Cyber Security | MOD-DCO

A joint UK Ministry of Defence (MOD) and industry initiative to improve the protection of the defence supply chain from cyber threats.

Our vision:

The defence supply chain understands the cyber threat and is appropriately protected against attack. The defence sector is proactively supporting the National Cyber Security Strategy.

The Threat

Reputational risks to suppliers
Theft of intellectual property, customer details and pricing information
Espionage
Capability compromise
Counterfeit components / backdoors
Ransomware – being unable to access your own information

National Cyber Security Strategy: Making the UK the safest place to do business online

What we are protecting: MOD Identifiable Information (MOD II)

All Electronic Information which is attributed to or could identify an existing or proposed MOD capability, Defence activities or personnel and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure. See DEFCON 658 for more information.

The Cyber Security Model

Mandated across new MOD contracts.

Buyer completes Risk Assessment determines Cyber Risk Profile
Cyber Risk Profile security requirements listed in DEFSTAN 05-138
Supplier completes Supplier Assurance Questionnaire (SAQ) to demonstrate the compliance with the requirements.
Cyber Implementation Plan (CIP) where requirements are not met

Flow-down:

Suppliers complete a Risk Assessment for any elements they are sub-contracting.

risk assessment

Principles:

Understand the risk
Proportionate protection
Suppliers to defence meet the standards

A Quick Cyber guide for small businesses

NCSC-Cyber-Essentials-Guide-SME

Further information

Head over to our DCPP page for more information on:

Supplier Cyber Protection tool
DEFCON 658
DEFSTAN 05-138

Also, find out more about Cyber Essentials here.

DCPP Leaflet

Download your copy of our DCPP Leaflet for further insight into the Defence Cyber Protection Partnership.

Contact us

If you would like more information on DCPP email us at ISSDes-DCPP@mod.gov.uk

What is Cyber Essentials?

Cyber Essentials is a government-backed, industry-supported initiative from the National Cyber Security Centre (NCSC) to provide businesses supplying to the MOD with a basic level of cyber security controls.

Cyber Essentials certification is crucial for businesses looking to supply into the defence market. Based on DEFCON 658, official MOD policy is that all suppliers bidding for new MOD contracts that include the transfer of ‘MOD identifiable information’ should possess Cyber Essentials certification before contract award or be able to show evidence of progress towards it in time for contract start date.

Cyber Essentials certification enables you to showcase your credentials as a trustworthy and secure organisation and puts your business in a perfect position to supply to the defence sector, knowing that your bid can be backed up with evidence that your business is cyber secure.

Minimum Requirements More on Identifiable Information Pricing Options

Cyber Essentials is a key requirement for any supplier or buyer looking to business with defence. It is essential that businesses of all types know the benefits that gaining such certification provides.

Cyber Essentials is a government-backed by the National Cyber Security Centre and has been in place since 2014.
The controls Cyber Essentials puts in place protect a business from around 80% of Cyber Attacks but these should be seen as the minimum requirements.
Certification is cheaper than paying the cost of a cyber breach. Cyber Breaches 2017 report indicated this cost is on average £1,340 per instance.
Certification can be obtained from a range of providers, for example, Cyber Essentials Online offers this from £300 ex Vat for the base level certification.
Cyber Essentials certification shows to us and your suppliers that you take data security seriously.
To date over 9,000 businesses have been certified to the Cyber Essentials scheme.

Learn more about Cyber Essentials

Find out what Cyber Essentials is and how to get certified with DCI through their free webinar. As one of a number of suppliers in the certification space, DCI is unique in that it offers a defence-focused solution for MOD tenders and is well placed to share their expertise to help suppliers position themselves to comply with and win MOD tenders.

The webinar will talk you through the benefits of Cyber Essentials certification in defence and provide you with:

An introduction to the DCPP
What is the Cyber Security Model (CSM)
How to meet the requirements of the Cyber Security Model
How does the CSM impact supplier tendering in defence?
How to become Cyber Certified with Cyber Essentials

Watch Now

Comply

Cyber Essentials is the minimum certification an organisation needs to implement to bid for new MOD defence contracts which include the transfer of ‘MOD identifiable information’.

