Cyber Assurance in UK Defence Procurement

For suppliers looking to work with UK Defence, cyber security is no longer a background technical concern; it is increasingly part of supplier readiness, procurement confidence and contract delivery.

That does not mean every opportunity carries the same requirement, or that every supplier will be assessed in the same way. MOD procurements vary widely, from large prime contracts and complex systems delivery through to specialist services, software, consultancy, infrastructure, support and subcontract work. The cyber requirement depends on the nature of the contract, the sensitivity of information being handled, the systems involved, the level of risk assessed by the MOD, and the contractual conditions that apply.

But the direction is clear. Suppliers are expected to understand, evidence and maintain appropriate cyber security controls as part of working in the defence supply chain. For organisations that are new to MOD work, or those moving from lower-risk activity into more sensitive programmes, this can be a significant shift.

The challenge is not simply knowing that frameworks such as CSMv4, DEFCON 658, Defence Standard 05-138 and Defence Cyber Certification exist, but understanding how they fit into the wider procurement and delivery environment.

Defence procurement is not only about winning the bid

The MOD advertises opportunities through various portals, alongside other public procurement routes. For many suppliers, the visible procurement process starts there: finding the opportunity, understanding the requirement, forming the bid team and preparing the submission.

Cyber security, however, often needs to be considered before that point.

Tender documents may include security clearance requirements, Cyber Essentials requirements and Defence Cyber Certification requirements, depending on the nature of the work. MOD’s own guidance for businesses contracting with defence makes clear that the level of clearance depends on the requirement and will be included in tender documents, and that these may also include Cyber Essentials and Defence Cyber Certification requirements.

That matters because cyber readiness is difficult to create at the last minute. If a supplier only starts thinking about cyber assurance once the tender pack is in front of them, they may already be under pressure. The relevant controls may need to be understood, implemented, evidenced and maintained. Where gaps exist, the supplier may need to explain how they will be addressed, and in what timescale.

This is why cyber assurance should be treated as part of defence supplier readiness and not as a task that begins after contract award.

The role of CSMv4, DEFCON 658 and Defence Standard 05-138

The MOD’s Cyber Security Model is the mechanism Defence uses to build cyber security into its supply chain. The Cyber Security Model (CSMv4) is a risk-based, proportionate approach that includes MOD Risk Assessments, Defence Standard 05-138 controls, Supplier Assurance Questionnaires and flow-down where subcontracting is involved.

DEFCON 658 is the contractual condition that lays out the terms for the Cyber Security Model. Where DEFCON 658 applies, the Cyber Security Model becomes part of the contractual relationship, rather than a separate advisory exercise.

Defence Standard 05-138 Issue 4 sets out the cyber security controls defence suppliers are required to achieve at each of the four Cyber Risk Profile levels at which a contract can be assessed. GOV.UK states that the standard applies to MOD procurements, MOD suppliers and subcontract suppliers that have a relationship to one or more MOD contracts.

This is an important distinction: CSMv4 is not simply a form-filling exercise. It connects the cyber risk associated with a contract to a set of proportionate control expectations. Those expectations then need to be evidenced by the supplier through the relevant Supplier Assurance Questionnaire and, where applicable, maintained throughout the contract lifecycle.

The Cyber Risk Profile is not selected by the supplier. MOD Delivery Teams complete the Risk Assessment, which determines the Cyber Risk Profile. Suppliers then self-assess against the CSM requirements using the Supplier Assurance Questionnaire.

For suppliers, the practical implication is straightforward: cyber requirements are shaped by the work being procured, not by a generic view of the organisation. A supplier may have strong security controls in place, but still need to understand how those controls map to the specific contract, Cyber Risk Profile and assurance requirements.

Flow-down matters

Defence work often involves complex supply chains. A prime supplier may depend on specialist subcontractors, software providers, consultants, engineering partners, hosting providers or managed service providers. In those cases, cyber assurance does not stop at the first contractual boundary.

The CSMv4 process includes flow-down guidance. Where suppliers are subcontracting, the supplier completes a Risk Assessment to generate a new Cyber Risk Profile, and the subcontractor completes the appropriate Supplier Assurance Questionnaire.

That flow-down point is easy to underestimate. A supplier may be ready to respond to its own customer requirement, but still lack visibility of the cyber posture of subcontractors supporting the work. This can create delivery risk, assurance delays and avoidable friction during procurement or contract delivery.

For suppliers working as subcontractors, the issue is just as important. They may not be contracting directly with the MOD, but the requirement can still reach them through the prime or higher-tier supplier. In practice, this means defence cyber assurance is not only a prime contractor issue. It can affect organisations at multiple levels of the supply chain.

Evidence is becoming part of supplier credibility

A supplier’s cyber posture is only useful in a defence procurement context if it can be explained and evidenced.

