What Are the Most Common Pitfalls in Defence Cybersecurity and Resilience, and How Can You Avoid Them?

Defence Cybersecurity and Resilience

Defence cybersecurity and resilience is now a core expectation and contractual requirement for any organisation working with or supporting the UK defence industry. The Ministry of Defence’s (MOD) DEFCON 658 (Cyber Flowdown) and the Cyber Security Model (CSM) set out how cyber risk should be assessed and managed across defence contracts, while broader best practice guidance from the National Cyber Security Centre (NCSC) helps suppliers strengthen their resilience and protect sensitive information throughout the supply chain.

Yet Information Assurance and Cybersecurity are specialist areas, so it is no wonder that many businesses, particularly Small and Medium Enterprises (SMEs), still find compliance challenging. Cyber frameworks can appear complex, requirements shift regularly to match the developing threat, and the consequences of getting it wrong can range from contract delays to real operational and security risks to the business. This is a very broad arena in which to obtain a high degree of expertise in a relatively short timeframe.

This blog explores the most common pitfalls businesses face in defence cyber compliance, alongside practical steps to avoid them. The aim is to simplify the topic and help businesses feel more confident and informed.

Why do SMEs struggle with defence cyber compliance?

Many SMEs are highly capable in their domain but most likely do not have dedicated internal cyber security teams or compliance expertise. As a result, they face challenges such as:

  • An underappreciation of the threats that exist to their business
  • Unfamiliarity with MOD or NCSC terminology
  • Uncertainty on how to apply the standards required by Defence, e.g. Def Stan 05-138, CSM, DCC, etc.
  • Resource constraints when implementing security improvements and maintaining them as part of continuous diligence.

Understanding and recognising these barriers helps businesses take realistic, manageable steps towards compliance. 

Below are some of the common pitfalls and how to avoid them.

1. Understanding what measures need to be applied

Issue 4 of the Cyber Security Model (Def Stan 05-138), released on 3rd Dec 2025, introduces 4 Cyber Risk Profile Levels (CRPLs): Level 0, Level 1, Level 2 and Level 3, each mapped to a set of controls drawn from NIST 800-171. These controls must be applied across the whole business infrastructure. This is a subtle change from Issue 3 of the CSM, where controls only needed to be applied to the IT infrastructure used to handle MOD Identifiable Information (MOD II). With Issue 4, the onus is now on MOD suppliers’ organisational security and resilience.

Ultimately, CSM v4 concerns itself with Cyber Resilience within the Business.

The CSM level is determined as part of a risk assessment undertaken by the Contracting Authority and is then flowed down to sub-contractors. Should sub-contractors themselves need to sub-contract to business partners, they are obliged to carry out their own risk assessment to determine the level those partners must apply across their business IT infrastructure.

Interpreting the requirements of the CSM Issue 4 controls will, for some SMEs, be challenging and, for some, overwhelming.

A potential starting point is to undertake a Business Impact Analysis (BIA) to identify critical assets, resources and operations and, from there, work toward applying the CSM security controls as they apply to the business, rather than adopting a tick-list of measures which are not necessarily relevant and cost the business unnecessary expense and managerial overhead.


How to avoid this

  • Confirm the assigned Cyber Risk Profile Level with the contracting authority, early in the tender process.
  • Identify the critical assets, resources and operations for your business.
  • Map your organisation’s controls against Def Stan 05-138 Issue 4 to identify gaps.
  • Where relevant, review subcontractor capability in line with the assigned CRPL and flow down contractual liabilities as appropriate.
  • Review DEFCON 658 to understand your responsibilities as a sub-contractor to MOD.

2. Treating Cyber Essentials as a one-time task

Cyber Essentials (CE) and Cyber Essentials Plus (CE+) remain foundational assurance requirements for defence contracts. However, a common error is treating CE as an annual tick-box exercise rather than an ongoing security baseline.

Cyber Essentials is a commercial prerequisite certification for Cyber Security Model Issue 4, as well as for the Defence Cyber Certificate accreditation programme introduced by IASME.