The MOD has made this requirement mandatory since January 2016 for suppliers looking to do business in the defence sector.

As the risk level goes up, some additional controls are required that can be evaluated through Cyber Essentials Plus vulnerability tests.

Protect

The controls that need to be in place to achieve Cyber Essentials certification protect a business from around 80% of common cyber attacks.

It’s worth considering that certification is cheaper than the alternative of paying for the cost of a cyber breach. The Cyber Breaches Survey 2017 report indicated this cost is, on average, £1,340 per instance of a cyber breach.

Promote

Certification allows your business/organisation to promote itself as cyber secure up to the Cyber Essentials standard level, which can make a real difference when bidding for contracts.

When you receive your Cyber Essentials certificate, you will also receive the relevant Cyber Essentials branding to use on collateral such as tender bids for one of the many defence contracts available through Cyber Essentials Online.

Download a free Cyber Essentials Scheme Summary

The Cyber Essentials scheme summary will provide you with:

– Some background information about the scheme
– The scope of the assessment
– Assurance framework
– The next steps to becoming certified

After reading the scheme summary, you will have a clearer picture of the importance of the scheme and what is involved in the certification process.

As one of the available Cyber Essentials suppliers DCI offers the following options:

Cyber Essentials

Self Assessment certification

£300 ex VAT

For MOD Contracts where the risk is "Very Low" Inclusive support and advice throughout application process Access to the online self-assessment questionnaire Includes certificate and Cyber Essentials branding for your business Provides 12 months’ certification upon successful application No additional costs for retests or Gap Analysis

Buy Now

Cyber Essentials Plus

The certification for maturing networks

£2,500 ex VAT

Access to the online self-assessment questionnaire Required for MOD contracts where the risk is "Low", "Moderate" or "High" On Site assessment and vulnerability test Provides 12 months’ certification upon successful application Includes certificate and Cyber Essentials branding for your business The price includes expedited remedial assessments if required

Buy Now

Key Supplier Information for Cyber Essentials certification

Which of the different accreditation/certification bodies should I choose to gain the Cyber Essentials certification?

Suppliers are free to decide which certification body to use, but must be aware they have a choice. Information on the different accreditation bodies is available here. The illustrated pricing above is from Defence Contracts International and illustrates the service they offer as a defence focused business intelligence provider other suppliers are available and service offerings will differ.

Are there scenarios where I may be unable to gain Cyber Essentials certification?

Suppliers may be unable to achieve Cyber Essentials if any hardware or software on their network is unsupported by their manufacturer/developer and is deemed ‘not supported’. This means security updates cannot be developed and patched to these products.

If a supplier is unable to achieve Cyber Essentials in support of an MOD requirement they may be able to have this requirement waivered, this ‘risk acceptance’ process is outlined in DEFSTAN 05-138.

Do I need Cyber Essentials Plus?

In line with MOD procurement policy note 09/14, Cyber Essentials Plus will be incorporated into the CSM, under which any contract assigned a risk level of ‘Low’ or higher will require suppliers to hold Cyber Essentials Plus. Full details of the Cyber Risk Profiles are in DEFSTAN 05-138 which is available via defencegateway.mod.uk. New users will need to register to access the DEFSTANs.

How much does Cyber Essentials cost?

The cost of achieving Cyber Essentials certification through an official certifying body is currently approximately £300. This does not include the cost of any improvements required to achieve Cyber Essentials compliance. A Cyber Essentials certificate is valid for 12 months and must be renewed annually. The pricing may differ from supplier demanding on the service offering or level to which they offer.

Do I need to get Cyber Essentials to bid for UK MOD work as an overseas supplier?

Overseas suppliers may apply for and gain Cyber Essentials accreditation, this is not a UK only accreditation. International equivalents may also be acceptable and the ability for a supplier to submit a Cyber Implementation Plan alongside the SAQ enables suppliers to prove their standards match the controls required by DEFSTAN 05-138.