Cybersecurity Maturity Model Certification 2.0: Requirement for UK Contractors in US Defence

Key Takeaways: If your organisation supplies components, software, services, or specialist expertise into the US defence market, the rules for doing so have changed. The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 is no longer an aspiration. Phase 1 went live in November 2025, and Phase 2, mandatory third-party certification, arrives […]

Beyond the Questionnaire: What Real Supply Chain Assurance Looks Like for Primes

Key Takeaways: Every year, a swathe of SAQs are issued and the respective suppliers fill them in. In effect, the box gets ticked. For many Primes, this has become the accepted standard for supply chain assurance, repeated without question year after year. This level of complacency is a problem, and the regulatory environment is making it harder to ignore. Under CSM v4 and DEFCON 658, what Primes are now […]

Breach, Report, Recover: What Security Incidents Organisations Must Report and How to Do It

Key Takeaways: When a security incident occurs, the instinct in many organisations is to delay, assess the magnitude of the incident, and then judge whether or not to report it. This procrastination is itself a compliance failure. ISN 2025/03, issued by the Ministry of Defence in May 2025, removes any ambiguity. Defence suppliers are obligated to report all security incidents promptly. This blog sets out what that […]

Under CSM v4, Cyber Essentials is Non-Negotiable


Key Takeaways: There is a persistent misconception across the UK defence supply chain that the Cyber Security Model (CSM v4) has replaced Cyber Essentials. It hasn’t. Since CSM v4 became mandatory in December 2025, some defence SMEs have quietly dropped their Cyber Essentials renewals on the assumption that the new framework covers the same ground. That assumption costs […]

MOD Formally Confirms DCC as Proof of DEFCON 658 Conformance

Gareth Shaw, MD Pera Prometheus

Key Takeaways: Defence Cyber Certification (DCC) launched in May 2025, but its validity as proof of conformance with the Cyber Security Model (CSM) was not formally acknowledged by MOD until now (30 Mar 2026). In addition, there has been a degree of confusion as to the scope and breadth of […]

No Framework, No Safety: Information Security and Cyber Resilience for UK SMEs

Key Takeaways: Most businesses have some form of information and cyber security in place: antivirus software, reasonably strong passwords, maybe a firewall. The problem is that having a handful of tools is not the same as having a plan. Without something to connect them, a framework, you end up with security that covers the obvious things […]

IPSA Is Not an HR Process, It’s Your First Line of Defence Against Insider Threat

Key Takeaways: Picture this. A small defence contractor spends months earning their IPSA (Industry Personnel Security Assurance) accreditation. The processes in the PRF have been accepted by ISAC and you can now manage your own security clearances. Then, twelve months later, a member of staff with security clearance leaves under difficult personal circumstances. It takes […]

ISO 27001 Checklist: Giving Information Assurance to Potential Clients

ISO 27001 is the internationally recognised standard for Information Security Management Systems (ISMS). In the defence supply chain, it can carry particular weight because the information you handle (technical drawings, project timelines, personnel data, classified correspondence, etc.) often has implications that go well beyond your own organisation. Your clients need to have confidence that your business […]