Flaws in defence security vetting: report
The defence department has not properly managed security vetting for firms contracted to deliver projects worth more than $200 billion.
An auditor-general's report points to the absence of fit-for-purpose arrangements to monitor compliance with the Defence Industry Security Program.
It's designed to ensure entities understand and meet security obligations around department projects, contracts and tenders.
Its administration has been labelled partially effective or partially fit-for-purpose in the Australian National Audit Office report.
While there was a framework setting out DISP requirements, the way the program was administered didn't allow the department to gauge its efficacy.
The department also hadn't established fit-for-purpose arrangements to monitor compliance with security requirements.
It meant the department did not know which of its 16,503 active contracts, worth $202.4 billion, should or did require an entity to have security clearances under the program.
An internal 2019 review identified 13 contracted entities with a security classification of "secret" or above that didn't have DISP membership or associated security accreditations.
Of these, nine contracts remained active and contractors had been working on classified activities for between 16 months and five-and-a-half years.
These were reported as "major security incidents".
By June this year, one of the entities had been granted DISP membership while five had not applied.
The audit office found defence managers weren't given relevant information that would allow them to monitor compliance with contracted entities' security requirements.
There was also no appropriate framework to deal with entities found not to be complying.
The department accepted the audit office's six recommendations to fix flaws in the program.
"The security of Defence's people, information and assets is vital to ensuring that Defence can deliver critical capabilities," it said in its response.
"In support of the secure delivery of these capabilities, Defence is working in partnership with defence industry to improve policies, practices and outcomes to securely deliver that capability."