaining aspect of the data remediation projects is to confirm all 600 active (green) DISP memberships have the appropriate level of membership for the projects they are working on.’⁶² Defence has since completed further work to remediate the active DISP membership data in DISMS however it did not confirm that all active DISP members in DISMS had the appropriate level of membership for the projects they are working on.

3.27 Until April 2021, the information held in DISMS remained important to Defence for identifying which DISP members had not reapplied for DISP membership by the April 2021 deadline.⁶³

3.28 Defence advised the ANAO that as of 23 February 2021, 46 of the active (those with current Defence contracts) pre-reform DISP members had not applied for DISP membership under the new program. Defence further advised the ANAO in March 2021 that:

DISO is undertaking another round of direct engagement with each of the remaining 46 companies to encourage their application into the reformed DISP. DISO will contact each listed contract/project manager to advise them of the entity’s non-compliance with Defence security policy for any active pre-reform entities who fail to re-apply to the program before the deadline. Pre-reform membership will no longer be recognised after 9 April 2021, unless the entity is undergoing current DISP processing.

3.29 The ANAO requested that Defence provide a further update of the figures in paragraph 3.28. In August 2021, Defence informed the ANAO that:

The limitations of the current spreadsheet-based tool does not enable a retrospective point in time assessment as at 10 April 2021.

However, DISO can advise current details of outstanding entities under the old DISP membership. As of 09 August 2021, there are 25 entities who were sent a reminder notice by email, but have not yet applied for DISP membership.

Updated status:

• 25 still to apply (the list of entities will be shared with CASG [Capability Acquisition and Sustainment Group] to verify DISP requirements).
• 21 have applied:
  • 8 granted DISP membership
  • 5 in uplift
  • 6 are completing membership processing
  • 1 inactive (the entity applied but has been non-responsive for over 75 days)
  • 1 withdrawn.

3.30 The ANAO also sought advice from Defence on its posture on managing contracts with DISP members whose memberships are no longer recognised. Defence advised the ANAO in June 2021 that:

Defence relies on industry entities to provide details for current contracts. Defence relies on Defence contract managers to verify these details to support the DISP membership level being sought. As of January 2021, Defence commenced queries of AUSTENDER to also verify current contract details to support DISP membership levels being sought.

DISO has conducted several data remediation activities on DISMS to ensure the transition into the new program can be as seamless as possible and any relevant gaps can be identified, and relevant measures to mitigate the risks can be implemented.

One of the activities that was discussed whilst working on the ‘DISP Data Remediation Project’ was to “contact each listed contract/project manager to advise them of the entity’s non-compliance with Defence security policy for any active pre-reform entities who fail to re-apply to the program before the deadline [9 April 2021]”. Due to the lack of relevant data on DISMS, we were unable to perform this particular task.

Instead, multiple steps were taken to contact all extant members from the ‘old DISP program’ over the two year transition period, with a reminder to re-apply to the then ‘new DISP’. A dedicated team was assigned to contact all DISP members listed in DISMS, and to provide any support to entities that re-applied as a direct result of the outreach activities.

3.31 In July 2020, a review (by Synergy Group Australia) into Defence’s management of the DISP stated that Defence’s systems for managing DISP memberships are not fit for purpose and that this carried risk associated with the ongoing confidentiality, integrity and availability of the data. In February 2021, the First Assistant Secretary, Defence Security and Vetting Service, advised the Associate Secretary that DISO is ‘missing all or most of the capability’ necessary for effective DISP information management and reporting’. Appendix 6 provides a summary of DISO’s required capabilities as advised to the Associate Secretary in February 2021.

3.32 As discussed in paragraph 3.11, the Defence Security and Vetting Service is seeking internal approval for a DISP Customer Relationship Management System. It plans to address the issues identified with its management of DISP membership through the development of that IT system, which is discussed further in paragraph 3.64. In June 2021, Defence informed the ANAO that:

Delays in achieving Gate 0 and 1 approvals will impact the implementation date for the CRM. The current projection is for an Interim Operation Capability to be deployed in late January 2022, but this is likely to slip further.

Availability of DISP application records

3.33 The ANAO requested the following documentation for contracts with a DISP requirement, or for contractors with DISP membership for the last two years:

• completed forms notifying DISO that a contract contains a DISP clause;
• security incident reports;
• foreign ownership change forms; and
• contact reports.