How to avoid this

  • Monitor the CE control areas continuously.
  • Revalidate configuration, patching and access controls regularly.
  • Update CE documentation whenever devices, networks or processes change.

3. Poor documentation and evidence management

Many suppliers have the right controls in place but fail assessments and audits due to missing or outdated evidence, such as patch logs, screenshots, asset records, training records or policy versions.

How to avoid this

  • Maintain a structured compliance evidence library.
  • Apply version control to all implemented policies and procedures.
  • Adopt a rigorous change control policy for business operations.
  • Store audit logs demonstrating patching, access control and backup activity.

4. Poor Supply Chain Visibility and Control

With the revocation of CSM Issue 3 and the interim management process, Prime contractors will now be required to flow down cyber requirements for all CRPLs to their subcontractors. However, many SMEs have limited visibility of their own suppliers.

A major pitfall is assuming that suppliers and subcontractors meet the required security standard. Any partner working as part of an MOD supply chain must meet the appropriate CRPL and its assurance requirements. Under DEFCON 658 (Cyber Flowdown), you remain responsible for the cyber security of your entire supply chain.

How to avoid this

  • As per DEFCON 658, conduct cyber due diligence on all subcontractors.
  • Request evidence of conformance to the required CRPL.
  • Include cyber obligations in contracts.
  • Include basic cyber clauses (e.g. requirement to hold Cyber Essentials) in all new subcontracts. 
  • Follow the NCSC Supply Chain Security Guidance.

5. Underestimating the importance of staff awareness

Human error remains a leading cause of security breaches across the defence sector. Phishing, weak passwords, accidental data disclosure and poor device handling are persistent risks.

How to avoid this

  • Deliver regular cyber awareness training, including phishing simulations, since phishing remains a popular attack vector for threat actors.
  • Provide training on the secure handling of sensitive or classified information.
  • Where you employ security cleared staff, provide regular training on their responsibilities as security cleared personnel.


6. Weak access control and identity management

Misconfigured identity and access controls, such as shared passwords, inactive accounts or the absence of MFA, continue to cause compliance failures. Ignoring these control measures can lead to security breaches that cause major disruption.

How to avoid this

  • Apply least-privilege access.
  • Enable MFA across key systems.
  • Review and remove inactive accounts regularly.

7. Incomplete or untested incident response plans

Incident response planning is essential for suppliers operating at higher Cyber Risk Profiles. However, many plans are generic, outdated or untested.

How to avoid this

  • Undertake a Business Impact Analysis to identify the key assets you need to protect and without which your business cannot recover from an incident. Knowing what these key assets are will help you create a suitable recovery plan.
  • Develop a clear, role-based response plan.
  • Test the plan through tabletop exercises involving everyone, including senior management, and maintain a record of each exercise and its findings/lessons learned.
  • Update the plan after system changes or lessons learned.
  • Log all incidents (even minor ones) and review lessons learned.

8. Neglecting continuous improvement and governance

Cyber governance must be ongoing. Threats evolve and MOD expectations change over time. Failing to maintain controls, review risks or conduct internal audits leads to compliance drift. Refer to the NCSC risk management guidance and the Government Security Policy Framework to stay on top of compliance.

How to avoid this

  • Introduce a system of senior-management-led security reviews, commonly referred to in MOD parlance as Security Working Groups.
  • Perform regular internal audits.
  • Refresh risk assessments annually.
  • Monitor MOD and NCSC updates.

Final thoughts

Defence cyber compliance can be challenging for SMEs, but most issues arise from avoidable gaps: unclear requirements, missing evidence, weak governance or outdated processes. Understanding the changes introduced through CSM Issue 4 and applying trusted NCSC and MOD guidance can significantly improve compliance readiness and resilience.

Sometimes, however, drawing on the expertise of consulting companies such as Pera Prometheus can help guide you to the right side of compliance.

Stay Safe, Stay Secure