Secure by Design (SbD) applies to the definition, acquisition, development, maintenance and disposal of information-based capabilities for MOD. This includes but is not limited to networks, applications, services, information technology, operational technology, platforms and weapons systems.
In essence, Secure by Design is about delivering secure Products, Services and Solutions (PSS) which are fit for purpose and do not require security retrofitting, prior to entering service.
This blog explores how Secure by Design delivers security as part of a through life approach supported by continuous assessment and assurance.
What is Secure by Design?
Secure by Design is an approach to integrate cyber security into systems and services from the very beginning of the procurement lifecycle (CADMID or CADMIT), ensuring continuous risk management throughout their development, delivery and in-service support and disposal..
Unlike traditional methods that tended to treat security requirement identification, risk treatment and mitigation as an afterthought, SbD is about designing resilience into every phase from Concept to Disposal. It is not a ‘cookie cutter’ approach, but requires a proactive mindset, guided by Industry Security Notice (ISN 2023/09 (MOD’s ISN 2023-09) and DefStan 05-139 (Cyber Security and Resilience of Products, Systems and Services). Applying SbD throughout the procurement process and in-service provides MOD with confidence that IT and OT technology associated with cutting weapons systems and platforms etc. is secure, resilient and will not compromise the war fighter. Be aware however that HMG’s approach to SbD can differ from MOD requirements.
The end result is a shift from reactive defence to proactive design enabling organisations to build secure capabilities from the ground up.
Read more: Secure by Design
Why MOD Adopted Secure by Design
Previously, MOD programmes relied on the accreditation, which evolved into or was certainly perceived as a ‘one-off approval decision’, that confirmed a system met security standards at a point in time. Thereafter, through life assurance and maintenance was pretty much ignored leading to out of date, vulnerable systems.
Now, through the application of Secure by Design, MOD programmes follow a model of continuous assurance, where cyber risk is managed dynamically throughout the CADMID/T lifecycle (Concept, Assessment, Demonstration, Manufacture, In-Service, Disposal/Termination). SbD enhances identification of security requirements, associated visibility of risks, and supports through-life assurance and supplier engagement, enabling suppliers to deliver secure capabilities that align with MOD’s mission-critical objectives and outcomes.
At the heart of this model is the Senior Responsible Owner (SRO), who remains accountable for cyber risk across the capability’s lifespan. Supported by Delivery Teams, Information Assurance specialists and industry suppliersthe SRO ensures that security decisions are evidence-based and aligned with Defence outcomes. This one team approach is crucial to ensuring that assurance is not just achieved but sustained.
The Seven MOD Secure by Design Principles
The MOD’s Secure by Design framework, outlined in ISN 2023-09, is built around seven principles that guide both MOD teams and suppliers:
- Understand and Define Context – Identify how your system supports MOD outcomes, how it manages Defence data, and the potential impact of compromise.
- Plan the Security Activities – Integrate security into programme planning, budgeting, and governance from the start.
- Implement Continuous Risk Management – Treat cyber risk as a living process; reassess regularly as the system and threat landscape evolve.
- Define Security Controls – Select and apply proportionate security controls using frameworks like NIST SP 800-53 or ISO 27001.
- Engage and Manage the Supply Chain – Collaborate with your partners and ensure each supplier understands their role in protecting MOD data, in line with the Defence Cyber Protection Partnership (DCPP).
- Assure, Verify and Test – Continuously validate security controls through testing, auditing, and independent assessment.
- Enable Through-Life Management – Maintain, monitor, and update security throughout the system’s operational life.
Together, these principles form a continuous cycle of improvement, a living assurance process that strengthens security and resilience to MOD products, services and solutions.
How SMEs Can Support Secure by Design in Practice
Small and medium-sized suppliers play a vital role in Defence innovation and delivery.
SME input to the SbD process is perhaps best viewed form the SROs perspective. What evidence would the SRO require to demonstrate that appropriate assurance has been applied to the development of a Product, Service or Solution (PSS).
Here are practical steps for SMEs to get started:
- Appoint a Security Lead – Nominate a senior individual (often the SRO or Project Manager) to take ownership of cyber risk for the PSS you are delivering or contributing to.
- Review Key Guidance – Read ISN 2023-09 and the Secure by Design Preparation Checklist (2025) to understand expectations.
- Engage your SRO counterpart – As early as possible, once contract delivery commences, engage with your SRO counterpart (usually your Prime contractor or the MOD Programme SRO, if you are fortunate to have a direct contract in place) to understand what assurance evidence is required to support the various delivery stages.
It is also important to establish which control framework the SRO wishes to apply. This, for the majority of PSS will likely be NST 800-171, but the SRO is at liberty to select the most appropriate framework for their needs.
- Embed Risk Management – Integrate cyber risk management into programme governance and update risk registers and mitigation plans quarterly.
- Engage with Your Prime Contractor or Delivery Team – Establish regular dialogue with prime contract or MOD assurance contacts, to align on expectations.
- Demonstrate Continuous Assurance – Use appropriate tools to gather and present relevant evidence to the development of PSS and communicate this at appropriate meetings (e,g, Security Working Groups) and milestone events.
FAQs: Common Questions on Secure by Design
Q1: Is Secure by Design mandatory for all MOD suppliers?
A: Yes. Any system, service, or supplier handling MOD data must follow SbD principles as set out in ISN 2023-09. It is now the default MOD assurance approach.
Q2: What’s the difference between Accreditation and Secure by Design?
A: Accreditation was a ‘one-off’ approval process. Secure by Design focuses on continuous assurance, where risk is managed throughout a system’s life, from concept to disposal.
Q3: Who is responsible for implementing Secure by Design within a project?
A: The Senior Responsible Owner (SRO) is accountable, supported by the Delivery Team Leader, Security Lead, and industry supplier partners. Everyone has a role in maintaining security assurance.
Q4: How can small businesses start applying Secure by Design?
A: Appoint a security lead and align with MOD’s ISN 2023/09 and DefStan 05-139. The SbD Preparation Checklist may also prove a useful aide memoire adaptable to MOD requirements.. Engage early with MOD or your prime contractor’s assurance team. Seek support from expert consultants, like Pera Prometheus, if required.
Q5: Does Secure by Design only apply to IT systems?
A: No. It applies to all information-based capabilities including platforms, applications, networks, operational technology, and services that handle MOD or Defence data.
Conclusion
Secure by Design is more than a tick in the box, compliance requirement, it’s a strategic enabler that, if applied appropriately, empowers SMEs to build trust, reduce costs, and enhance resilience in the defence supply chain. By embedding security early, suppliers can mitigate risks, avoid costly retrofits, and deliver capabilities that meet MOD’s stringent standards.
Stay Safe, Stay Secure