3.34 In November 2020, Defence informed the ANAO that: ‘it is likely to take weeks to get a response [to the ANAO] as this requires manual checks across thousands of documents’.⁶⁴

3.35 In June 2021, Defence advised the ANAO that: ‘Defence clarifies that all DISP-related records are stored in Objective centrally. Defence advice to ANAO was that it would take considerable time to review the over 1000 individual entity files’.

3.36 Defence’s records management policy states that:

Effective records management will support Defence in maintaining authoritative information that has integrity and is accessible, auditable, accurate, reliable, complete, and of high quality …

… Defence records must be stored in a way that preserves their authenticity, reliability, discoverability, accessibility, quality, usability, and security for as long as needed.

3.37 The difficulty encountered in accessing DISP membership records, and the inaccuracies observed in forms recording contracts’ DISP membership requirements, is inconsistent with the aims and expectations of Defence’s records management policy and raises questions regarding the quality of the data used to support Defence’s targeted assurance activities for DISP and the veracity of the upwards reporting to the Defence Security Committee (discussed in paragraph 3.57).

Compliance and assurance framework to assess industry entities’ compliance with DISP requirements

3.39 A key purpose of the DISP is to provide Defence with assurance that industry entities are effectively managing security risks (see paragraph 1.5). To obtain this assurance, Defence requires efficient and effective processes and systems for monitoring compliance with contracted DISP membership requirements.

3.40 Defence informed the ANAO in February 2021 that despite the DISP being a long running program spanning several decades, prior to the establishment of DISO in August 2019 there was no assurance framework in place.

3.41 As discussed in Chapter 1, a 2017 review made six recommendations relevant to the DISP. One of the recommendations was that Defence ‘enhance security assurance to assess DISP members’ security performance and compliance with self-reporting obligations’. At the direction of the Australian Government, Defence established DISO in August 2019 to undertake these and other functions.

3.42 In February 2021, the First Assistant Secretary, Defence Security and Vetting Service, assessed and advised the Associate Secretary that DISO is ‘missing all or most of the capability’ for DISP assurance, including for risk-informed reassessments of approved participants to confirm ongoing suitability and capability, cyber assessment and independent risk assessment revalidation for members with DISP security levels 1-3, and targeted deep dives.

3.43 In July 2020, a review (by Synergy Group Australia)⁶⁵ of Defence’s management of the DISP had assessed that:

• whilst the DISP participation application and initial assessment process has been in place for several years, ongoing assessment and assurance of participants of their ongoing suitability is less mature;
• initial DISO ‘audit’ results indicate DISP participants are not managing Defence’s security risk in accordance with the DSPF or to the standard required⁶⁶; and
• Defence has few mechanisms in place to provide adequate assurance that industry entities are complying with DISP obligations.

3.44 Defence advised the ANAO that it is seeking to address these issues as part of its DISP Improvement Program. In June 2021, Defence advised the ANAO that:

As part of the implementation of the DISP Improvement Program, Defence has brought forward the planned Tranche 2 activity ‘DISP Assurance Model’. The DISP assurance model was developed from April to June 2021 and describes the integrated assurance framework for DISP members through application and membership stages. Key components of the membership assurance model include:

• An Annual Security Report assessment process (implemented).
• A risk-based methodology for selecting members for more active assurance review: Ongoing Suitability Assessment and ‘deep-dive’ audit (implemented).
• An Ongoing Suitability Assessment (OSA) process that forms the basis of regular, ‘rolling’, assessment of continued compliance with DISP requirements (currently being piloted with initial group of 10 DISP members). It is anticipated the OSA pilot will be completed and move into full implementation in the September 2021 quarter.
• Deep-dive audits of those members identified as meeting key audit criteria (implemented, with 2021/22 audit plan undergoing final approval by CSO).

Ongoing improvement and enhancement of these assurance activities will be developed as a part of the analysis and continuous improvement activities in DISO.