Policy documents have a role, but they are not enough on their own. Suppliers need to demonstrate how relevant controls are implemented, how responsibilities are managed, how systems are protected, how incidents would be handled, and how assurance is maintained over time.

This evidence-led approach is built into the CSMv4 model. Suppliers self-assess against the applicable requirements, and where they cannot meet them, GOV.UK states that they must submit a Cyber Improvement Plan setting out when they will meet the required level of compliance, with associated timescales or reasons why they are unable to comply.

For many organisations, this is where the real work begins. The challenge is not only implementing cyber controls, but maintaining the records, governance and technical evidence needed to show that those controls are operating effectively.

That evidence may include access control records, asset information, risk management activity, vulnerability management outputs, incident response arrangements, supplier assurance, monitoring, logging, business continuity arrangements and evidence of review. The exact evidence required will depend on the contract, Cyber Risk Profile and applicable controls, but the principle is consistent: suppliers need to be able to show how assurance is being achieved, not simply state that it exists.

Defence Cyber Certification is part of the assurance picture

Defence Cyber Certification gives suppliers a recognised route for demonstrating assurance at the appropriate level.

MOD Industry Security Notice 2026/02 confirms that a supplier holding and maintaining valid certification at the appropriate level, issued under the Defence Cyber Certification scheme, may use that certification as assurance of control requirements under DEFCON 658.

That does not remove the need for suppliers to understand their contractual responsibilities. Nor does it mean certification should be treated as a substitute for active cyber risk management. Suppliers still need to maintain their security posture, understand the context of the work they are performing, and respond to contract-specific requirements.

However, DCC does provide an important route for suppliers that need to demonstrate assurance at the relevant level. For buyers, primes and Delivery Teams, valid certification can reduce uncertainty. For suppliers, it can help move cyber assurance from a reactive bid-by-bid activity into a more structured part of organisational readiness.

Secure delivery matters after the contract is won

Cyber assurance does not end once a procurement is complete.

A supplier may be able to satisfy the initial requirement, but then still create risk during delivery if information is shared through uncontrolled routes, external access is poorly managed, sensitive data is duplicated into unmanaged locations, or project teams rely on informal workarounds to keep delivery moving.

This is particularly relevant in defence environments where multiple organisations may need to collaborate across programme boundaries. Drawings, technical documentation, project information, commercial material, operational updates and sensitive data may need to move between MOD teams, primes, subcontractors and specialist suppliers.

The issue is not only whether information can be shared. It is whether it can be shared securely, with appropriate control over access, devices, auditability, retention, export, monitoring and evidence.

For some suppliers, this is where the wider procurement requirement becomes a delivery requirement. It is not enough to win the contract and complete the questionnaire. The operating environment also needs to support secure collaboration, evidence maintenance and ongoing assurance throughout the life of the work.

Cyber readiness should be treated as a defence capability

For suppliers looking to win or retain MOD work, cyber security should not be treated as an isolated compliance task. It is part of being credible, prepared and able to deliver in a defence environment.

That means understanding likely procurement requirements before opportunities arise. It means knowing how CSMv4, DEFCON 658, Defence Standard 05-138 and DCC may apply. It means preparing evidence before it is requested. It means understanding how requirements can flow down to subcontractors. It also means making sure that the systems and collaboration environments used during delivery do not create unnecessary risk.

This is especially important for SMEs and specialist suppliers. Defence wants access to innovation, specialist capability and a wider industrial base, but participation in defence supply chains still carries security obligations. Smaller organisations may not have large internal compliance teams, but they still need a proportionate, organised and evidence-led approach.

The most effective starting point is not to wait for a tender to force the issue. Suppliers should assess where they already stand, what evidence they hold, how their current controls map to recognised requirements, and where they would need support if a defence opportunity introduced a higher level of assurance.

How Logiq can help

Logiq works with organisations operating in defence, government and other regulated environments where cyber assurance, secure collaboration and evidence-led delivery matter.

For suppliers preparing for MOD opportunities, this can include helping interpret CSMv4 and Defence Standard 05-138 requirements, mapping responsibilities, reviewing evidence, identifying gaps, supporting Cyber Improvement Plans and helping organisations build a more proportionate route to compliance.

For organisations that need a secure environment to support defence collaboration, Logiq’s DISX Secure Collaboration platform provides a controlled managed service designed for sensitive work across regulated supply chains. It supports secure access, managed devices, monitoring, resilience and collaboration across organisational boundaries, helping suppliers maintain better control over information throughout delivery.

Cyber assurance in UK Defence procurement is not just about passing a questionnaire; it is about being able to show that the organisation, its systems and its supply chain can be trusted to support defence work securely.

For suppliers, that is now part of the cost of entry, and part of the discipline of delivery.


About Logiq:

Logiq is an NCSC-assured cyber security consultancy and secure solutions provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.