Select regional store:

Cyber Essentials for the MOD supply chain

As of 1 January 2016, all suppliers bidding for new MOD contracts must be compliant with the Cyber Essentials scheme.

The MOD mandates Cyber Essentials as the first step for all suppliers where there is an exchange of information.

Additional cyber security controls are required based on the DCPP Cyber Security Model (CSM) cyber risk profile.


What is the DCPP and CSM?

The Defence Cyber Protection Partnership (DCPP) is responsible for protecting the defence supply chain from cyber threats.

The Cyber Security Model (CSM) was developed by the DCPP in partnership with industry, and comprises three elements: a risk assessment process, a set of cyber assurance profiles and a supplier assurance questionnaire.


How the CSM risk assessment process works

The risk assessment process sets out a level of cyber risk through a series of questions relating to the specific contract. The risk assessment must be conducted by the contracting authority. This will be the MOD in all cases, but there may also be a requirement for this process to be repeated by the relevant supplier employing subcontractors.

Based on the outcomes of the cyber risk assessment, the CSM sets out cyber protection measures that need to be taken.


There are four cyber assurance profiles:

  • (Not applicable)
  1. Very low
  2. Low
  3. Moderate
  4. High

The lowest DCPP requirement (‘Very low’) is Cyber Essentials. For those who are assessed as a ‘low’ risk or higher, Cyber Essentials Plus is prescribed in accordance with existing HMG policy. Full details of the required cyber profiles are set out in DEFSTAN 05-138, also available on

Find out more about the Cyber Essentials scheme >>


The CSM recommends that all defence suppliers aim to achieve compliance with the Cyber Essentials scheme as a minimum.

“For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials Certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.”

“CES certification will become the baseline requirement for companies in the UK defence supply chain. Suppliers are strongly encouraged to start working towards achieving it.” - Richard Jefferys, Defence Commercial Head of Policy, Process and Procedures (P3)

The final part of the Cyber Security Model is a supplier assurance questionnaire that measures how a supplier is complying with the required measures.


How IT Governance can help

IT Governance is a CREST-accredited certification body for the Cyber Essentials scheme, and has helped over 130 companies to successfully achieve certification to either Cyber Essentials or Cyber Essentials Plus.

As a leading global provider of cyber security solutions, including penetration testing, PCI DSS compliance solutions, staff awareness training, ISO 27001 project implementations and the delivery of professional cyber security qualifications, we are committed to helping businesses protect themselves and their customers from the perpetually evolving range of cyber threats.


Supply chain security

Cyber Essentials certification is required throughout the supply chain wherever those contracts include MOD identifiable information. It is always the responsibility of the contracting organisation to ensure that its subcontractor has achieved the necessary certification. IT Governance can help organisations with large supply chains to achieve the required level of cyber security and Cyber Essentials compliance.

Contact one of our key account managers today to find out how we can help you get cyber secure quickly and cost-effectively on +44 (0) 845 070 1750 or email

This website uses cookies. View our cookie policy