Empowering KCM’s national team to comply with DISP Accreditation requires a special level of service and support. Read how the IT Agency tailors its engagement for these unique circumstances.
KCM Consulting is a boutique organisation providing specialist consulting services to the Capability Acquisition and Sustainment Group within the Australian Department of Defence.
Operated by ex-military professionals, KCM specialises in ensuring Defence resources, including complex weapon systems, are acquired and sustained effectively. By enhancing procurement efficacy, KCM plays a vital role in maintaining Australia’s national security.
Kent Murrells is the founder of KCM. He’s ex-military and has worked in the defence sector as a civilian since 2004. When he started KCM in 2012 he didn’t plan for the business to grow to its current size. He now employs 20 people who are all embedded within different Australian Government Defence departments around Australia.
“KCM is a vital part of the Australian Defence industry because we provide highly specialised procurement and logistics expertise to the Department of Defence,” says Kent.
“While Defence excels at acquiring the latest technology, it sometimes needs to engage specialist personnel from industry to sustain capabilities throughout their lifecycle. This means ensuring the spares, training, test equipment, maintenance plans and instructions, and support contracts, and all the other services required for ‘sustainment’ are continually available,” he explains.
KCM bridges this gap, ensuring equipment is acquired and sustained effectively during the setup phase and throughout its operational life. This ‘through life support’ includes coordinating the spares, maintenance and support, and training systems that are all essential to ensure the defence sector is able to use the products as effectively as possible.
“By aligning contracts, logistics, and support systems, our teams increase availability of capabilities to the war fighter to enhance Australia’s defence readiness. Ours is a niche area of expertise that ensures complex equipment remains operational, maximising the effectiveness and resilience of the Australian Defence industry,” says Kent.
DISP is an initiative managed by the Australian Department of Defence that ensures all organisations working with Defence meet strict security standards. It applies to the entire supply chain including manufacturers, contractors, consultants, and companies like KCM Consulting that wish to engage in Defence projects.
In 2022 Kent was leading KCM through the process of attaining DISP accreditation for Cyber. As he worked through the audit with the panel, he realised he needed the guidance and support of a cyber security specialist.
“I’d been going through the process of demonstrating the business had embedded levels of cyber security posture in place. But I’m not a cyber expert and due to the complexity of the process I soon realised I needed additional expertise. So, I reached out to Microsoft to see if they could make a recommendation, and they put me in touch with the IT Agency.
“In a relatively short conversation, Ron and Richard explained what we needed to do to ‘uplift’ our cyber security approach, in a way that was scaled appropriately for the size and structure of our business,” recalls Kent.
Because the IT Agency specialises in applying complex cyber security and compliance approaches to small and medium size businesses, it understood that KCM didn’t need an enterprise-level ICT service. It just needed device management upgraded and enhanced, with cyber security policies and protocols in place, to ensure compliance with the panel.
“We had to ensure every device being used by our team was ‘uplifted’. This is what I call the process of taking any standard device and operating system and upgrading it to an environment where it can be used to communicate with DISP. For example, installing Windows 10 Pro for Business and enrolling the device in a centrally managed and secure environment such as Intune / Azure AD,” explains Kent.
“Ron and Richard got it straight away. Soon after engagement they’d scoped the uplift program, developed an implementation approach to get everything lifted up, all our devices enrolled, and everything in a tenant, along with the annual updates, patches and continuous evolution of the environment to maintain our compliance.
“The IT Agency team then carried me through the entire process – end-to-end – making it very easy for us to achieve our accreditation,” he says.
For KCM Consulting and its team to communicate within the Defence ICT domain, it needs DISP accreditation. Owing to the nature of KCM’s work with Defence, it only needed ‘Official Sensitive’ level accreditation, but to achieve this meant Defence whitelisting the KCM domain, and ensuring all devices that are used in communication between industry and the Defence domain met a minimum level of accreditation by Defence cyber authorities.
For KCM Consulting, achieving cyber accreditation under DISP meant implementing the Essential Eight Framework. Developed by the Australian Cyber Security Centre (ACSC) it forms the baseline for cyber security compliance.
These are practical mitigation strategies that reduce cyber risk. And as a DISP member, KCM must implement and maintain the following measures on each device, workstation, system, or platform that’s used to communicate with Australian Defence:
· Application Control: to prevent unauthorised applications from executing.
· Patch Applications: to ensure software is up to date with security patches.
· Configure Microsoft Office Macro Settings: to block malicious macros.
· User Application Hardening: to disable risky or unnecessary features in browsers, like Flash or Java.
· Restrict Administrative Privileges: to limit admin access to those who require it.
· Patch Operating Systems: to ensure operating systems are current with security patches.
· Multi-Factor Authentication (MFA): to enforce MFA for remote access, privileged accounts, and critical systems.
· Regular Backups: to maintain secure, offline backups to ensure data recovery in case of incidents.
For KCM, which has 20 people operating in different states and centres across Australia, this is a complicated and detail-oriented challenge.
The first step was to do a survey of all programs and applications already on the devices, review security implications for each, and identify any unsanctioned applications on each device.
“So, the first thing we did was to workshop which applications would be ‘whitelisted’ – i.e., the ones the Defence clients needed to use to support remote access and also business operations. We needed to get everything back ended into a baseline of essential services, which were mostly Microsoft or Citrix based.”
“When you start a process like this, you have no idea what applications people have on their devices for personal use. This was a learning curve in itself! But anything that wasn’t essential for work had to be removed. So, the IT Agency support team went into each device, uplifted the operating system and all applications. Once this was done, all the devices were rolled back into the tenant,” explains Kent.
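The survey-and-allowlist step described above can be expressed as a repeatable check rather than a one-off workshop. The following Python script is an added example, not code from KCM or the IT Agency: it takes a constructed inventory of applications found on each device, compares it against a hypothetical allowlist of sanctioned applications (each with its sanctioned publisher and a minimum patched version), and reports three kinds of findings per device: applications that are not on the allowlist at all, applications whose name matches but whose publisher does not, and sanctioned applications that are behind the minimum patched version. The first two findings support the Application Control strategy, the third supports Patch Applications. All device names, application names and version numbers below are constructed for the example.

```python
"""Audit a device inventory against an application allowlist (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class AllowedApp:
    """One allowlist entry: the sanctioned publisher and the minimum patched version."""
    publisher: str
    min_version: Tuple[int, ...]


# Hypothetical allowlist for the example; not KCM's real baseline.
ALLOWLIST: Dict[str, AllowedApp] = {
    "Microsoft 365 Apps": AllowedApp("Microsoft Corporation", (16, 0, 17328)),
    "Citrix Workspace": AllowedApp("Citrix Systems, Inc.", (24, 2)),
    "Microsoft Edge": AllowedApp("Microsoft Corporation", (124, 0)),
}

# Constructed inventory: what a survey of each laptop might return.
INVENTORY: Dict[str, List[Dict[str, str]]] = {
    "LAPTOP-01": [
        {"name": "Microsoft 365 Apps", "publisher": "Microsoft Corporation", "version": "16.0.17328.20162"},
        {"name": "Citrix Workspace", "publisher": "Citrix Systems, Inc.", "version": "24.2.0.65"},
        {"name": "Microsoft Edge", "publisher": "Microsoft Corporation", "version": "124.0.2478.80"},
    ],
    "LAPTOP-02": [
        # Sanctioned but behind the minimum patched version.
        {"name": "Microsoft 365 Apps", "publisher": "Microsoft Corporation", "version": "16.0.16130.20218"},
        # Same product name as an allowed entry, but a different publisher.
        {"name": "Microsoft Edge", "publisher": "Unknown Publisher", "version": "124.0.2478.80"},
        # Personal-use software that is not on the allowlist.
        {"name": "Personal Music Player", "publisher": "Example Freeware", "version": "3.1"},
    ],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple so versions compare numerically."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def audit_device(installed: List[Dict[str, str]],
                 allowlist: Dict[str, AllowedApp]) -> List[Tuple[str, str]]:
    """Return (finding, application) pairs for one device; an empty list means compliant."""
    findings: List[Tuple[str, str]] = []
    for app in installed:
        rule = allowlist.get(app["name"])
        if rule is None:
            findings.append(("unsanctioned", app["name"]))
        elif app["publisher"] != rule.publisher:
            # A matching name with the wrong publisher is treated as unsanctioned.
            findings.append(("publisher-mismatch", app["name"]))
        elif parse_version(app["version"]) < rule.min_version:
            findings.append(("outdated", app["name"]))
    return findings


def audit_fleet(inventory: Dict[str, List[Dict[str, str]]],
                allowlist: Dict[str, AllowedApp]) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every device in the inventory."""
    return {device: audit_device(apps, allowlist) for device, apps in inventory.items()}


def compliant_devices(report: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Devices with no findings, ready to be enrolled into the managed tenant."""
    return sorted(device for device, findings in report.items() if not findings)


if __name__ == "__main__":
    fleet_report = audit_fleet(INVENTORY, ALLOWLIST)
    for device_name, device_findings in fleet_report.items():
        status = "compliant" if not device_findings else "needs uplift"
        print(f"{device_name}: {status}")
        for kind, app_name in device_findings:
            print(f"  {kind:<18} {app_name}")
```

Name-based matching is enough for the survey stage, where the goal is to find what has to be removed before a device is enrolled. Enforcement on the device is a different matter: Windows application control tooling such as AppLocker and Windows Defender Application Control identifies software by signing certificate or file hash rather than by display name, which is why the publisher check above is the one to carry into the real policy.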
Once DISP Accreditation was secured, the IT Agency then had to ensure KCM continued to enjoy optimal IT performance in line with its accreditation requirements. To do this, the IT Agency delivered whole-of-business IT services and support, coordinated and delivered by its own team.
This service includes a remotely managed staff onboarding process that ensures all laptops and devices are purchased, set up within the DISP compliant environment, and shipped to new staff. The IT Agency also coordinates all of KCM’s ongoing licensing, device patching and security baseline management requirements.
“The outcome of this fully managed service is a streamlined business where IT spend is optimised and DISP compliance is continually maintained. With IT Agency managing this process for us, we enjoy considerable cost savings of buying all hardware in bulk, with our licensing fully optimised,” explains Kent.
The IT Agency manages KCM’s application whitelisting, backup, anti-spam and security baselines for a fixed monthly fee. This arrangement gives the business budget certainty and peace of mind.
IT services and support are delivered as required, which includes all procurement, set-up, and deployment of devices, along with ongoing maintenance and support. This means that if any staff member has a problem, they can contact IT Agency’s Support team, and their issue will be resolved as quickly as possible.
With the marked uptick in cyber threats, firms like KCM need to rely on secure systems to exchange sensitive information and maintain seamless operations. Without proper safeguards, malware embedded in files can go undetected for years, potentially leaking critical Defence data.
IT Agency ensures all ICT systems are hardened, compliant, and resilient, enabling Defence industry organisations to operate securely while protecting classified information. Their services are essential for safeguarding national security and supporting Defence business continuity.
“As part of the DISP accreditation we must prove we’re doing regular patching and updates, in line with the changing Essential 8 controls. So, the IT Agency’s application whitelisting service prevents any unsanctioned application from running,” explains Kent.
This is an essential service for organisations operating in the defence sector because it ensures a robust, cyber-compliant ICT infrastructure that’s critical for meeting DISP guidelines.
Part of the DISP accreditation involved ensuring the connected core has the correct cyber security protocols. KCM needed to have a Defence accredited back-up provider, who was Australian based with no offshore data storage facilities.
AvePoint was chosen for cloud backup and data protection. As well as being an Australian-based organisation, AvePoint integrates data security, governance, and resilience to provide complete protection.
Accreditation is only achieved and maintained if all service providers meet the strict DISP protocols, so the IT Agency arranges and maintains all relationships with KCM’s vendor partners and ensures all SaaS solutions are put into the Microsoft tenant.
These include Australian-based data storage facilities, Microsoft 365 for the enterprise Office suite, and Proofpoint for email security.
“Without the IT Agency, KCM would not have been able to achieve and maintain its DISP accreditation for Cyber,” says Kent.
“Ron has been instrumental in leading the relationship. He quickly understood what we wanted to achieve and delivered the uplift effectively, staying within a budget we could afford. Recently, we faced a spam issue, but one quick call and Ron had it sorted out immediately.
“The service is continuously evolving and updating, ensuring it stays relevant and effective. We’ve tested the market through tenders and even tried local businesses, but we’ve stuck with the IT Agency.
“Even though they’re in Sydney and we’re in Canberra, they consistently deliver the right level of service every time, and their support is seamless.”
Kent Murrells, Founder and Director, KCM Consulting.