DISP Security Control Compliance (SCC): A Practical Approach for Those Seeking DISP Accreditation
Part 1: Implementing the Essential Eight for DISP Cyber Security Compliance
Introduction
The Defence Industry Security Program (DISP) ensures that organisations handling sensitive Defence-related information meet stringent cyber security and information protection standards. DISP accreditation is mandatory for industry partners working with the Australian Defence Force (ADF) or other government departments. Organisations must adhere to the Defence Security Principles Framework (DSPF), guided by the Australian Cyber Security Centre (ACSC) and the Australian Signals Directorate (ASD).
At the heart of DISP’s cyber security requirements is the Essential Eight, a set of eight key mitigation strategies developed by the ACSC to address the most common cyber threats and vulnerabilities. While these controls are a starting point, achieving DISP accreditation necessitates a mature implementation of the Essential Eight. Organisations must implement these strategies at Maturity Levels 2 or 3 to ensure resilience against sophisticated cyber threats such as advanced persistent threats (APTs), ransomware, and data breaches.
This article outlines a practical approach for implementing the Essential Eight at the required maturity levels, ensuring compliance with DISP’s cyber security standards and laying the foundation for robust, long-term cyber resilience.
Understanding the Essential Eight for DISP Compliance
The Essential Eight is a prioritised set of cyber security mitigation strategies designed to help organisations protect their systems and data. These strategies address both the prevention of cyber threats and the mitigation of their impact if they occur. They are grouped into three main categories:
Preventing Malware Execution
- Application Control: Prevents unauthorised software from executing, ensuring that only trusted applications are run.
- Restricting Microsoft Office Macros: Prevents malicious macros from executing, which are often exploited in phishing and malware attacks.
- User Application Hardening: Focuses on the removal of unnecessary features, hardening applications to mitigate vulnerabilities commonly exploited by cyber attackers.
Limiting the Impact of Cyber Incidents
- Patching Applications: Ensures vulnerabilities in software applications are patched promptly.
- Patching Operating Systems: Keeps operating systems updated to prevent exploits of known vulnerabilities.
- Restricting Administrative Privileges: Minimises the risk of malicious actors gaining privileged access to systems.
Ensuring Data Availability & Recovery
- Multi-Factor Authentication (MFA): Secures access to systems by requiring additional authentication methods beyond just a password.
- Regular Backups: Ensures data can be recovered in the event of a cyber attack or system failure.
Source: Australian Cyber Security Centre – Essential Eight
Achieving DISP compliance requires organisations to implement the Essential Eight at Maturity Level 2 or 3, signifying a high level of preparedness and resilience against emerging cyber threats. Organisations must go beyond the basics to create an environment that is secure, adaptive, and compliant.
Implementing the Essential Eight for DISP Security Control Compliance
To ensure compliance with DISP’s cyber security standards, the Essential Eight must be implemented effectively across all aspects of an organisation's IT and security practices. Each strategy plays a critical role in protecting sensitive data and systems.
Application Control
Objective: Prevent the execution of unauthorised applications, reducing the risk of malicious software execution.
Implementation for DISP Compliance:
- Deploy Windows Defender Application Control (WDAC) or AppLocker to limit application execution to only approved software.
- Use application whitelisting to ensure that only known, trusted applications can run.
- Enforce code signing policies to ensure that applications are legitimate and free from tampering.
Maturity Level 2+ Requirements:
- Enforce application control at the kernel level so unauthorised applications cannot execute.
- Maintain a centralised system to approve and manage all applications.
Reference: ACSC – Application Control Guidelines
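The following PowerShell is an added example, not code from the article or from the ACSC, showing one way to stand up AppLocker on a Windows client in the "build from a reference machine, audit first, then enforce" pattern the section describes. The reference directories, the policy output path and the sample download path are assumptions; run it elevated on a clean, fully patched build.

```powershell
# Added example (not from the article or ACSC): build an AppLocker policy from a
# reference machine, deploy it in audit mode, and test a file against it.
# All paths below are assumptions for the example.

$ReferenceDirs = @('C:\Program Files', 'C:\Program Files (x86)', 'C:\Windows')
$PolicyPath    = 'C:\Policies\AppLocker-Audit.xml'   # hypothetical output location

# 1. Inventory executables, DLLs, scripts and installers legitimately present on the
#    reference build. Including C:\Windows is slow but necessary so OS binaries get rules.
$fileInfo = foreach ($dir in $ReferenceDirs) {
    Get-AppLockerFileInformation -Directory $dir -Recurse -FileType Exe, Dll, Script, WindowsInstaller
}

# 2. Generate rules. Publisher rules cover signed code (most of Windows and vendor software);
#    unsigned files fall back to hash rules, which resist tampering better than path rules.
$policyXml = New-AppLockerPolicy -FileInformation $fileInfo `
                                 -RuleType Publisher, Hash `
                                 -User Everyone `
                                 -Optimize `
                                 -IgnoreMissingFileInformation `
                                 -Xml

New-Item -ItemType Directory -Path (Split-Path $PolicyPath) -Force | Out-Null
$policyXml | Set-Content -Path $PolicyPath -Encoding UTF8

# 3. Set every rule collection to AuditOnly before first deployment, so the AppLocker
#    event log records what *would* be blocked without breaking business applications.
[xml]$xml = Get-Content -Path $PolicyPath
foreach ($collection in $xml.AppLockerPolicy.RuleCollection) {
    $collection.EnforcementMode = 'AuditOnly'
}
$xml.Save($PolicyPath)

# 4. Apply locally (merged with any existing policy) and make sure the Application
#    Identity service, which AppLocker depends on, starts automatically.
Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
sc.exe config appidsvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# 5. Ask the policy what it would decide for a file in a user-writable location.
$sample = "$env:USERPROFILE\Downloads\installer.exe"   # constructed example path
if (Test-Path -Path $sample) {
    Test-AppLockerPolicy -XmlPolicy $PolicyPath -Path $sample -User Everyone |
        Select-Object FilePath, PolicyDecision, MatchingRule
}

# 6. Review audit events. Event 8003 means "allowed, but would have been blocked if
#    enforced": each one needs an approved rule or an investigation before the
#    collections are switched from AuditOnly to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -MaxEvents 200 |
    Where-Object Id -eq 8003 |
    Select-Object TimeCreated, Message
```

In practice the policy is distributed through Group Policy rather than applied locally, and the audit period is run long enough to cover monthly and quarterly business processes before enforcement is turned on.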
Restricting Microsoft Office Macros
Objective: Prevent the exploitation of macros in Office applications to stop malicious payloads.
Implementation for DISP Compliance:
- Disable macros by default in all Office applications unless explicitly required and digitally signed.
- Implement Group Policy settings to enforce these macro restrictions across the organisation.
- Maintain a whitelist of trusted macro-enabled documents and restrict macro activation to trusted users only.
Maturity Level 2+ Requirements:
- Ensure macros are completely disabled for all externally sourced documents.
- Restrict manual macro enabling to authorised personnel only.
Reference: ACSC – Macro Security Guidelines
User Application Hardening
Objective: Harden user applications to eliminate common vulnerabilities that attackers exploit.
Implementation for DISP Compliance:
- Disable Flash, Java, and outdated plugins that are common cyber attack targets.
- Enforce TLS 1.2 or higher for secure communications and disable weaker protocols.
- Implement restrictions on risky features, such as ActiveX controls, which are vulnerable to exploitation.
Maturity Level 2+ Requirements:
- Enforce security settings across all internet-facing applications.
- Enable automatic application updates to ensure vulnerabilities are patched promptly.
Reference: ACSC – User Application Hardening Guidelines
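The script below is an added example (not the article's or the ACSC's code) that serves both the macro-restriction section and the application-hardening section above: it checks a workstation's Group Policy registry values for Office macro settings and for legacy SSL/TLS protocol disablement against a small baseline. The baseline table, the Office 16.0 policy path and the list of applications are assumptions that should be aligned with the organisation's approved GPOs; a value that is not configured is deliberately reported as non-compliant, because "not configured" means the insecure default applies.

```powershell
# Added example (not from the article or ACSC): compare a workstation against a baseline of
# Office macro and SCHANNEL protocol settings. The baseline itself is an assumption.

$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$Baseline   = @()

foreach ($app in $OfficeApps) {
    # Office 2016/2019/365 user-scope policy keys (Group Policy writes them under HKCU\Software\Policies).
    $sec = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
    $Baseline += [pscustomobject]@{
        Control  = "Macros: $app VBA warning level"
        Path     = $sec
        Name     = 'VBAWarnings'
        Expected = @(3, 4)   # 3 = only digitally signed macros run, 4 = disable all without notification
    }
    $Baseline += [pscustomobject]@{
        Control  = "Macros: $app block macros in files from the internet"
        Path     = $sec
        Name     = 'BlockContentExecutionFromInternet'
        Expected = @(1)
    }
}

# SCHANNEL: legacy protocols must be disabled for both the client and server roles.
foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') {
    foreach ($side in 'Client', 'Server') {
        $Baseline += [pscustomobject]@{
            Control  = "TLS: $proto $side disabled"
            Path     = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$proto\$side"
            Name     = 'Enabled'
            Expected = @(0)
        }
    }
}

function Test-BaselineItem {
    param([pscustomobject]$Item)

    $actual = $null
    $key = Get-ItemProperty -Path $Item.Path -Name $Item.Name -ErrorAction SilentlyContinue
    if ($null -ne $key) { $actual = $key.($Item.Name) }

    $display   = if ($null -eq $actual) { '<not set>' } else { $actual }
    # A missing value fails the check: the insecure default is in effect.
    $compliant = ($null -ne $actual) -and ($Item.Expected -contains [int]$actual)

    [pscustomobject]@{
        Control   = $Item.Control
        Actual    = $display
        Expected  = ($Item.Expected -join ' or ')
        Compliant = $compliant
    }
}

$results = $Baseline | ForEach-Object { Test-BaselineItem -Item $_ }
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Compliant })
Write-Host ("{0} of {1} checks failed" -f $failed.Count, $results.Count)
exit $failed.Count   # non-zero exit code lets a scheduler or endpoint-management tool raise an alert
```

Run it under the user whose policy applies (the macro keys are user-scoped) or adapt the paths to read the HKLM policy hive if the organisation deploys machine-scope settings. Running it on a sample of endpoints each month gives evidence for the assessment that the Group Policy objects are actually landing.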
Patching Applications and Operating Systems
Objective: Regularly update all systems to protect against known vulnerabilities.
Implementation for DISP Compliance:
- Apply patches within 48 hours of release for critical vulnerabilities in both operating systems and applications.
- Use vulnerability scanning tools (e.g., Nessus or Microsoft Defender for Endpoint) to identify unpatched systems.
- Automate patch deployment wherever possible to ensure timely updates.
Maturity Level 2+ Requirements:
- Automate patch management so that all critical systems are updated in real time.
- Remove unsupported software to reduce the attack surface.
Reference: ACSC – Patch Management Guidelines
Restricting Administrative Privileges
Objective: Minimise the risk of privileged access being exploited by attackers.
Implementation for DISP Compliance:
- Use Privileged Access Management solutions to control and monitor administrative account access.
- Implement Just-in-Time access for privileged users, granting access only when necessary.
- Maintain strict audit logs of all privileged access activities.
Maturity Level 2+ Requirements:
- Isolate admin accounts from regular user accounts.
- Grant privileged access only for specific, short-term tasks.
Reference: ACSC – Administrative Privileges Guidelines
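As an added example (not the article's or the ACSC's code) of auditing the "isolate admin accounts" requirement on an individual workstation, the script below lists the members of the local Administrators group and flags anything that is not on an approved list, any user account that does not follow a dedicated-admin naming convention, and an enabled built-in Administrator. The approved groups, the CORP domain and the "-adm" suffix are assumptions for the example.

```powershell
# Added example (not from the article or ACSC): audit local Administrators membership
# against an approved list and a separate-admin-account convention. The approved list,
# the domain name and the naming suffix are assumptions.

$ApprovedAdmins = @(
    'CORP\Domain Admins',          # hypothetical domain group
    'CORP\WS-LocalAdmins-Tier2'    # hypothetical group holding dedicated admin accounts only
)
$AdminSuffix = '-adm'              # dedicated privileged accounts are assumed to end with this

$members = Get-LocalGroupMember -Group 'Administrators'

$report = foreach ($m in $members) {
    $findings = @()

    if ($ApprovedAdmins -notcontains $m.Name) {
        $findings += 'not on approved list'
    }

    # A user principal (rather than a group) holding admin rights is acceptable only if it
    # is a dedicated admin account; everyday user accounts must not be administrators.
    if ($m.ObjectClass -eq 'User' -and $m.Name -notlike "*$AdminSuffix") {
        $findings += 'user account without dedicated-admin naming convention'
    }

    # The built-in Administrator is RID 500 regardless of its display name; it stays in the
    # group even when disabled, so check the enabled flag rather than membership.
    if ($m.SID.Value -like '*-500') {
        $local = Get-LocalUser -SID $m.SID -ErrorAction SilentlyContinue
        if ($local -and $local.Enabled) { $findings += 'built-in Administrator is enabled' }
    }

    $summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }

    [pscustomobject]@{
        Member   = $m.Name
        Type     = $m.ObjectClass
        Source   = $m.PrincipalSource
        Findings = $summary
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code when anything needs attention, so a scheduled task can alert on it.
$issues = @($report | Where-Object { $_.Findings -ne 'OK' })
exit $issues.Count
```

The same shape of check, pointed at Domain Admins and the other privileged directory groups with the ActiveDirectory module, is what an assessor will want to see evidence of at Maturity Level 2: a reviewed list of who holds privilege, with each entry justified.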
Multi-Factor Authentication (MFA)
Objective: Secure access to systems and sensitive data by requiring more than one form of authentication.
Implementation for DISP Compliance:
- Implement MFA for all privileged accounts and ensure remote access is protected.
- Use conditional access policies to enforce MFA based on risk factors (e.g., location, device).
- Disable legacy authentication methods such as basic authentication or SMS-based MFA.
Maturity Level 2+ Requirements:
- Encrypt MFA tokens and store them securely.
- Monitor login attempts for suspicious behaviour and trigger alerts for anomalies.
Reference: ACSC – MFA Guidelines
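The following is an added example, not code from the article or the ACSC, of the two conditional access policies the section describes, expressed with the Microsoft Graph PowerShell SDK for Microsoft Entra ID: require MFA for privileged directory roles, and block legacy (basic) authentication clients. Both policies are created in report-only mode so the sign-in log can be reviewed before enforcement. The Global Administrator role template ID is the well-known value; the break-glass group ID is a placeholder to replace with the tenant's own emergency-access group.

```powershell
# Added example (not from the article or ACSC): create report-only Conditional Access
# policies for MFA on privileged roles and for blocking legacy authentication.
# Requires the Microsoft.Graph.Identity.SignIns module. IDs marked placeholder are assumptions.

Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes 'Policy.Read.All', 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All'

# Well-known role template ID for Global Administrator; add the tenant's other privileged roles.
$PrivilegedRoles = @('62e90394-69f5-4237-9190-012177145e10')
$BreakGlassGroup = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access accounts group

$mfaForAdmins = @{
    displayName = 'CA001 - Require MFA for privileged roles'
    state       = 'enabledForReportingButNotEnforced'   # change to 'enabled' after reviewing sign-in logs
    conditions  = @{
        users = @{
            includeRoles  = $PrivilegedRoles
            excludeGroups = @($BreakGlassGroup)          # never lock out break-glass accounts
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$blockLegacyAuth = @{
    displayName = 'CA002 - Block legacy authentication'
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeUsers = @('All'); excludeGroups = @($BreakGlassGroup) }
        applications = @{ includeApplications = @('All') }
        # Basic-auth protocols (IMAP, POP, SMTP AUTH, older Office clients) cannot satisfy an
        # MFA challenge, so they are identified by client type and blocked outright.
        clientAppTypes = @('exchangeActiveSync', 'other')
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

foreach ($policy in @($mfaForAdmins, $blockLegacyAuth)) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    Write-Host ("Created '{0}' ({1}) in state {2}" -f $created.DisplayName, $created.Id, $created.State)
}

# Before switching either policy to 'enabled', review what report-only mode would have done
# (Microsoft.Graph.Reports module):
#   Get-MgAuditLogSignIn -Top 50 |
#       Select-Object CreatedDateTime, UserPrincipalName, AppliedConditionalAccessPolicies
```

Report-only mode is the safety net here: a policy that inadvertently matches the emergency-access accounts, or a service account still using basic authentication, shows up in the sign-in log as "would have been blocked" instead of causing an outage.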
Regular Backups
Objective: Ensure that critical data can be restored in the event of a cyber attack, natural disaster, or system failure.
Implementation for DISP Compliance:
- Apply the 3-2-1 Backup Rule (three copies, two different storage types, one offsite).
- Encrypt backups using AES-256 encryption to prevent unauthorised access.
- Regularly test the restoration process to verify data recovery speed.
Maturity Level 2+ Requirements:
- Make backups immutable to prevent ransomware encryption.
- Store backups in a separate, physically secure location.
Reference: ACSC – Backup Guidelines
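The script below is an added example (not the article's or the ACSC's code) of the "regularly test the restoration process" requirement for a file-level backup: it restores a backup set to a scratch location, checks every file against a SHA-256 manifest recorded when the backup was taken, and reports how long the restore took so it can be compared with the recovery time objective. The paths and the CSV manifest format are assumptions of this example; a backup product would replace the copy step with its own restore command.

```powershell
# Added example (not from the article or ACSC): verify a backup by restoring it and
# checking every file against a SHA-256 manifest. Paths and manifest format are assumptions.

function New-BackupManifest {
    param([string]$SourceRoot, [string]$ManifestPath)
    # Record a hash for every file at backup time so the restore test detects silent
    # corruption or tampering, not just missing files.
    $prefixLength = $SourceRoot.TrimEnd('\').Length + 1
    Get-ChildItem -Path $SourceRoot -File -Recurse | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($prefixLength)
            Hash         = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param([string]$BackupRoot, [string]$ManifestPath, [string]$RestoreRoot)

    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    New-Item -ItemType Directory -Path $RestoreRoot -Force | Out-Null

    # 1. Restore. For a file-level backup this is a copy; a backup product's restore goes here.
    Copy-Item -Path (Join-Path $BackupRoot '*') -Destination $RestoreRoot -Recurse -Force

    # 2. Verify every manifest entry exists in the restored tree with the expected hash.
    $manifest = @(Import-Csv -Path $ManifestPath)
    $failures = foreach ($entry in $manifest) {
        $restored = Join-Path $RestoreRoot $entry.RelativePath
        if (-not (Test-Path -Path $restored)) {
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'missing after restore' }
        }
        elseif ((Get-FileHash -Path $restored -Algorithm SHA256).Hash -ne $entry.Hash) {
            [pscustomobject]@{ File = $entry.RelativePath; Problem = 'hash mismatch (corrupt or tampered)' }
        }
    }
    $timer.Stop()

    [pscustomobject]@{
        FilesChecked   = $manifest.Count
        Failures       = @($failures).Count
        RestoreMinutes = [math]::Round($timer.Elapsed.TotalMinutes, 2)   # compare against the RTO
        Details        = @($failures)
    }
}

# Usage with hypothetical paths: the manifest is written at backup time, the restore test runs
# on a schedule (for example weekly) and its output is kept as evidence.
# New-BackupManifest -SourceRoot 'D:\Data' -ManifestPath 'E:\Backups\Data\manifest.csv'
$result = Test-BackupRestore -BackupRoot 'E:\Backups\Data' `
                             -ManifestPath 'E:\Backups\Data\manifest.csv' `
                             -RestoreRoot 'C:\RestoreTest'
$result | Select-Object FilesChecked, Failures, RestoreMinutes | Format-List
$result.Details | Format-Table -AutoSize
```

Keep a copy of the manifest with the offsite and immutable copies as well, so that a restore from any of the three copies can be verified independently of the primary system.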
Conclusion: Strengthening Cyber Resilience through the Essential Eight for DISP Accreditation
Achieving DISP accreditation is a critical milestone for organisations in the defence sector, ensuring they meet the highest standards of cyber security and protect sensitive Defence information. The Essential Eight provides a strong foundational framework, but to truly meet the rigorous demands of DISP Security Control Compliance, organisations must implement these strategies at Maturity Level 2 or 3. This not only demonstrates adherence to the Defence Security Principles Framework but also establishes a culture of continuous improvement and resilience in the face of evolving cyber threats.
By properly implementing the Essential Eight, organisations can protect themselves from a range of cyber risks—from ransomware attacks and data breaches to sophisticated threats such as advanced persistent threats (APTs). The focus on patching, application control, and administrative privilege restrictions forms the backbone of a strong security posture, while MFA and regular backups ensure that critical data remains available, even in the event of an attack.
The key to DISP compliance lies in integration—treating these controls as interconnected elements of an overall security strategy rather than isolated tasks. This cohesive approach not only helps organisations pass DISP assessments but also fosters long-term sustainability and security maturity.
Organisations aiming for Level 3 maturity should continually assess their cyber resilience through routine testing, continuous monitoring, regular penetration testing, and comprehensive staff training. For those assessed at Level 1, developing a robust Uplift Action Plan to align practices with DISP’s Level 2 or 3 requirements is vital.
Ultimately, DISP accreditation is not a one-time achievement but a journey of continuous improvement in securing Defence-related information. By integrating the Essential Eight, organisations strengthen their internal cyber defences and contribute to the overall resilience of Australia’s national security.
As we move forward in an increasingly digital world, cyber resilience must be a core value for any organisation involved in the Defence sector. With a strong foundation in the Essential Eight and a commitment to ongoing improvement, organisations can confidently meet the challenges posed by modern cyber threats, protect sensitive information, and achieve and maintain DISP accreditation.
Coming next month: In Part 2 of our DISP accreditation journey, we’ll dive into Personnel Security, exploring how to ensure your workforce meets the high standards set for Defence-related projects, including security clearances, vetting, and compliance with AGSVA requirements.