Built to pass the supplier security bar.
Cybersecurity designed for DISP members, defence primes and subcontractors, and government suppliers, where the standard is set by procurement, not marketing.
Selling to government and defence changes the cyber bar overnight.
Once you take that first contract, the security expectations are no longer optional. The pattern repeats across every supplier we work with.
DISP membership obligations
The Defence Industry Security Program (DISP) is the gate. Members must maintain a defined security posture, evidenced, with annual reaffirmation and incident reporting obligations.
Essential Eight as a procurement gate
For many Commonwealth contracts, evidence of Essential Eight Maturity Level 2 (or higher) is now a prerequisite. The right plan delivers it on time, not in panic before tender close.
Controlled and classified information
The information that came with the contract came with conditions. Mishandling controlled or classified material is the contract-ending kind of incident, and the regulator notifies your customer.
Subcontractor and supply-chain risk
Your customer audits you as their supplier; you are now audited as the supplier of your own suppliers. The whole chain has to hold.
DISP, Essential Eight, ISM and the cyber clauses in your contract.
Government and defence suppliers in Australia carry a stack of obligations on top of the usual ones: DISP membership, Essential Eight maturity targets, alignment to the ASD/ACSC Information Security Manual (ISM), and the security obligations baked into the specific contract. We build a program that answers each of them with evidence.
What we map to
The frameworks that matter for suppliers
- ✓Defence Industry Security Program (DISP), Entry to Level 3
- ✓Essential Eight Maturity Level 2 or 3, evidenced for procurement
- ✓ASD / ACSC Information Security Manual (ISM) alignment
- ✓Privacy Act and Notifiable Data Breaches scheme
- ✓Customer-specific cyber clauses in your tender response
- ✓SOCI Act (where applicable to your sector)
A program built to pass the toughest procurement.
Six controls, mapped to DISP, ISM and your customer’s specific cyber clauses.
A documented posture against every DISP requirement
We map your environment to the four DISP categories (governance, personnel, physical, ICT), close the gaps and prepare the evidence pack you need for membership and reaffirmation.
Sequenced uplift to ML2 or ML3, with proof
Practical, sequenced uplift to your target maturity, measured against the ACSC framework. The artefacts hand to a tender evaluator without rework.
Configuration aligned to the ISM, not invented
Identity, device, network and data controls configured to match ISM expectations, with the mapping documented clause-by-clause so audit becomes a reading exercise, not an investigation.
Phishing-resistant MFA, PAM, full audit trail
FIDO2 for high-privilege roles, Entra PIM for cloud admin activation, Delinea for brokered access and session recording. Every privileged action is traceable to a named individual.
The right data on the right device, segmented
Sensitivity labels, DLP and segmentation so controlled and classified information stays on the right systems, with the right people, on the right devices.
Your supplier security becomes part of your customer answer
A defensible supplier-assurance baseline, refreshed at the cadence your customer expects, so your supply chain answer travels with you into every tender.
A supplier posture that passes scrutiny and wins work.
- Tender-ready evidence pack, on demand
- DISP audit answers, documented
- Essential Eight ML2 or ML3 posture with measurement
- ISM alignment, mapped clause-by-clause
- Customer cyber clauses answered with confidence
- Cyber insurance answers you can stand behind
Cyber posture, ready for the toughest procurement.
Designed once, evidenced for every tender. Senior advice, scoped engagements, no managed-service lock-in.
Questions defence and government suppliers ask before they engage.
Straight answers, no hedging.
What is DISP and do we need it?
The Defence Industry Security Program. For most companies tendering to Defence at any scale, membership is the gate. We take you through Entry to Level 1, 2 or 3, depending on the work you do.
What Essential Eight maturity do we need?
It depends on the specific contract. Many Commonwealth tenders now name ML2 as the minimum, with critical work expecting ML3. We assess where you sit and lift you to the target with evidence.
Do we need to align fully to the ISM?
Not always all of it. The ISM is risk-based and applies to controlled information. We map the controls that apply to you, configure them, and document the mapping for your customer.
How do you handle classified or controlled information?
Carefully, and with the right segmentation. Classified work has specific environment requirements; controlled information has DLP and labelling expectations. We design the architecture so neither leaks into the wrong place.
What about ITAR or controlled exports?
We work to the controls that apply to you. The cyber configuration is one part; the operational controls (personnel, physical, documentation) sit alongside it. We deliver the cyber part with audit-ready evidence.
How long does DISP preparation take?
Most suppliers can reach a defensible DISP Entry posture in 8 to 16 weeks. Level 1 to 3 takes longer and depends on your starting point. We always assess before quoting.