
Defence Supply Chain Cyber Security in 2026
- Overview
- Introduction
- Read the Contract Before Designing the Answer
- How the MOD Supplier Assurance Process Works Under CSMv4
- DCC, Cyber Essentials Requirements and Evidence
- Flow-down Makes Cyber Assurance Real
- When Suppliers Help to Create a Capability
- Handling OFFICIAL-SENSITIVE in Real Delivery
- Secure Collaboration has to Survive Normal Work
- Technical and Operational Supplier Evidence
- Third-Party Services, Cloud and Software Dependencies
- Engineering, Manufacturing and Project Delivery Toolchains
- Incident Response, Reporting and Resilience Across Boundaries
- 90-day Starting Plan for Defence Suppliers
- Questions to Put to the Authority, Prime or Customer
- Common Mistakes That Make Assurance Harder
- FAQs
- Glossary
- How We Can Help
- Related reading
- Source and citations
Defence Supply Chain Cyber Security – A Practical Guide for UK Suppliers
Whether you’re preparing for your first MOD contract, responding to a prime contractor’s cyber requirements or reviewing an established defence operating model, this guide brings together the policies, standards and practical considerations that shape cyber security across the UK defence supply chain.
Rather than treating CSMv4, Defence Standard 05-138, Defence Cyber Certification, Secure by Design, Security Aspects Letters and information handling as separate topics, it explains how they fit together in real delivery. The emphasis throughout is on translating contractual obligations into practical operating models that can be evidenced, audited and sustained over time.
The guide is intended as a living reference and will continue to evolve alongside MOD policy and guidance.
Updated Q3 2026 | Built around Digital MOD.UK and GOV.UK guidance as of 6 July 2026

If you only remember five things from this guide:
- Start with the contract, not the technology.
- Your assigned Cyber Risk Profile defines the minimum control requirements.
- Cyber assurance extends across subcontractors, suppliers and third-party services through flow-down.
- Collect evidence as part of normal delivery rather than immediately before an assessment.
- Secure collaboration is an operating model combining people, process and technology, not simply a platform.
Introduction
The phrase “defence supply chain” can sound abstract until a programme begins. Then it becomes obvious how many people, organisations and systems sit between an Authority requirement and a delivered outcome. A design house passes drawings to a manufacturer. A prime needs a specialist modeller. A software supplier brings in a cloud provider. A consultancy retains a niche subcontractor for assurance or test. Project data, commercial context, technical information and operational decisions move with each hand-off. Cyber security has to survive that movement without bringing delivery to a standstill.
The MOD approach is built around that reality. CSMv4 is explicitly risk-based and proportionate, while Defence Standard 05-138 Issue 4 widens the focus from a narrow “information received from MOD” lens to the supplier organisation’s business-critical operations, systems, processes and dependencies. That is why a supplier can no longer treat cyber assurance as a document prepared around one programme folder. The delivery environment, the people who administer it, the devices that reach it, the third-party services it relies on and the ability to recover from disruption all matter.
The required Cyber Risk Profile is determined through the CSM process and should be proportionate to the risk associated with the contractual activity. Each supplier needs an operating model that reflects its role, risk profile and delivery dependencies. Policies must connect to the systems people use, the access they receive, the suppliers they depend on and the evidence they retain. When a customer, auditor or incident asks how a control works, the answer needs to describe the real delivery environment.
What makes defence different from a conventional B2B supply chain?
The cyber fundamentals are familiar: manage identity, keep systems updated, understand assets, control access, detect suspicious activity, recover from disruption and make suppliers accountable. Defence adds a greater concentration of long-lived programmes, complex subcontracting, sensitive technical information, government security conditions and a realistic need to show assurance across organisations that may have very different levels of maturity. The challenge is rarely a lack of controls in isolation. The weak points appear at the joins: shared document repositories, personal accounts, unmanaged devices, ad hoc file transfers, access granted “just for the week”, specialist subcontractors who are engaged late, and evidence that has no clear owner.
There is also a practical distinction between protecting a single data set and protecting the business activity that enables delivery. The 2026 clarification to the CSM scope makes this explicit. The requirements apply across a supplier as a legal entity to its business-critical operations; they are infrastructure-agnostic; and where critical operations rely on third parties, the supplier must be able to evidence appropriate contractual, technical and/or assurance measures. That is a serious shift in emphasis for organisations that previously assumed a separate “MOD tenant”, folder or project team was the full answer.
Instead of asking only “where is the sensitive data?”, ask “what has to keep working for us to deliver this contract, and who or what could interrupt it?” That question produces a more honest map of people, systems, identities, suppliers, sites and recovery dependencies.
Read the Contract Before Designing the Answer
Cyber assurance in defence is often described in the language of frameworks. In day-to-day delivery, the contract pack is the real starting point. A tender, contract or subcontract may contain DEFCONs, a Risk Assessment Reference, a stated Cyber Risk Profile, a Security Aspects Letter, an information-classification position, a Security Grading Guide, additional technical requirements, reporting expectations, project-specific milestones and conditions for onward subcontracting. Requirements that look similar on two opportunities can lead to different operational answers because the asset, capability, geography, personnel arrangement or programme risk is different.
