Practice Area
We translate Australia's most demanding defence compliance requirements into clear, actionable pathways, from Department of Defence cloud onboarding, through the Defence Digital Group and Joint Capabilities Group delivery environment, to achieving Authority to Operate. With AGSVA clearance and 10+ years inside the process, we know exactly where the complexity lives.
The Problem
Achieving Authority to Operate inside the Defence environment is not just a documentation exercise. It requires navigating overlapping stakeholder structures, undocumented expectations, and a process where the rules are rarely written down in one place. Most organisations encounter the same friction points, and most of them are avoidable.
The second problem is what happens after an ATO is granted. Artefacts are archived, monitoring obligations are deprioritised, and when re-accreditation arrives, the organisation is back to square one, facing the same effort, the same cost, and the same timeline pressure as the first time.
Stakeholder confusion
DCIAB, DDG, and JCG each play a distinct role in the accreditation process, but the boundaries between them are rarely explained. Engaging the wrong body at the wrong stage costs time and credibility.
Divergent process expectations
Processes are often fragmented: Defence Digital Group assurance requirements and Joint Capabilities Group delivery constraints do not always align in practice. Without experience across both domains, organisations frequently produce accreditation documentation that satisfies one pathway while failing to fully meet the other.
Invisible timelines
Published timeframes for accreditation do not exist. Signature cycles routinely run one to two months. Without visibility into where a submission sits and why, projects stall and budgets blow out.
Rework at re-accreditation
ATO is treated as a finish line rather than an ongoing posture. Artefacts are data-dumped after approval, monitoring lapses, and when re-accreditation arrives the organisation faces the full effort again from scratch.
The ATO Pathway
Authority to Operate is not a single document; it is the outcome of a structured accreditation process that demonstrates your system meets Defence's security requirements. Each step builds on the last, and gaps at any stage create delays.
We have supported enterprise and Defence-aligned programs through the full accreditation lifecycle, from initial design reviews through to Authority to Operate milestones. Rather than over-engineering responses, we focus on producing documentation and evidence that are proportionate, defensible, and aligned with Defence assurance requirements.
Define what is in scope for accreditation: systems, data classifications, user types, and network boundaries. Getting this right early prevents scope creep and rework.
Map your current state against the applicable ISM controls and PSPF requirements. We identify gaps, prioritise remediation, and build a realistic treatment plan.
We write to the standard, not around it. Produce the full accreditation pack including System Security Plan (SSP), SSP-Annex, Incident Response Plan, Continuous Monitoring Plan, Security Risk Management Plan, and supporting evidence.
Submit the accreditation package to DCIAB's Assessment and Authorisation team. They review the documentation, coordinate stakeholder sign-off across Defence Digital Group and Joint Capabilities Group, respond to findings, and brief up to the DCIAB CISO for final authorisation.
Once the DCIAB CISO signs off, Authority to Operate is achieved. We help you establish the ongoing compliance posture, including continuous monitoring, annual reviews, and change management processes to maintain accreditation.
Scope of Practice
Blackwell & Stone supports organisations across the full accreditation lifecycle, from assessing readiness and identifying delivery risks, through developing the artefacts required for accreditation, to maintaining continuous assurance so that re-accreditation becomes a predictable process rather than a costly remediation exercise. Our three offerings align directly to each stage of that lifecycle.
A structured assessment of your organisation’s readiness to achieve and maintain Authority to Operate. We identify accreditation risks, governance gaps, stakeholder engagement deficiencies, and artefact maturity issues, assessing both Defence engagement pathways and documentation readiness.
The outcome is an executive-level readiness report with prioritised remediation actions, delivery risks, and a clear pathway to accreditation before significant effort is invested in documentation or submissions.
End-to-end delivery of Defence accreditation artefacts and supporting governance activities. We develop and align the full documentation suite including the System Security Plan (SSP), SSP-Annex, Incident Response Plan (IRP), Continuous Monitoring Plan (CMP), Security Risk Management Plan (SRMP), and supporting evidence packs, against ISM and PSPF requirements.
We also coordinate stakeholder engagement, accreditation activities, and DCIAB submissions, either as a fully managed service or alongside your internal team.
A retainer-based assurance service that maintains accreditation artefacts as living governance controls throughout the lifecycle of your environment. We provide ongoing SSP and SSP-Annex maintenance, ISM change impact analysis, annual artefact uplift, and accreditation readiness reviews, ensuring documentation remains current, audit-ready, and aligned with operational change.
The result is a predictable re-accreditation process without the cost, disruption, and resource burden of large-scale remediation efforts.
How We Work
Every organisation approaches this process differently; some need us to own it entirely, while others have capable teams that need a clear expert alongside them. Both models deliver the same outcome.
We lead the process end to end.
We sit alongside your team and build capability.
Why Blackwell & Stone
Our principal holds an AGSVA security clearance and has spent over a decade advising organisations navigating the Defence compliance environment, working within the Defence Digital Group and Joint Capabilities Group delivery structure. We have supported enterprise clients in achieving Authority to Operate, and we understand what DCIAB's Assessment and Authorisation team actually needs to see to brief up to the DCIAB CISO.
Whether you're at the start of a Defence cloud project or mid-way through an accreditation that has stalled, we can help you find the fastest path forward.