Cyber Security Model & DEFSTAN 05-138 in Defence Industry


Gareth Shaw, Founder of Pera Prometheus Consulting Ltd

Securing contracts with the UK Ministry of Defence (MOD) offers significant opportunities for businesses within the Defence Industry. However, understanding and adhering to the MOD’s information and cyber security requirements is essential for successfully securing and maintaining these contracts. The UK Defence Industry operates in a high-stakes environment where sensitive information, national security, and critical infrastructure are at constant risk from hostile threat sources and actors in both the physical and cyber environments. As an information and cyber security consultant, I often see businesses underestimate the importance of robust information and cybersecurity measures when working with the MOD or other HMG authorities. Failing to comply with information and cybersecurity standards not only jeopardises national security but may also result in lost contracts, reputational damage, and financial penalties.

In this blog, I will explore the information and cybersecurity aspects which businesses must follow relating to the Cyber Security Model and DEFSTAN 05-138 which businesses should consider before working within Defence Industry. It should be noted that there are other processes that MOD may require you to follow, implement and maintain such as Secure by Design, Facility Security Clearance (FSC) and Industry Personnel Security Assurance (IPSA), but these will be covered in other blogs.

Cyber Security Model in the Defence Industry

The Cyber Security Model (CSM), developed by the UK Ministry of Defence (MOD), is essential for safeguarding the integrity and resilience of the MOD’s supply chain against cyber threats. This structured, risk-based framework mandates that suppliers implement cyber security measures aligned with the sensitivity and risk of the information they manage in relation to the programmes or projects that they are supporting. Businesses seeking to enter or expand their presence within Defence Industry should familiarise themselves with the specific requirements outlined by the CSM, be prepared to achieve relevant certifications, and actively participate in initiatives such as the Defence Cyber Protection Partnership (DCPP) to demonstrate robust cyber security practices and readiness.

Key components of the CSM include:

Risk Assessment:

Each MOD contract undergoes a Risk Assessment conducted by the MOD Delivery Teams. This assessment determines the Cyber Risk Profile of the contract, categorising it into one of four levels: “Very Low,” “Low,” “Moderate,” or “High.” The assigned risk profile dictates the specific cyber security controls that suppliers must implement. It should be noted that a new version of the CSM is due for release this year which will move from verbal to numeric assessment levels. Once the new CSM is in force, Revision 4 of DEF STAN 05-138 will come into effect.

Defence Standard (DEFSTAN) 05-138:

This standard outlines the cybersecurity requirements for defence suppliers. It aligns with the DCPP and ensures that suppliers protect MOD Identifiable Information from loss, misuse, or unauthorised disclosure. The requirement to comply with DEFSTAN 05-138 will be dictated to your Business by either the Contracting Authority or the Defence Industry Prime. If DEFSTAN 05-138 is the chosen assurance format, as opposed to Secure by Design, then your Business will need to demonstrate adherence through the SAQ process.

Supplier Assurance Questionnaire (SAQ):

Suppliers must self-assess their compliance with the CSM requirements by completing the SAQ. This process involves evaluating current cyber security measures against the stipulated DEFSTAN 05-138 controls for the Business’s contract(s) risk profile as ascertained by the CSM Risk Assessment.

Flow Down Requirements:

When suppliers subcontract elements of their MOD contracts, they are responsible for conducting a Risk Assessment for the subcontracted work. This ensures that subcontractors also implement appropriate cyber security measures, maintaining the integrity of the entire supply chain. Such flow down requirements will be clearly stated in the Security Aspects Letter (SAL) associated with the contract.

Cyber Implementation/Improvement Plan (CIP):

If a supplier cannot fully meet the required controls, they must produce and implement a CIP detailing how they intend to remediate any shortfalls and maintain the required standards throughout the lifecycle of the programme, project or contract. This plan is subject to MOD approval and ensures that suppliers are actively working towards meeting the necessary standards.

Defence Condition 658 (DEFCON 658):

This contractual clause specifies the terms related to cyber security within MOD contracts. It reinforces the obligations of suppliers to adhere to the CSM and ensures that cyber security requirements are legally binding.

Current and Upcoming Versions of the CSM:

Cyber Security Model v3 (CSMv3):

CSMv3 is specifically designed to protect electronic information classified as “MOD Identifiable Information.” It categorises cyber risks into four distinct profiles: Very Low, Low, Moderate, and High. CSMv3 relies on security controls detailed in Defence Standard 05-138 Issue 3. Since June 2021, CSMv3 has operated under an interim process detailed in Industry Security Notice 2021/05. This interim arrangement includes temporary measures:

  • Pausing flow-down obligations for contracts assessed as “Very Low,” “Low,” and “Moderate” risk.
  • Pausing annual renewal obligations for existing certifications.
  • Despite the pause, DEFCON 658 must still be included in contracts where MOD Identifiable Information is shared with subcontractors.