DEFCON 658 provides the contractual structure for cyber obligations and includes sections covering contractor obligations, management of subcontractors, records and audit. The public CSM guidance confirms that suppliers are responsible for flow-down, while the 2026 SAL guidance reinforces that applicable contractual security conditions must be flowed down when a supplier subcontracts or collaborates with another Defence supplier on classified work. Treat commercial, delivery and security review as one mobilisation activity. Leaving the security documents with one person to “translate later” is a dependable way to create rework.
A Security Aspects Letter deserves particular attention. Where a Defence supplier will access assets graded OFFICIAL-SENSITIVE or higher, the current guidance says a SAL is used to provide the relevant security aspects. The document should be project-specific, kept current, reviewed at least annually and reviewed at each contract amendment. A supplier is expected to acknowledge it before work begins. When a SAL is unclear or seems impracticable, the guidance is equally direct: raise it with the Contracting Authority promptly. A vague assumption is not a defensible control.
A mobilisation checklist that makes the contract usable
| Step | What “good” looks like |
| 1. Identify the legal entities | Record the bidding entity, delivery entity, any group service providers, key subcontractors and where each one sits in the contractual chain. |
| 2. Read the security documents together | Review the ITT or contract, DEFCONs, SAL, classified-asset definitions, Cyber Risk Profile, supporting schedules and prime-flow-down wording as one pack. |
| 3. Map the delivery model | Document who needs access, what they need to do, where work is performed, which systems are involved, and what will be shared across organisational boundaries. |
| 4. Establish the evidence owner | Assign named owners for Cyber Essentials, DCC, SAQ, policies, technical evidence, subcontractor records, incident response and customer communication. |
| 5. Ask early questions | Confirm ambiguity before submitting a bid or bringing a subcontractor on board. A question asked early is usually cheaper than a design reversal after award. |
How the MOD Supplier Assurance Process Works Under CSMv4
The Cyber Security Model is the MOD mechanism for building cyber security into the defence supply chain. Version 4 is live and uses four new Cyber Risk Profiles: Level 0, Level 1, Level 2 and Level 3. It shifts the focus toward organisational security and resilience, uses the control requirements in Defence Standard 05-138 Issue 4 and is supported by the Supplier Cyber Protection Service for Risk Assessments and Supplier Assurance Questionnaires.
For a new opportunity, the Authority should provide the Risk Assessment Reference and the required Cyber Risk Profile at the earliest market engagement, usually within the invitation to tender. The supplier then completes the SAQ through the Supplier Cyber Protection Service. The SAQ is scored against the relevant profile. Where the supplier cannot demonstrate compliance, the Cyber Improvement Plan process allows the supplier to explain the gap, the remediation route and the relevant timescale. The proposal can form part of the contract documentation and is taken into account during supplier selection and award.
The annual dimension matters. Under the public MOD guidance, suppliers complete a new SAQ on the anniversary of contract award, with a one-month window after that anniversary for timely completion. That turns evidence into an operating responsibility rather than a bid-stage effort. Cyber security owners, programme managers and commercial leads need a calendar that recognises the cycle; otherwise the organisation will scramble each year to find proof it should already be collecting.
The four Cyber Risk Profile levels
| Profile | The official framing |
| Level 0 – Basic | Normally used where assessed cyber risk is very low. The standard specifies 3 controls. |
| Level 1 – Foundational | Normally used where assessed risk is low to moderate. The standard specifies 101 controls and a comprehensive cyber-security programme with good practice. |
| Level 2 – Advanced | Normally used where assessed risk is high. The standard specifies 139 controls and expects advanced oversight and planning that drive robust organisational and cyber practice. |
| Level 3 – Expert | Normally used where assessed risk is substantial. The standard specifies 144 controls and expects expert capability using defence-in-depth methods against evolving threats. |
The assigned CRP comes from the CSM Risk Assessment, rather than an internal maturity judgement or a level selected for commercial convenience. The 2026 clarification goes further: the assigned CRP level defines the minimum control requirements for the relevant Defence contract. The supplier’s own risk assessment remains important, yet it cannot lower the contractual floor.
What the control model points to in practice
Defence Standard 05-138 connects governance, risk management, asset management, supply-chain management, physical access, identity and access control, secure configuration, vulnerability management, security monitoring, incident response, recovery, testing and organisational learning. The standard requires controls to be documented and implemented with auditable evidence; Cyber Essentials applies across the relevant contract scope at all levels, while Cyber Essentials Plus applies at Levels 2 and 3. Higher levels bring increased expectations around monitoring, testing, response and assurance.
