Defence contractors are working on projects involving highly classified data without having the adequate security clearance due to assurance issues with the department’s security vetting program, an audit has found.
The inquiry found that Defence has been aware of these problems for at least two years but is yet to rectify them, and that at least nine contractors actively working on classified Defence programs in recent years did not have the required security accreditation, with the department blind to these issues.
The Australian National Audit Office (ANAO) on Monday tabled its report on the Defence Industry Security Program (DISP), which helps local businesses to understand and meet their security obligations when engaging on Defence projects, contracts and tenders.
The DISP is “essentially security vetting for Australian businesses”, with companies granted membership once they are determined to be compliant, a process that takes at least six months.
Defence is a significant spender on IT and tech projects, and has total commitments across more than 16,500 contracts worth more than $202 billion. These contracts include for work relating to platforms and sustainment services, IT systems and support and research and development.
Since April 2019, more than 650 companies have been awarded DISP membership, which is required for work on classified information or assets.
The ANAO found that Defence’s administration of the DISP “does not enable [it] to gain assurance that the program is effective”, and the department “has not established fit for purpose arrangements to monitor compliance with contracted DISP requirements”.
Defence cannot identify which of its active contracts require the contracted company to have a DISP membership, which limits the effectiveness of the program as a security control, the audit office found.
“Defence advised the ANAO that it does not have any specific mechanisms in place to provide assurance that the appropriate ‘core’ DISP contract clauses are included in Defence contracts that require DISP membership under Defence security policy,” the ANAO report says.
“Defence is therefore not able to provide complete and accurate information on the number or value of these contracts that have, or should have, a clause for DISP membership. There is no evidence that Defence has subsequently checked, or assessed the risk, across its population of current contracts, that industry entities are accessing security classified information and assets without holding the appropriate levels of DISP membership.”
The ANAO analysed 1092 applicants for DISP membership and found that 873 of these applicants had not been granted the accreditation but had received contracts from Defence. Of these, 419 DISP applicants had won more than 20,000 contracts at a value of $22 billion. Nearly 1000 of these contracts had a confidentiality flag.
This issue has led to companies without DISP membership accessing classified data, the ANAO found.
“Defence has limited assurance that security classified information and assets are accessed only by industry entities with the appropriate levels of DISP membership. Further, a Defence review has identified that the risk of industry entities accessing highly security classified information and assets without DISP membership has been realised,” it said.
The watchdog also found that Defence has been aware of this issue for several years but has done little to address it.
A review in April 2019 of 131 DISP membership records found that 13 entities contracted to work on Defence projects with security classification of “secret” or above did not have DISP membership.
The ANAO found that nine of these contracts are still active, and only one of the companies have since obtained DISP membership, with five still not having even applied.
“There is no evidence that Defence has assessed the risks associated with the nine entities’ historical or ongoing access to sensitive and security classified assets and information without appropriate levels of DISP membership,” the ANAO report said.
Defence has also continued to enter into new contracts with these entities despite them not having obtained the DISP membership, the audit office found.
The latest audit comes just weeks after another critical ANAO report on Defence’s contracting practices. The previous audit found that IBM representatives were present and involved in decisions at several meetings related to a major Defence information technology project which lead to it receiving contract amendments worth nearly $500 million.
The audit found that while Defence’s administration of the enterprise resource planning program was “largely effective” there are scope for improvements in terms of governance arrangements around the management of probity and the management of conflicts of interest in decision-making.
The ANAO recommended that Defence assure itself that its current contracts meet DISP requirements, establish a documented framework for managing non-compliance with it, and review its suite of contracting templates, among others. Defence agreed to all of the recommendations.
Labor’s defence spokesperson Brendan O’Connor and defence industry spokesman Matt Keogh said the report raised “serious concerns” about the oversight of the DISP program.
“It is not clear whether Defence has taken appropriate action in response to identified non-compliance with its security policy,” they said. “Labor has concerns that this lack of oversight from the government is causing a security risk for Defence.
“We know from speaking to Defence industry that there are concerns about the processing timeframes and the impact it is having on their ability to fulfil contracts.
“The Morrison-Joyce Government needs to address these issues, and ensure DISP is safe, secure and timely.”
Do you know more? Contact James Riley via Email.