The Department of Defence is not always preventing contractors without security clearance from accessing classified information due to holes in its primary industry vetting program, an audit has found.
The review of the Defence industry security program (DISP) also reveals that the department has been aware of the problems since late 2019, although it has only recently started to address them.
The DISP – which has been in place in one form or another since 1978 – is considered the primary security policy for Defence personnel, contractors, consultants and outsourced service providers.
It allows the department to “manage risk in the evolving security environment and provides confidence and assurance to Defence… when procuring goods and services from industry members”.
In the audit released on Monday [pdf], the Australian National Audit Office (ANAO) found Defence’s administration of the contractual obligations relating to DISP was only “partially effective”.
It was particularly critical of the department’s arrangements for monitoring compliance with contracted DISP requirements, which were described as “not… fit for purpose”.
“As at March 2021, Defence had over 16,500 active contracts with a total commitment of more than $202 billion,” the audit said.
“Defence does not know which of these contracts should, or do, require the contracted entity to have DISP membership. This situation limits the effectiveness of DISP as a security control.”
The report said Defence was unable to provide a “complete and accurate list of Defence contracts with DISP clauses” due to the lack of “specific mechanisms… to provide assurance”.
“Defence is therefore not able to provide complete and accurate information on the number or value of these contracts that have, or should have, a clause for DISP membership,” the audit said.
Analysis of Defence’s DISP master spreadsheet showed that 48 percent of applicants who had not yet been granted membership had contracts with Defence between July 2018 and December 2020.
The master spreadsheet contains records of DISP applications received after April 2019, when it took over from the Defence industry security management system (DISMS).
A small number of the contracts that were identified (770 of 20,460) had a “confidentiality flag indicating confidential subject matter or a contract that is producing a confidential output”.
The ANAO said that while not all contracts require DISP membership, the absence of an assurance mechanism means Defence has no way of checking whether membership is necessary.
“Defence therefore has limited assurance that security classified information and assets are accessed only by industry entities with the appropriate levels of DISP membership,” the audit said.
Issues already known
The audit also reveals Defence was already aware of the issues, having conducted a “limited review” of 131 DISP membership records – 12 percent of the DISP members at that time – in 2019.
The Defence review found nine instances where contractors were working on active projects with a security classification of secret or above without DISP membership.
“In nine instances, the contracts were still active and the entities had been working on the classified activities from between 16 months and 5.5 years, and in one instance possibly longer,” ANAO said.
“In September 2019, the reviewer reported these nine instances to the Defence Security Incident Centre as major security incidents.”
Two years later, only one of the nine entities has been granted DISP membership, while a further three have applied. Defence also took no compliance action.
At least some of the issues raised by the ANAO are down to the systems used for managing compliance, which have been described as “not fit for purpose”.
Defence stored DISP applications in a Microsoft SQL Server database called DISMS prior to April 2019, while newer records are held in the DISP master spreadsheet.
The Defence Security and Vetting Service is currently seeking internal approval for a DISP CMS to better manage DISP membership.
While it has faced delays gaining approval, it expects an interim operating capability could be deployed as soon as January 2022.
The audit also uncovered a backlog in the approval of DISP applications, partially due to a decision to open the program to “any Australian entity interested in working with Defence” in April 2019.
The audit said Defence had put in place surge arrangements in January 2021 that have increased the rate of processing, but that preparations for the expansion of the program were “inadequate”.
Defence has been asked to “assure itself that its current contracts meet DISP requirements” and “fully implement the DISP assurance activities outlined in the Defence Security Principles Framework”, to which it has agreed.