3.45 Defence’s current assurance framework for the DISP, as set out in the Defence Security Principles Framework (DSPF)⁶⁷, comprises five core elements supported by five categories of assurance activities. Table 3.3 below sets out, as at August 2021: the activities undertaken for each element; and a summary of the ANAO’s assessment of Defence’s current assurance activities for the DISP against the approved assurance framework in the DSPF control document. In summary:

• Defence does not have a detailed implementation plan for how it will implement the DSPF requirements.⁶⁸
• The assurance activities conducted to date provide limited assurance in regards to the four entities that have been reviewed to date⁶⁹, and no assurance in regards to the entire population of DISP members.

3.46 As outlined in Table 3.3, Defence has made limited progress in implementing the suite of assurance activities documented in the July 2018 DSPF. Implementation remains at a very early stage, three years after the DSPF was introduced.⁷⁰

Are Defence contract managers provided with relevant information to help manage contractors’ compliance with contracted DISP requirements?

3.48 To assess whether Defence contract managers are provided with relevant information to help manage contractors’ compliance with contracted DISP requirements, the ANAO reviewed if:

• DISO provides contract managers with appropriate advice regarding the findings of the assurance activities conducted on DISP memberships;
• Defence collates and shares other relevant compliance data with contract managers; and
• Defence contract managers have access to data on industry entities’ DISP memberships.

DISO advice to contract managers regarding the findings of the assurance activities conducted on DISP memberships

3.49 On its external website for DISP, Defence advises that in relation to its assurance activities:

Our audit reports are also sent to relevant Defence contract managers. These contract managers will determine whether any contractual requirements have not been met, and make a decision on whether any contractual penalties apply.

3.50 In its document specifying the high level requirements for a new IT system to support the DISP⁷¹, Defence noted that a current limitation of its tools and processes was that: ‘findings from assessments and audit are not always passed through to the contract managers’.

3.51 As outlined in Table 3.3, Defence’s activities to support the DISP assurance framework in the July 2018 DSPF remain at a very early stage⁷², three years after the DSPF was introduced. In consequence, there is little in the way of results from these activities to date for Defence to report to its contract managers, to assist them in managing contracted DISP requirements.

3.52 There is evidence that the results of Defence’s ‘deep dives’ of four DISP members⁷³ have been distributed to senior Defence leaders at the Group Head level. In June 2021, Defence informed the ANAO that it intends to provide routine reporting from its DISP compliance and assurance activities to contract managers.

3.53 In April 2020, Defence committed to biannual reporting of DISO’s audit findings to the Defence Security Committee. Defence informed the ANAO in February 2021 that the biannual reporting has not occurred due to increased priority on processing DISP membership applications:

An Audit Insights Report is currently being drafted, although it will likely be sent to DSC members ‘out of session’. Priority to process DISP applications has been impacted by several factors, including developments undertaken through the DISP improvement program and COVID-19.

Collating and sharing of other relevant compliance data with contract managers

3.54 Under the DSPF, industry entities that are DISP members must report security incidents or foreign contact.⁷⁴ As part of its intelligence-led assurance program and in accordance with the DSPF, DISO is to ‘assess industry security incident, fraud and contract reports’.

3.55 The 2017 review (see paragraph 1.19) found that Defence capability managers and contract managers were not consistently accessing threat information to inform project and contractual security requirements and assurance activities. In relation to security incidents, the review found that:

• data to support an enterprise-level assessment of industry security risk, such as the number and nature of DISP members and of DISP security incidents, was either not available or not reliable; and
• Defence’s capacity to analyse metrics from contract and incident reports to identify trends and patterns is constrained by the limitations of existing information systems.

3.56 Defence advised the ANAO in January 2021 that DISO is notified by the Security Incident Centre⁷⁵ of security incidents involving DISP companies and that the process has been ‘ad-hoc on an as-needs basis’ while the Security Incidents Centre re-established monthly reporting, which was expected to resume for 2021. The monthly reporting has not occurred. Further, Defence records provide no evidence that:

• security incidents involving DISP members have been shared with relevant contract managers;
• Defence has analysed security incidents involving DISP members to identify trends; and
• Defence communicating these trends to the relevant business areas.

