– Gareth Shaw, MD Pera Prometheus
For UK small and medium-sized enterprises (SMEs) working in the defence sector, staying ahead of information assurance and cybersecurity requirements is essential to securing contracts and protecting sensitive operations. The UK Ministry of Defence (MOD) has recognised that a single weak link in its supply chain can expose critical national assets to cyber risk.
To address this, the MOD introduced DEFSTAN 05-138, the Cyber Security Standard for Defence Suppliers, which sets out clear cybersecurity expectations for all suppliers handling MOD information. With DEFSTAN 05-138 Issue 4 now imminent and set to replace Issue 3 on 3 November 2025 under ISN 2025/04, suppliers need to start preparing for the transition.
This blog provides an overview of what DEFSTAN 05-138 entails and its role in the broader MOD framework. It offers a practical guide to compliance, risk management and implementation, and explains what is changing between Issue 3 (currently in force) and Issue 4 (the next evolution).
What is DEFSTAN 05-138?
DEFSTAN 05-138 (Cyber Security Standard for Defence Suppliers) sets out the minimum cybersecurity controls that defence suppliers must apply to their corporate environments. It forms a core part of the MOD Cyber Security Model (CSM), the framework that governs how suppliers are assessed, certified and monitored for cybersecurity assurance.
Issue 4 was published on 14 May 2024 as an advance publication, effectively a draft issued for information. Once in force, it supersedes Issue 3 and applies, where practicable, to all future MOD contracts, designs and orders.
It covers everything from network protections to staff training, so that risks to UK and partner data are managed proportionately. The standard is intended to ensure that:
- All MOD suppliers, from prime contractors to micro-SMEs, implement proportionate and consistent cyber controls.
- Each supplier’s level of protection matches the risk profile of their contract.
- Sensitive or classified MOD information is secured against cyber threats, unauthorised access, or compromise.
How Does DEFSTAN 05-138 Fit into MOD’s Cyber Security Model?
DEFSTAN 05-138 is the control framework for DEFCON 658 (Cyber (Flow down)) within the MOD’s Cyber Security Model (CSM), a risk-based system that integrates cybersecurity into every stage of the defence supply chain.
The CSM is a tiered, risk-based approach used to determine the level of security a supplier must meet, based on factors such as data sensitivity or system criticality. From 3 November, new contracts will be assigned a Cyber Risk Profile (CRP) based on the type and sensitivity of the MOD information involved. DEFSTAN 05-138 then specifies the controls needed for that profile.
For example, low-risk contracts may only require baseline security measures such as password management and patching, whereas high-risk contracts require full organisational governance, system monitoring, incident response capabilities and supply chain assurance mechanisms. For subcontracts, the requirements flow down via DEFCON 658 (Defence Condition) to ensure the appropriate degree of supply chain security for each contract. Incidentally, DEFCON 658 has also recently been updated to edition 07/25 and is available from the Knowledge in Defence (KID) website.
As part of each contract procurement process, potential suppliers complete a Supplier Assurance Questionnaire (SAQ), supported by evidence of implemented controls. Where gaps exist, a Cyber Implementation Plan (CIP) sets out how the organisation will achieve compliance within an agreed timeframe. This approach is SME-friendly: controls scale with risk, avoiding overkill for low-stakes work, and it aligns with NCSC guidance such as Cyber Essentials, making risk management for defence contractors straightforward and cost-effective. The result? A unified approach that strengthens the entire ecosystem.
For companies that hold a Defence Cyber Certification (DCC) at the required Cyber Risk Level, the certificate may be accepted by MOD as proof of conformance, which would greatly simplify procurement qualification. This has yet to be confirmed by MOD.
Compliance, Risk Management & Implementation Under DEFSTAN 05-138
To understand how to use this standard in practice, it helps to see it through three lenses: Compliance Obligations, Risk Management, and Implementation Steps.
Compliance Obligations
- When a supplier enters into a MOD (or MOD-related) contract, the MOD delivery team undertakes a risk assessment of that contract to assign a Cyber Risk Profile (CRP). Based on that CRP, the supplier is required to meet a specified set of controls from DEFSTAN 05-138.
- The supplier then completes a Supplier Assurance Questionnaire (SAQ) (self-assessment) to demonstrate how it meets those controls.
- If the supplier cannot immediately meet all controls, it must submit a Cyber Implementation Plan (CIP) (sometimes called a “remediation plan”) to show how it will reach compliance.
- DEFCON 658, cyber flow-down: any subcontractors handling MOD information must also comply (or be assessed) under equivalent controls and this process repeats throughout the supply chain until risks are appropriately mitigated.
- DEFCON 658 also requires suppliers to retain, for 6 years after contract termination, copies of all documents needed to demonstrate compliance with DEFSTAN 05-138 and DEFCON 658. This includes any information used to inform the CSM Risk Assessment Process and to complete the CSM Supplier Assurance Questionnaire, together with any certificates issued to the Sub-contractor and/or any lower-tier Sub-contractor.
- Non-compliance carries contractual risk, up to termination or exclusion from contracts.
Risk Management
- DEFSTAN 05-138 is inherently risk-based. The core idea is that not every supplier needs the same level of controls: the level of security required is proportional to the cyber risk of the contract.
- The Cyber Risk Profile (CRP) drives which set of controls (higher or lower) apply.
