Key Takeaways
- Under DEFCON 658 and Cyber Security Model version 4 (CSM v4), Primes are accountable for the information security of their entire supply chain, including tier 2 and tier 3 suppliers, not just their direct subcontractors.
- Asking a supplier to complete a Supplier Assurance Questionnaire (SAQ) tells you what a supplier claims about their security. It does not tell you what they have actually put in place.
- When a breach originates in the supply chain, the Prime carries the contractual and reputational consequences, regardless of its origin or which tier it came from.
Every year, a swathe of SAQs are issued and respective suppliers fill them in. In effect, the box gets ticked.
For many Primes, this has become the accepted standard for supply chain assurance, repeated without question year after year. This level of complacency is a problem, and the regulatory environment is making it harder to ignore. Under CSM v4 and DEFCON 658, what Primes are now required to demonstrate to the MOD and their customers goes well beyond what any annual spreadsheet can show.
What DEFCON 658 (02/26) and CSM (version 4) Actually Require
DEFCON 658 is the MOD contract condition at the heart of supply chain information security obligations. The reference is familiar to most in defence procurement, but what it actually demands from Primes and their sub-contractors is regularly underestimated.
The obligation to flow security requirements down through the supply chain, and to conduct meaningful due diligence on subcontractor compliance, rests with the Prime. A Prime that cannot demonstrate proportionate steps to ensure its suppliers (contractors and sub-contractors) meet the relevant requirements is itself in breach.
From 3 December 2025, all MOD contracts containing DEFCON 658 (02/26) must comply with the CSM and DEFSTAN 05-138 (now at version 4 and issue 4 respectively), making the Prime’s position even clearer: ensure sub-contractors comply with CSM and DEFSTAN 05-138. Effectively, the Prime is made responsible for managing the MOD’s cyber supply chain exposure.
Where the Supplier Assurance Questionnaire can Fall Short
The Supplier Assurance Questionnaire (SAQ) is essentially a self-assessment at a single point in time. It records what a supplier believes about their own security posture, or in some cases, what they think you want to hear.
It is not subject to independent audit or confirmation, and so it does not confirm whether the stated security controls and policies are actually in place and are being managed and maintained effectively.
The NCSC’s supply chain security guidance draws a clear line between understanding what suppliers claim and understanding what they have actually implemented. The gap between what is claimed and what is real is where supply chain risk lives. Relying upon a single, unverified, point-in-time questionnaire response heightens that risk: a supplier who was ‘compliant’ in January may not be when something goes wrong in October.
There is also a dimension that a questionnaire simply cannot reach. Personnel security, including insider threat, misuse of access and unsolicited approaches from hostile actors, is the area where documented policy and actual day-to-day behaviour diverge most. As our post on incident reporting obligations under ISN 2025/03 covers, a significant proportion of reportable security incidents originate from within the supply chain rather than from an external attack.
What Real Supply Chain Assurance Looks Like
Effective supply chain assurance is built across four components. Integrating all four is essential to a holistic, risk-managed approach. Relying on any one component in isolation will leave gaps that lead to failure.
- Structured, risk-based assessment: CSM version 4 sets the standard. The MOD client assigns each contract a Cyber Risk Profile (CRP 0 through CRP 3), and every supplier needs to meet the requirements of their assigned CRP, based upon the value of the information they handle and the perceived risk presented to the programme/project. Controls required under DEFSTAN 05-138 Issue 4 scale with that profile. For Primes, this same logic must drive how you assess your own supply chain. The SAQ under DEFCON 658 is the contractual floor, not the ceiling. Ideally, suppliers at higher CRP levels need independently verified, documented evaluation, not a yes/no form.
- Independent testing: This becomes a requirement as CRP levels rise. DEFSTAN 05-138 Issue 4 mandates Cyber Essentials Plus at CRP 2 and above. Independent vulnerability assessment and penetration testing provide the verification that self-reported controls cannot.