Cyber Security Model v4 (CSMv4):

CSMv4 represents a significant update aimed at enhancing organisational security and resilience, aligning with the MOD’s Cyber Resilience Strategy for Defence. Key features include:

  • Changing the focus from protecting “MOD Identifiable Information” to overall organisational security.
  • Introducing four new Cyber Risk Profiles: Level 0, Level 1, Level 2, and Level 3.
  • Applying controls specified in Defence Standard 05-138 Issue 4.
  • Offering a new online Supplier Cyber Protection Service for completing Risk Assessments and Supplier Assurance Questionnaires. CSMv3 risk profiles do not directly match the new profiles; therefore, fresh Risk Assessments and Supplier Assurance Questionnaires will be necessary.

Transition to CSMv4

The transition to CSMv4 will be phased. Until fully implemented, organisations should continue following CSMv3 guidelines. To help organisations prepare, several resources have been released for informational purposes:

Additional planned resources include:

  • Guidance on compliance for each Cyber Risk Profile
  • Information on flow-down requirements
  • Guidance on completing Cyber Implementation Plans (CIPs)

Key Cybersecurity Rules for the UK Defence Industry

In addition to CSM compliance, to work with the MOD or other defence clients, businesses must comply with several cybersecurity frameworks and regulations. Here are the most important ones:

IASME Certifications:

The Information Assurance for Small and Medium Enterprises (IASME) is a UK government-backed certification organisation that helps businesses protect against common cyber threats. Despite the title, Large Enterprises are also expected to meet this requirement in most cases. Some form of IASME certification is a mandatory requirement for most MOD contracts.

Cyber Essentials

Cyber Essentials covers basic security controls, such as firewalls, secure configurations, access controls, malware protection, and patch management. It’s a self-assessment process, but certification must be verified by an accredited body.

Cyber Essentials Plus

Cyber Essentials Plus goes further, requiring an independent audit of your systems, including a vulnerability assessment, to verify compliance. This is often required for contracts with higher cyber risk levels.

Cyber Assurance Levels

Cyber Assurance Levels, formerly the IASME Bronze, Silver or Gold certifications, are now measured on two levels. Both assessments focus upon an organisation's policies, processes and procedures, with Level 1 consisting of the submission of a self-assessment questionnaire to an accredited body and Level 2 being audited.

Achieving these certifications demonstrates that your business has basic protections in place and can handle sensitive information securely. A Security Management Framework Consultant can assist in preparing you for these certifications, ensuring compliance with cybersecurity in the defence industry.

Defence Cyber Protection Partnership (DCPP):

The DCPP is a joint initiative between the MOD and Defence Industry to improve cybersecurity across the Defence Supply Chain. The DCPP is responsible for the introduction and implementation of the CSM.

Depending on your contract requirements, you may need to implement additional controls beyond Cyber Essentials. For example, contracts involving the handling and storage of SECRET or above information will require additional control measures.

Compliance with Other Nations’ Requirements:

If your business works with international Defence partners, such as the US Department of Defense (DoD), you may need to comply with additional requirements, such as the US Defense Federal Acquisition Regulation Supplement (DFARS) or Cybersecurity Maturity Model Certification (CMMC). The MOD is working on mutual recognition agreements to reduce duplication, but for now, you must notify the MOD if these requirements conflict with UK regulations.

My thoughts on compliance and certification

When you operate within the UK Defence environment you are stepping into an entirely different threat landscape. Threat sources and threat actors may be willing to dedicate more resources to the execution of their attacks, and your organisation and personnel need to ensure that you are aware of the escalated threat. Information and cybersecurity in the Defence Industry is a non-negotiable aspect of working with the MOD and other Defence clients. If businesses wish to win contracts or work as a sub-contractor, then achieving the compliance and certifications stipulated by the MOD is critical. While the process can seem daunting, the benefits of winning MOD contracts, protecting your reputation, and supporting national security are well worth the effort. Businesses should consider consulting with a security management framework consultant or seeking security manager support, who can help ensure that information and cybersecurity efforts align with industry standards.

Pera Prometheus is a Company composed entirely of veterans who now assist Defence Industry to meet the challenges of achieving and maintaining MOD standards whilst continuing to operate effectively as commercial entities. We understand the MOD requirements.