3.57 Security incident data is reported quarterly to Defence’s Security Committee. The data is at a high level and not categorised by DISP membership. Defence’s current IT systems do not support the analysis or collation of security incident data for DISP members, and analysis of security incidents is manually intensive.⁷⁶

Security incident data provided to DSPF control owners

3.58 As part of the 2019–20 DSPF reporting process, the Defence Security and Vetting Service provided security incident data to ‘control owners’ to support their assessments.⁷⁷ The data was obtained through Defence’s security incident reporting forms. The results of the 2019–20 DSPF reporting process were reported to the Defence Audit and Risk Committee in December 2020. The briefing presented to the Committee stated that:

• Some control owners observed that ‘the volume of security incident data provided was overwhelming’.
• The Defence Security and Vetting Service advised the Committee that it was:

… undertaking a security incident management project where one of the deliverables will better align the security incident categories to the DSPF Controls going forward. This is expected to improve reporting and better tailor the data provided to Control Owners in the future including trend analysis, however there will continue to be a need for manual review of data to some extent.⁷⁸

• Control owners had requested that security incidents under their controls be reported to them on a quarterly basis to support proactive review, oversight and assurance. Defence Security and Vetting Service advised the Committee that quarterly reporting was expected to be rolled out in Quarter 4 of 2020.

3.59 Defence advised the ANAO in February 2021 that in relation to the quarterly reporting:

Due to the complex nature of the format of the Control Owner reporting, a quarterly frequency is not currently achievable. On final implementation of the Security Incident Reform Project (expected to be functional for the 2021–22 Financial Year) the composition of Control Owner reporting will undergo review with the aim to become more efficient allowing for increased frequency of Control Owner reporting. In the interim, monthly reports to the Group Executive Security Advisors have undergone considerable redevelopment and will be recommencing as of February 2021. The reports will be provided to each of the Group and Service’s ‘Executive Security Advisors’ within the first two weeks of each month thereafter who will work with relevant Control Owners.

3.60 In June 2021, Defence advised the ANAO that it still did not have the capacity to produce quarterly reporting.

Contract manager access to data on industry entities’ DISP memberships

3.61 As discussed in Chapter 2, implementation of the Defence Security Principles Framework relies on Defence contract managers, who are expected to include the appropriate DISP clauses in required Defence contracts. As part of this process, contract managers are required to determine what, if any, levels of DISP membership an industry entity should hold for any given contract, and include that membership requirement in the contract.

3.62 Defence contract managers do not have visibility of Defence’s DISP membership data, and must request this information from the DISP administration team. Defence has identified that this adds a degree of complexity and inefficiency to implementation of the DISP that Defence is seeking to address as part of its DISP Improvement Project.

3.63 Risks relating to Defence contract managers’ lack of understanding of the DISP and expectations regarding DISP membership, were highlighted in a September 2020 review by Defence internal audit (see Box 3 below).

Note a: ANAO comment: under the DSPF, the Defence project manager (the definition of which includes Defence contract managers) is responsible for the security of all aspects of the project, including managing all outsourced risks. Source: Defence Security Protective Framework, Control 11 – Security for Projects, p. 10.

Source: Defence documentation.

3.64 Defence is planning to implement improvements to the information shared with contract managers through the Defence Security and Vetting Service’s proposed new IT system to manage the DISP. In its document specifying the high level requirements for the new system, DISO notes that:

The system will assist Contract Managers manage the risk of their contracts, by providing an accurate assessment of the level of security maturity of a DISP entity at a point in time, and alerts when incidents are logged or circumstances change.

3.65 In a February 2021 briefing to the First Assistant Secretary, Defence Security and Vetting Service, DISO advised that it was scoping and refining requirements for the system. In June 2021, Defence informed the ANAO that:

Delays in achieving Gate 0 and 1 approvals will impact the implementation date for the CRM. The current projection is for an Interim Operation Capability to be deployed in late January 2022, but this is likely to slip further.

Appendix 1 Department of Defence response

Appendix 2 Performance improvements observed by the ANAO

1. The existence of independent external audit, and the accompanying potential for scrutiny improves performance. Improvements in administrative and management practices usually occur: in anticipation of ANAO audit activity; during an audit engagement; as interim findings are made; and/or after the audit has been completed and formal findings are communicated.

2. The Joint Committee of Public Accounts and Audit (JCPAA) has encouraged the ANAO to consider ways in which the ANAO could capture and describe some of these impacts. The ANAO’s 2021–22 Corporate Plan states that the ANAO’ s annual performance statements will provide a narrative that will consider, amongst other matters, analysis of key improvements made by entities during a performance audit process based on information included in tabled performance audit reports.

