Key Takeaways
- CSM v4 has been the mandatory cyber assurance framework for DEFCON 658 contracts since 3 December 2025. It sits on top of Cyber Essentials, not in place of it.
- Cyber Essentials is required at every Cyber Risk Profile Level (0 to 3) under CSM v4, with Cyber Essentials Plus at Levels 2 and 3. You cannot pass your Supplier Assurance Questionnaire without it.
- DEFSTAN 05-138 Issue 4 is the control framework behind CSM, and it maps directly onto Cyber Essentials so evidence can be re-used.
- Primes carry flow-down liability under DEFCON 658. Your sub-supplier’s Cyber Essentials status is your commercial problem too.
- The Danzell update to Cyber Essentials goes live on 27 April 2026, raising the bar on MFA, patching and cloud scope. Because CE evidence feeds the SAQ, that changes what "good" looks like inside a CSM v4 submission too.
There is a persistent misconception across the UK defence supply chain that the Cyber Security Model (CSM v4) has replaced Cyber Essentials. It hasn't. Since CSM v4 became mandatory in December 2025, some defence SMEs have quietly dropped their Cyber Essentials renewals on the assumption that the new framework covers the same ground. That assumption costs contracts. Cyber Essentials is the foundation layer inside the MOD's Cyber Security Model, and treating the two as alternatives is a fast way to fail a Supplier Assurance Questionnaire (SAQ), lose a bid, or expose your Prime under DEFCON 658. This post explains how the two fit together, what each risk profile demands, and where defence suppliers most often come unstuck.
What CSM v4 Is And Why It Changed the Game
The Cyber Security Model is the Ministry of Defence’s risk-based method for assuring cyber security and resilience across its supply chain. It is mandated through DEFCON 658, the Defence Condition that flows contractual cyber obligations down from Prime to Sub-contractor, and it is underpinned by Defence Standard 05-138 Issue 4, the control framework that specifies what suppliers must actually do.
CSM v4 went live on 3 December 2025 following Industry Security Notice 2025/07. Earlier versions focused on protecting specific MOD Identifiable Information inside a contract. CSM v4 moves the focus to organisational security and resilience. Your whole business is in scope, not just the team delivering the MOD work.
Every contract carrying DEFCON 658 now triggers a Risk Assessment by the buyer and a SAQ from you, both submitted through the Supplier Cyber Protection Service portal. Inside that framework, Cyber Essentials plays a specific and non-negotiable role.
Where Cyber Essentials Sits inside the CSM
The Defence Cyber Protection Partnership (DCPP) has always recognised Cyber Essentials as the foundation of good cyber hygiene for defence suppliers. It is the first layer of the CSM stack, not an alternative to it. Every CSM Risk Assessment returns a Cyber Risk Profile, and every profile level requires Cyber Essentials (or, at the higher levels, Cyber Essentials Plus) as a baseline, with additional controls from DEFSTAN 05-138 Issue 4 layered on top.
The MOD has published a formal mapping document showing how DEFSTAN 05-138 Issue 4 aligns with Cyber Essentials (CE) and other common frameworks. In practice this means CE evidence can be re-used inside the SAQ rather than duplicated.
For organisations that need to certify quickly, Pera Prometheus is an approved certification body for both Cyber Essentials and Cyber Essentials Plus, offering preparation and certification under one roof. Our guide to CSM v4 walks through the full assurance process, but the cleanest way to see how CE fits is to look at the Cyber Risk Profiles (CRP) themselves.
The Four Cyber Risk Profiles and What Each One Demands
CSM v4 assigns every contract one of four Cyber Risk Profile (CRP) Levels, replacing the old Very Low / Low / Moderate / High bands. The v3 and v4 profiles do not map onto each other: a CSM v3 "Low" does not equate to a CSM v4 CRP Level 1, so do not carry an old profile across. Each CSM v4 CRP Level requires a different set of DEFSTAN 05-138 Issue 4 controls to be met.
Level 0 — Basic. For very low assessed cyber risk with minimal exposure to sensitive systems or data. Cyber Essentials is required, alongside 3 baseline controls.
Level 1 — Foundational. The common starting point for SMEs on general MOD work. Cyber Essentials is required, plus 101 DEFSTAN controls covering governance, risk, protective controls, incident response and training.
Level 2 — Advanced. Contracts with greater sensitivity. Cyber Essentials Plus (audited, independently verified) is mandatory, alongside 139 controls including continuous monitoring and stronger technical assurance.
Level 3 — Expert. The highest assessed cyber risk. CE Plus is mandatory and 146 controls apply, built around a defence-in-depth model focused on prevention, detection, response and recovery.
Where Primes and SMEs Get This Wrong
Three traps come up repeatedly.
- SMEs assume CE alone is enough. It isn’t. CE gets you in the room, but the SAQ still has to be completed and evidenced against the DEFSTAN 05-138 controls that apply to your profile.
- Primes flow down DEFCON 658 without checking. If a sub-supplier in your chain fails Cyber Essentials or lets its certification lapse, that is a flow-down failure, and under DEFCON 658 the contractual liability is yours. Sub-supplier assurance is the Prime's problem, not only the sub's.
- Everyone underestimates Danzell. On 27 April 2026, the Cyber Essentials question set changes from Willow to Danzell. Multi-factor authentication becomes mandatory across all cloud services, high-risk patches must be applied within 14 days, and social media accounts used for business come explicitly into scope. Because your CE evidence sits inside your CSM SAQ, the bar has moved under CSM as well, even though CSM itself has not changed.
Ready to Take the Next Step?
Stacking CSM, Cyber Essentials, DEFCON 658 and Danzell mid-bid is where most defence contractors lose time. At Pera Prometheus, we work with Primes and suppliers at exactly this stage, preparing SAQs, certifying CE and CE Plus, and mapping DEFSTAN 05-138 evidence. Get in touch and let’s talk through where you are.
Frequently Asked Questions
Q: Does Cyber Essentials on its own satisfy CSM?
A: No. Cyber Essentials is the baseline inside CSM, not a substitute. You still need to complete the Supplier Assurance Questionnaire and evidence additional DEFSTAN 05-138 controls for your Cyber Risk Profile.
Q: Do I need to redo my SAQ because of the Danzell update?
A: Not immediately. But when your CE certificate renews on Danzell from 27 April 2026, the underlying evidence in your SAQ must match the stricter Danzell controls, particularly MFA across cloud services and 14-day patching.
Q: As a prime, am I liable if a sub-supplier fails their SAQ?
A: Under DEFCON 658 the prime is responsible for flow-down, which includes assuring sub-suppliers meet the same cyber requirements. A sub-supplier’s lapsed CE or failed SAQ is a prime’s problem.
Q: Does CSM v4 apply to contracts signed before 3 December 2025?
A: New procurements from that date must use CSM v4. Existing contracts transition under Industry Security Notice 2025/07; check the ISN for your flow-down obligations.
Stay Safe, Stay Secure.


