The SME reality and what CSMv4 means if you have no dedicated security team

Most guidance written about CSMv4 is pitched at a fairly abstract level. It explains the framework architecture, the four risk profiles, the evidence requirements, and the link to DCC.

All of that is accurate and useful. What it often does not describe is what the process looks and feels like for a specialist SME with between ten and fifty staff, no dedicated IT security function, a managing director simultaneously responsible for business development, delivery and compliance, and a genuine desire to do the right thing running up against limited capacity to do everything.

This article is written for those businesses. It is not a simplified version of the framework documentation but an attempt to describe the practical reality of what CSMv4 asks of smaller suppliers, where the difficulty usually lands, and what helps.

Your starting point is probably better than you think, and the gap is probably not where you expect.

Most SMEs in the defence supply chain are not starting from zero. If you hold Cyber Essentials, have reasonable IT practices, use a reputable cloud platform, and have some documented policies in place, you already have a foundation. The controls required at Level 0 and Level 1 are not unusual and many suppliers are already meeting some of them in practice.

The gap that catches many smaller suppliers off guard is not technical. It is evidential. CSMv4 does not just ask what controls you have; it asks you to demonstrate that those controls are working consistently across the whole business. That means being able to show an assessor or Delivery Team not just a policy document, but evidence that the policy is followed, that staff are trained, that configurations are checked, that access is reviewed, and that incidents, if they occur, are handled and recorded properly.

For SMEs that have been running sensible security practices informally, this often requires a shift in how those practices are documented and maintained. The underlying controls themselves may not need to change significantly; the discipline around recording them does.

What Level 1 Cyber Risk Profile requirements look like in practice

Level 1 applies where MOD assigns a Level 1 Cyber Risk Profile, below the highest risk tiers. The control set at Level 1 runs to 101 controls. For context, DEFSTAN 05-138 Issue 4 defines Level 0 as 3 controls, Level 2 as 139 controls and Level 3 as 144 controls.

That sounds like a lot. In practice, some of those controls may already exist in some form within a well-run SME. The substantive demands at Level 1 cluster around a few areas: documented risk management that is genuinely active rather than produced for an audit; access control that is systematic and reviewed regularly; monitoring that produces logs that someone is actually reviewing; and supplier assurance, meaning understanding and managing the security posture of the third parties you depend on.

The supplier assurance element catches many smaller businesses by surprise. CSMv4 expects you to assess and manage the cyber security of your own supply chain, even if that supply chain consists of a cloud platform, a managed IT provider, and a handful of specialist subcontractors. That is not an unreasonable expectation. But it does require conversations with those suppliers about their security practices, and evidence that those conversations have taken place.

The governance challenge

CSMv4 makes clear that cyber security is an organisational responsibility, not only an IT function. That means senior leadership needs to understand the business’s cyber risk position, allocate appropriate resource to address it, and demonstrate that security is embedded in how the company operates, not delegated entirely to whoever manages the IT.

For a small business, this often lands heavily on one or two people. The managing director, the operations lead, the person who has always handled IT. They can quickly find themselves responsible for a compliance programme that touches every part of the business, from HR and onboarding to procurement and contract management.

The practical advice here is not to try to do everything at once but to prioritise the controls that directly affect your contract work. Build governance documentation that reflects how the business genuinely operates, rather than copying templates designed for much larger enterprises, and be honest in your SAQ about where gaps exist and what the plan is to address them. The Cyber Improvement Plan process exists precisely because the MOD recognises that reaching full compliance may require planned remediation rather than overnight change.

What makes the process more manageable

The suppliers navigating CSMv4 most effectively usually share a few characteristics. They have made a deliberate decision about where their sensitive work takes place, and that environment is consistent, managed, and configured to a known standard. They have built simple, sustainable evidence collection habits rather than trying to reconstruct evidence at assessment time. And they have involved senior leadership properly, rather than treating CSMv4 as something that sits in the IT corner of the business.

On the environmental question specifically, a common source of difficulty for smaller suppliers is a fragmented technical environment. Different devices, inconsistent configurations, multiple cloud platforms, unclear boundaries around what is in scope for a given contract. That fragmentation makes evidence collection harder, monitoring less reliable, and control assurance more difficult to demonstrate. A coherent, well-managed environment — whether that is a managed platform or a tightly controlled internal setup — provides a far more stable foundation for CSMv4 compliance than a collection of individually reasonable tools that do not form a coherent whole.

What level of effort should SMEs expect?

It depends significantly on your starting point, your Risk Profile level, and how much evidence infrastructure is already in place.

For an SME approaching Level 1 with Cyber Essentials already in place, reasonable existing practices, and a willingness to invest in documentation and governance, this may mean several months of structured effort followed by an ongoing maintenance commitment. Not trivial. Manageable with the right approach.

For businesses starting from a lower base, or facing Level 2 requirements for the first time, the effort is likely to be more significant. Level 2 requires a broader and more demanding set of controls than Level 1 and, where DCC is used as assurance, a more formal certification route. This is where external support, whether advisory, technical, or both, may help avoid rework and improve the reliability of the outcome.

The worst position to be in is discovering the gap late. If a contract competition or buyer expectation requires DCC certification at a level the current environment cannot support, the timeline to get there is likely to be measured in months, not weeks. That point has become more immediate: following a Defence Digital update published on 8 May 2026, Eleanor Fairford, MOD Director of Cyber Defence & Risk, said she had asked all industry partners to achieve Level 0 DCC certification by 31 December 2026.

For SMEs, Level 0 may sound basic, but the Defence Digital update describes it as including Cyber Essentials for all applicable business-critical systems within scope. Starting the conversation early, with your Delivery Team, with a specialist adviser, or with your managed service provider, is almost always the right call.


About Logiq:

Logiq is an NCSC-assured cyber security consultancy and secure solutions provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.