- Continuous oversight: This is where the intent of CSM v4 and DEFCON 658 (02/26) most often gets missed. DEFCON 658 (02/26) mandates annual SAQ renewal to demonstrate continued compliance, but CSM v4 is built around ongoing risk management, not point-in-time snapshots. A Prime treating the annual SAQ as its full assurance programme meets the bare minimum requirement, not the real-world need. Higher-risk suppliers need more frequent review, with events such as a security incident, an ownership change, or a new sub-tier engagement prompting an immediate out-of-cycle check. This keeps the assurance and compliance picture current.
- Verified workforce competence: DEFSTAN 05-138 Issue 4 is very explicit on this, and it is often overlooked. The standard includes security awareness and training requirements at every CRP level because technical controls alone are not sufficient. A supplier can have the right tools and still fail if their people do not know how to use them and a supporting security culture is not present. Effective security awareness training should be relatable and leave personnel with genuinely increased awareness, as opposed to playing a video on a portal at double speed while completing another task and saving the completion certificate.
The National Cyber Security Centre (NCSC) also provides detailed Supply Chain Security Guidance designed to help organisations establish effective control and oversight of their supply chain.
What the Prime Must Be Able to Demonstrate
When the MOD or a Government programme customer asks a Prime to evidence its supply chain assurance, the question is not whether the questionnaire went out. It is: what did you find? How did you verify it? What did you actually do about the gaps? Answering that requires a documented assurance process with named ownership, a risk-tiered view of the supply chain, records of assessment and testing, and clear evidence of where remediation was required and completed.
The Cyber Security and Resilience Bill, expected to receive Royal Assent in 2026, adds financial penalties for supply chain security failures at the reporting organisation level. In a Prime-subcontractor structure, responsibility for this sits with the Prime. This is now a board-level exposure, not a compliance team matter.
Getting the assurance framework right does not require complexity. It requires the right structure, clear ownership, and a genuine commitment to keeping the picture current.
Intelligence Advantage – Staying ahead with compliance
Building genuine supply chain assurance takes more than updating a questionnaire. It takes governance, testing capability, and people across your organisation and your supply chain who understand what security means in practice. To implement the assurance framework correctly, senior management and leadership need to understand the requirement, its relevance, and where it sits in the overall business strategy.
At Pera Prometheus, we understand that senior leadership are busy running the business and may have very little opportunity to stay up to date with the changing compliance framework and regulation. This is why we have introduced The Intelligence Advantage.
The Intelligence Advantage is a senior leadership training and awareness presentation that brings security threats out of the theoretical world and into the world you live in. At the end of a short, informative brief you will walk away understanding why security matters and stop seeing it as just another compliance hurdle. We will show you the threats hidden in plain sight. Get in touch to arrange a discovery call.
Frequently Asked Questions
Q: How often should Primes assess their contracted suppliers?
A: At a minimum every 12 months, although realistically the frequency should be risk-proportionate. It would not be unreasonable to treat higher-risk suppliers as requiring more regular reviews, with additional checks triggered by incidents, ownership changes, or new sub-tier engagements.
Q: What is the Prime’s liability if a supplier causes a security incident?
A: The Prime is responsible for their sub-contractors’ compliance with DEFSTAN 05-138. Under ISN 2025/03, the Prime must also ensure the incident is reported through the MOD Defence Industry WARP, regardless of which tier it originated from.
Q: Can a large Prime with a complex supply chain realistically manage this?
A: Yes. Risk-based tiering concentrates effort where it matters most rather than applying it uniformly, which keeps the model manageable without sacrificing the rigour that a customer or auditor will expect to see.
Q: What is “The Intelligence Advantage” training and awareness programme by Pera Prometheus?
A: The Intelligence Advantage teaches leaders how to see what adversaries see: the human, behavioural, and organisational weaknesses that shape every attack, and how to start noticing the threats that hide amongst us in plain sight every day.
Stay Safe, Stay Secure