CSM Version 4 Explained: What Defence Suppliers Need to Know in 2026

For defence suppliers, the landscape of cyber and supply chain security has shifted significantly. With the formal implementation of the Cyber Security Model version 4 (CSM v4), the Ministry of Defence (MOD) has moved away from temporary interim measures to a robust, risk-managed, evidence-based regime.

If your organisation is part of the UK defence supply chain, these changes are not optional. As of 3 December 2025, CSM v4 is the mandatory framework for assurance on contracts where DEFCON 658 applies. It represents a move away from simply protecting MOD Identifiable Information (MOD II) to ensuring your entire organisation is resilient to attack.

This guide breaks down what CSM v4 means for your business in 2026, the specific requirements of the new risk levels, and the practical steps you need to take to remain compliant and competitive.

5 Key Takeaways for Suppliers

  • CSM Version 4 is now mandatory – Since 3 December 2025, all new and existing MOD contracts containing DEFCON 658 must comply with CSM v4 and Defence Standard 05-138 Issue 4.
  • Risk levels have changed – The old CSM v3 Cyber Risk Profiles (Very Low, Low, Moderate, High) have been replaced with four Cyber Risk Profile Levels (0, 1, 2, 3), with clearer requirements for each.
  • Everyone in the supply chain must comply – Unlike previous versions, CSM v4 applies to all suppliers and subcontractors, not just prime contractors.
  • Proof Over Paperwork – Policy statements are no longer enough; suppliers must now provide demonstrable, evidence-based proof that their security controls are effective.
  • Annual Reviews Reinstated – If you have an existing contract referencing a Cyber Risk Profile, the Contracting Authority’s SRO should assign a Cyber Risk Profile Level upon the contract anniversary. Thereafter you will be required to complete an annual SAQ review.

What is CSM v4?

The Cyber Security Model (CSM) is the MOD’s method for building security into its supply chain. While previous versions focused on protecting specific MOD II, the onus of CSM v4 is on supplier organisational security and resilience, which represents a significant change in purpose and effort. CSM v4 creates a single, enforceable standard underpinned by DEFCON 658 (07-25): Cyber Flow Down. This aims to standardise how cyber risk is determined and managed across the entire defence ecosystem, from major primes down to the smallest SME. The MOD recognises that if an organisation within the supply chain is compromised, the knock-on effects could impact defence operations, even if the attackers never directly target MOD information.

The New Cyber Risk Profile Levels

One of the most immediate changes you will notice is the new risk grading system. Your Contracting Authority (this can be the MOD Delivery Team, a Defence Prime, or a Sub-Contractor) will assign your contract one of four Cyber Risk Profile Levels (CRPL) based upon a risk assessment, currently derived from the Risk Assessment and Supplier Assurance Questionnaire (SAQ). Each level corresponds to the volume and complexity of security controls you must implement, as detailed in Def Stan 05-138 Issue 4.

  • Level 0 (Basic): The Level 0 ‘Basic’ CRPL is normally assigned where there is a very low level of assessed cyber risk to a Supplier delivering an output. It requires Supplier organisations to demonstrate basic cyber security practices and requires adherence to 3 specific controls, including Cyber Essentials certification.
  • Level 1 (Foundational): The Level 1 ‘Foundational’ CRPL is normally assigned where there is a low to moderate level of assessed cyber risk to a Supplier delivering an output. It requires Supplier organisations to demonstrate a comprehensive cyber security programme with good practices. It requires an additional 98 controls to be applied. You must hold a valid Cyber Essentials certification and demonstrate a comprehensive security programme.
  • Level 2 (Advanced): The Level 2 ‘Advanced’ CRPL is normally assigned where there is a high level of assessed cyber risk to a Supplier delivering a contracted output. It requires Supplier organisations to demonstrate advanced cyber security oversight and planning which drives robust organisational and cyber practices. This requires an additional 38 controls to be applied, including having Cyber Essentials Plus certification.
  • Level 3 (Expert): The Level 3 ‘Expert’ CRPL is normally assigned where there is a substantial level of assessed cyber risk from a Supplier delivering a contracted output. It requires Supplier organisations to demonstrate expert cyber security capabilities that fully take advantage of the ‘defence in depth’ methodology to appropriately protect the organisation against new and evolving threats. At this level, a total of 144 controls are applied to the business IT infrastructure.

It is worth noting here that the MOD has been very clear in stating that the old Cyber Risk Profiles defined in CSM v3 relate in no way whatsoever to the Cyber Risk Profile Levels in CSM v4. Be wary of misinterpreting the use of familiar terms such as “very low” or “high” when reading the descriptions of the CRPLs in CSM v4.