3. Performance audits involve close engagement between the ANAO and the audited entity as well as other stakeholders involved in the program or activity being audited. Throughout the audit engagement, the ANAO outlines to the entity the preliminary audit findings, conclusions and potential audit recommendations. This ensures that final recommendations are appropriately targeted and encourages entities to take early remedial action on any identified matters during the course of an audit. Remedial actions entities may take during the audit include:

• strengthening governance arrangements;
• introducing or revising policies, strategies, guidelines or administrative processes; and
• initiating reviews or investigations.

4. In this context, the below actions were observed by the ANAO during the course of the audit. It is not clear whether these actions and/or the timing of these actions were planned in response to proposed or actual audit activity. The ANAO has not sought to obtain assurance over the source of these actions or whether they have been appropriately implemented.

Improvements to Defence’s contracting suites

5. The audit reviewed Defence’s three main contracting suites to assess whether DISP requirements were clearly defined (see paragraphs 2.11 to 2.12). The ANAO found that there were opportunities for the templates to more clearly define contractual requirements, by:

• including a mandatory clause specifying if DISP membership is, or is not, required;
• requiring the contract drafter to specify the level of DISP membership the industry entity must hold for each of the four security elements of the DISP; and
• referencing current security policy.

6. Defence informed the ANAO that these findings have highlighted inconsistencies between various contracting templates, that it would review the use of DISP requirements across the contracting templates, and seek improvements through having a common DISP requirement clause across the various contracting suites.

Improvements to raising contract managers’ awareness of the use of DISP membership clauses in contracts

7. The audit identified shortcomings in the application of DISP requirements in Defence’s active contracts by its contract managers, and a need for clearer guidance to help Defence contract managers navigate the DISP throughout the procurement lifecycle (paragraphs 2.12 to 2.22).

8. Defence informed the ANAO that it has made two improvements to address the shortcomings in contract managers’ awareness of the use of DISP membership clauses in contracts.

• Defence is developing a web-based application to assist Defence contract managers through the procurement approval process, called ‘My Procurements’. The aim of this application is to enable consistency of approach and compliance with processes and policies across Defence. Defence advised the ANAO that contract managers are now prompted to consider DISP requirements when using My Procurements to complete the procurement approval process. My Procurements is scheduled to be rolled out across Defence at the end of 2021.
• Defence plans to update the Defence Procurement Policy Manual⁸⁴ to include a new contracting requirement that Defence officials must consider DISP and the appropriate level of DISP membership in the procurement process.

Appendix 3 Timeline of events

Figure A.1: Key dates in the history of the Defence Industry Security Program

Source: Defence documentation.

Appendix 4 Summary of the DISP application process

1. The diagram below provides a simplified representation of the DISP application process as at March 2021.

Figure A.2: Summary of the DISP application process

Source: Defence documentation.

Appendix 5 2017 Review – Status of Recommendations

1. A 2017 review made recommendations to mitigate Defence industry security vulnerabilities and provide greater levels of assurance to government. On 20 June 2017, the Government agreed to all the recommendations from the review.

2. In October 2018, the Defence Security and Vetting Service provided a brief to the Defence Secretary and Chief of the Defence Force on the status of the updated Defence Industry Security Program. Table A.2 outlines the status of the recommendations reported in the 2018 brief and the ANAO’s assessment of Defence’s implementation of the six review recommendations relevant to this performance audit.

3. The approach used by the ANAO to assess the implementation status of the six selected recommendations is set out in Table A.1.

Table A.1: ANAO categorisation of implementation status

Source: ANAO.

Appendix 6 DISO required capabilities

1. In February 2021 the First Assistant Secretary, Defence Security and Vetting Service, advised the Associate Secretary that DISO is ‘missing all or most of the capability’ necessary for effective DISP information management and reporting’.

2. The capability requirements identified by Defence as requiring attention are summarised in Table A.3 below.

Table A.3: Defence Industry Security Office (DISO) required capabilities

Note a: The First Assistant Secretary, Defence Security and Vetting Services, advised the Associate Secretary in December 2020 that DISO would need to process an expected volume of 750 DISP membership applications a year (at a cost of approximately $10,000 per application) and the delivery of ‘enhanced membership management’.

Source: Defence documentation.

Appendix 7 Compliance with DISP membership requirements for the four contracts reviewed by the ANAO