- The standard is designed to integrate with existing cyber/industry frameworks so that suppliers with good practices (e.g. ISO 27001, NIST alignment) may more easily map into DEFSTAN compliance.
- The mapping document for Issue 4 explicitly shows alignment with NIST SP 800-171.
- Where residual risk remains, the contract may require formal acceptance of the risk by the MOD, or mitigation via other means.
Implementation Steps: A practical approach
If your organisation is (or plans to become) a MOD supplier, here’s how you might practically implement DEFSTAN 05-138:
- Gap analysis / maturity assessment – Compare your current cybersecurity posture (policies, controls, technologies, processes) against the DEFSTAN 05-138 issue 4 controls for your likely Cyber Risk Profile. Use the mapping (for Issue 4) to see where your existing framework aligns.
- Define scope & boundaries – Decide which systems, networks, data stores are “in scope” for compliance. Clarify which subcontractors or third parties must also comply (flow-down).
- Develop policies, procedures, and governance – Implement the required organisational controls (e.g. roles & responsibilities, risk management frameworks, security policy, incident response, identity & access, asset management).
- Technical control implementation – Apply technical controls like logging, encryption, monitoring, patching, endpoint protection, network segmentation, etc. The specific controls depend on which CRP applies.
- Training & awareness – Staff should be trained, and awareness programs deployed so that security is embedded, not just treated as a checklist.
- Self-assessment (SAQ) and evidence collection – Populate the SAQ with evidence (processes, logs, audits, reports) to illustrate how controls are met.
- Remediation (Cyber Implementation Plan, CIP) – If gaps remain, plan, document and execute remediations, with timelines and responsibilities. Submit the CIP as required.
- Audit, verification, review – Maintain reporting, audits and internal reviews, and respond to MOD or contract audits/inspections where exercised. This should include verification checks on how YOUR sub-contractors are managing the contract risks for which they are responsible.
- Ongoing maintenance & continuous improvement – You’ll need regular reviews, updates (patching, threat intelligence, incident lessons), and possibly re-submission of SAQ or proof over contract lifetime.
What is new in DEFSTAN 05-138 Issue 4 vs Issue 3?
Below is a list of changes introduced in DEFSTAN 05-138 Issue 4 compared to Issue 3, and what those changes imply for suppliers.
- Risk Profile:
| Old Cyber Risk Level (DEFSTAN 05-138 Issue 3) | New Cyber Risk Level (DEFSTAN 05-138 Issue 4) |
| --- | --- |
| N/A – Cyber Essentials optional | (no equivalent) |
| Very Low – Cyber Essentials | Level 0 – an initial 3 controls |
| Low – 17 additional controls | Level 1 – an additional 97 controls |
| Moderate – 34 additional controls | Level 2 – an additional 39 controls |
| High – 11 additional controls | Level 3 – an additional 7 controls |
| A total of 63 controls | A total of 146 controls |

- 4 Risk Levels, with cumulative control counts: Level 0 – Basic (3 controls), Level 1 – Foundational (100 controls), Level 2 – Advanced (139 controls), Level 3 – Expert (146 controls).
- The risk levels are redefined; mapping from old to new is not one-to-one, so new assessments are required under Issue 4.
- Scope:
- Changes the CSM focus from “MOD Identifiable Information” to organisational security and resilience. In many cases this may bring the whole business into scope; note, however, that logical network boundaries may be recognised by the Contracting Authority.
- Suppliers will have to show controls across more parts of their organisation (not just contract-specific systems). Some new controls may require changes in governance, network architecture, and oversight.
- Control set:
- Issue 4 introduces updated and expanded controls, more thorough requirements in identity, supply chain, third-party risk, assurance, monitoring, etc. The mapping document shows how new controls align with standards like CAF, NIST, ISO.
- Some suppliers will find their current controls are insufficient under Issue 4, meaning additional investment or changes may be needed.
- Assurance and Certification:
- A stronger assurance framework, including the introduction of the IASME Defence Cyber Certification (DCC), an independent approach to providing third-party validated certification of conformance.
- Suppliers will have to work toward independently verifiable certification, in addition to internal assurance to meet the expanded controls.
- Documentation:
- Issue 4 is more extensive (146 controls) than issue 3 (63 controls) with more details.
- The greater detail likely reflects more rigorous requirements with clarifications, and guidance for the suppliers.
Our Advice for SMEs
In summary, Issue 4 is a more mature, broader and more rigorous version of DEFSTAN 05-138. It extends scope, strengthens assurance and integrates more tightly with other cyber standards. If your business is in the MOD supply chain, take note of these key takeaways.
- Don’t wait too long to prepare, be proactive and identify how the changes affect your compliance, risk and implementation.
- Reassess your existing SAQ and map your new Cyber Risk Profile (CRP) against the new levels. For legacy contracts we would expect the uplift from Issue 3 to Issue 4 to take place on the contract anniversary. Speak to your contract Senior Responsible Owner (SRO) for more information.
- New contracts will adopt the Issue 4 approach from 3 November 2025.
- Understand the controls applicable to your new CRP and implement the changes.
- Invest in auditability, evidence, and certification readiness.
- Manage subcontractor / supply chain risk.
- In the absence of in-house skills, seek support from experts like Pera Prometheus Consulting.
- Achieving CSM conformance does not by itself mean your network systems are assured to handle and store classified information at OFFICIAL or above. The assurance requirements for those needs are dealt with in separate DEFCONs, 659A and 660.
Stay Safe, Stay Secure