Understanding DEF STAN 05-138 Requirements

The reasoning behind CSM v4 is contained in DEFCON 658: Cyber Flow Down, which is a contract condition for providing products, services and solutions to the MOD. DEFCON 658 is essentially the policy behind the controls described in Def Stan 05-138 Issue 4. Unlike a simple checkbox exercise, this standard demands evidence of governance, risk management, and technical security. Think of CSM v4 as the What and Why, and Def Stan 05-138 as the How.

The controls set out in Def Stan 05-138 cover a range of areas, including network security, access management, encryption, incident response, vulnerability management, and staff training. The controls scale with your assigned risk level: the higher your level, the more comprehensive your security measures need to be.

Def Stan 05-138 Issue 4 is more prescriptive than previous versions and specifies exactly what good security looks like at each level. This clarity is helpful, but it also means there’s less room for interpretation.

CSM v4 Timeline and Deadlines

CSM v4 officially became effective for all new MOD contracts on 3 December 2025.

  • New Contracts: All new Risk Assessments and SAQs must use the new CSM v4 tooling, the Supplier Cyber Protection Service. You are required to submit a new SAQ on the anniversary of your contract award date.
  • Existing (Legacy) Contracts: On the contract anniversary, your Delivery Team should notify you, in advance, of your new Cyber Risk Profile Level (0–3).
  • Transition Period: The MOD has indicated that during the 2025/26 financial year, project teams may offer some flexibility regarding remediation timelines to help suppliers adjust to the tougher requirements.

Practical Steps Suppliers Should Take

Once you are in receipt of a MOD contract which advises a CRP Level to be achieved:

  1. Register on the Portal: Familiarise yourself with the Supplier Cyber Protection Service on gov.uk. You cannot submit your assessments without access to this tool.
  2. Confirm Your Level: Check with your MOD Delivery Team to confirm your Cyber Risk Profile Level (0–3). Do not guess; the requirements between levels differ significantly.
  3. Conduct a Gap Analysis: Compare your current security setup against the controls listed in Def Stan 05-138 Issue 4. Identify exactly where you fall short and complete a Cyber Improvement Plan (CIP) to address these shortcomings. Note here that CSM v3 used Cyber Implementation Plans, whereas CSM v4 uses Cyber Improvement Plans.
  4. Secure Certifications: Ensure your Cyber Essentials certification is current (required for Level 0 and Level 1). If you are Level 2 or Level 3, you must achieve Cyber Essentials Plus. If these lapse, you are non-compliant.
  5. Prepare Your Evidence: Gather your policies, logs, and training records. Assessors will ask for proof that a policy is actually being followed, not just that it exists on paper.

Navigating Compliance with Confidence

Adapting to CSM v4 may feel daunting, especially for organisations that do not have a large in-house cybersecurity team. The culture shift from self-assessment to evidence-based assurance means that compliance may well be challenging to achieve.

This is where a consultative partner can be invaluable. We at Pera Prometheus specialise in helping defence suppliers navigate the specific complexities of MOD requirements. We understand that some SMEs may find it difficult to interpret the actual compliance needs. Whether you need a Remote Security Manager to guide your governance strategy, or a detailed gap analysis to see how you measure up against Def Stan 05-138, our team understands the unique pressures of the defence sector.

To combat the confusion surrounding CSM v4, we have provided an interactive flow chart of the process on our website. For more information on how we can support your compliance journey, visit Pera Prometheus.

Frequently Asked Questions (FAQs)

1. What happens if I cannot meet the requirements immediately?

If you cannot meet the required controls, you must submit a Cyber Improvement Plan (CIP). This document details the specific areas of non-compliance and the timescales for fixing them. This plan becomes part of your contract, and failure to meet the agreed deadlines can have commercial consequences.

2. Do I really need Cyber Essentials Plus?

Yes, if your contract is assessed at Level 2 (Advanced) or Level 3 (Expert). Cyber Essentials Plus involves an independent technical audit and is mandatory for these levels. For Level 0 and Level 1, the basic Cyber Essentials certification is the minimum requirement.

3. What is Flow Down and is it my responsibility?

Flow Down is the process of passing security requirements down the supply chain. If you subcontract any part of an MOD contract, you are responsible for assessing the cyber risk of your subcontractors (creating a Risk Assessment Reference for them) and ensuring they complete their own SAQs.

4. Does CSM v4 apply to all suppliers?

It applies to all suppliers engaged on contracts where the MOD is a contracting party, specifically those containing DEFCON 658. Even suppliers of low-risk goods (Level 0) must meet basic requirements, including Cyber Essentials.

Stay Safe, Stay Secure