For projects starting from April 2016, all suppliers will be required to meet the Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM). This means that, in addition to Cyber Essentials (CE), all parties involved will also be required to meet the corresponding governance requirements.
This follows on from the earlier (1 January 2016) notification, which specified that all MoD contractors and sub-contractors will be required to hold Cyber Essentials or Cyber Essentials Plus. Note that this extends to all MoD procurement, suppliers and sub-contractors, even where they are not working directly with or for the MoD. All suppliers will be required to have the relevant Cyber Essentials certificate in place by the contract start date at the latest, and to maintain compliance with the scheme by renewing it annually.
This document outlines the key requirements under MoD procurement and the DCPP CSM in relation to contractors and sub-contractors within the defence community.
There are four risk categories for MoD projects (very low, low, moderate and high), each with different certification requirements:
- All contractors and sub-contractors on projects with a very low risk rating are required to hold a CE certificate.
- All contractors and sub-contractors on projects with low, moderate or high risk ratings are required to be CE+ certified (which includes gaining CE as part of the process).
- All contractors and sub-contractors on projects with low, moderate or high risk ratings are also required to implement additional security controls beyond CE and CE+.
Scheme Updates (April 2016)
The Defence Cyber Protection Partnership (DCPP) Cyber Security Model (CSM) is now live. This means that every MoD contract or sub-contract must now be assigned one of the cyber risk profiles defined below, each of which carries its own mandated set of requirements:

| Risk profile | Description | Minimum requirement |
|---|---|---|
| Not Applicable | For contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall into this category. | Cyber Essentials recommended but not required |
| Very Low | For contracts where a basic threat is faced (i.e. simple hacking, phishing or spyware) and where any attacker is likely to be opportunistic, unskilled and non-persistent. The sorts of contracts this will apply to are likely to be those covering commodity purchases or standard service provisions, e.g. office supplies or the disposal of non-sensitive waste. | Cyber Essentials only |
| Low | For contracts where the threat may be slightly more targeted (i.e. involving spear phishing, whaling or ransomware, and where attackers are semi-skilled but may not be persistent). It is likely to apply to contracts for basic parts or services, but not where these could be linked to military capability. This profile is likely to apply primarily to contracts handling information classified as OFFICIAL, but may also occasionally apply to those involving small quantities of OFFICIAL information carrying the handling instruction SENSITIVE. | Cyber Essentials Plus and 16 additional controls |
| Moderate | For contracts subject to more advanced threats that are tailored and targeted with the objective of gaining access to specific assets or enacting denial of service. The attacker is likely to be persistent and organised, and either skilled or with access to skills, e.g. cyber criminals or hacktivists. This will likely apply to contracts that involve handling greater volumes of, or more sensitive, personal information, and those involving larger quantities of OFFICIAL-SENSITIVE information. | Cyber Essentials Plus and 32 additional controls |
| High | For contracts assessed as being subject to Advanced Persistent Threats (APT), which may be sustained over long periods and not exploited for months or years after the initial intrusion. Attackers will be organised, highly sophisticated, well resourced and persistent. This will likely apply to contracts that are essential to supporting key military capability and those handling information classified at SECRET or above. | Cyber Essentials Plus and 43 additional controls |
The risk assessment will be conducted by the party letting the contract (for example the MoD, or a defence supplier sub-contracting elements of the work). All parties involved must meet the minimum requirements associated with the contract's assigned risk profile; otherwise they will not be eligible for the work.
Therefore, while the minimum requirement for the lowest profile is only Cyber Essentials, it is advisable to attain Cyber Essentials Plus. This gives the company a demonstrable approach to information security and prepares it for the eventuality that a contract is assigned a more demanding risk profile.