Turn each applicable control into an answerable question: who owns it, where it applies, which evidence proves it, how often it is reviewed and what happens when it fails? That produces a control map the business can use. Where a business-critical operation relies on a provider, document the dependency, residual responsibility and evidence route rather than relying on a generic statement that the provider ‘handles it’.
AVOID THE OLD BOUNDARY Do not organise readiness around the idea of “MOD information versus the rest of the business”. CSMv4 and the Issue 4 scope focus on business-critical operations and organisational resilience. The systems your payroll team uses may be irrelevant; the identity platform, endpoint management, email service, engineering repositories and outsourced IT service that keep delivery running are much harder to exclude.
DCC, Cyber Essentials and the Difference Between Meeting a Requirement and Evidencing It
Defence Cyber Certification is an organisation-wide certification scheme for UK defence suppliers, delivered for MOD by IASME. It aligns with the four CSMv4 levels. Its role is important because it creates an independent route for demonstrating compliance with the corresponding Defence Standard 05-138 control level. Under ISN 2026/02, a valid DCC certificate at the same or a higher corresponding level should be accepted as assured evidence that the supplier has satisfied the relevant Def Stan control requirement under DEFCON 658.
The operational detail matters more than the headline. A DCC certificate does not currently exempt a supplier from completing the full SAQ through the Supplier Cyber Protection Service, because the SAQ remains part of the contractual risk-assessment and procurement process. It also applies to the entity assessed. It does not automatically cover a wider corporate group unless a group-level arrangement has been expressly justified and approved through the certification authority. Group companies, shared services and overseas support functions need to be mapped deliberately rather than assumed into scope.
Cyber Essentials remains foundational. It is a government-backed certification built around five technical control areas: secure configuration, user access control, malware protection, security update management and firewalls. In Defence Standard 05-138 Issue 4, Cyber Essentials is required at all four profile levels for the relevant contract scope, while Cyber Essentials Plus is required at Levels 2 and 3. The wider Defence standard also requires evidence around governance, resilience, monitoring, recovery and supply-chain responsibility.
What DCC level tells a customer about a supplier
| Certification held | Corresponding evidence position |
| DCC Level 0 | Can evidence Level 0 compliance. |
| DCC Level 1 | Can evidence Levels 0 and 1 compliance. |
| DCC Level 2 | Can evidence Levels 0, 1 and 2 compliance. |
| DCC Level 3 | Can evidence Levels 0, 1, 2 and 3 compliance. |
MOD has said that it anticipates Level 0 certification becoming a baseline requirement for Defence suppliers. The wording is prospective, so it should not be represented as a universal current requirement unless the tender or contract says so. The practical message is still clear: suppliers that intend to work regularly in Defence should put DCC on the roadmap before a tender forces the decision, particularly where the relevant entity has a complex group structure or significant third-party dependencies.
Flow-down Makes Cyber Assurance Real
Flow-down is how Defence requirements move from a prime contractor to lower-tier subcontractors and continue through the chain. It is not an administrative afterthought. The MOD’s public guidance describes it as a core part of the process for monitoring and gaining assurance across the defence supply chain. Under the CSM model, suppliers who subcontract are responsible for conducting the relevant Risk Assessment, generating the Risk Assessment Reference for the subcontract and requiring the subcontractor to complete the appropriate SAQ. This can continue through each tier.
The practical problem is that subcontractors are often engaged late. A bid assumes a specialist will be available; the specialist is selected after award; access is granted before the security questions have been resolved; then the programme discovers that the subcontractor does not have the required certification, cannot provide the required evidence or has a delivery model that depends on unmanaged personal devices and informal file transfer. By then, the gap has become a programme issue. Bring cyber assurance into supplier selection alongside cost, capacity, technical competence and schedule.
For existing contracts, the current MOD guidance says a supplier must first receive a new CSMv4 Cyber Risk Profile and Risk Assessment Reference from its customer before starting new flow-down activity under CSMv4. If you have not received that information, request it from the Delivery Team or buyer. This detail matters because CSMv3 and CSMv4 profiles are not directly comparable, and the public guidance says new flow-down activity cannot be completed under the legacy interim process.
A workable flow-down operating model
| Lifecycle point | Minimum discipline |
| Before selection | Define which roles, systems, assets and information the supplier will need. Ask whether they will introduce their own cloud, software, support or further subcontractors. |
| At selection | Evaluate cyber capability and evidence as part of the sourcing decision. Include the delivery entity, not simply a parent-brand certificate. |
| At contract | Flow down relevant contractual security conditions, CSM requirements and information-handling obligations in writing. Name the evidence and reporting expectations. |
| At onboarding | Set up access by role, not convenience. Confirm named users, supported devices, training, approved collaboration routes and offboarding dates. |
| During delivery | Review access, track changes in scope, collect updated certificates, resolve evidence gaps and understand any new dependencies. |
| At exit | Remove access, recover or dispose of information as required, retain records, and make sure successor suppliers do not inherit uncontrolled accounts or data stores. |
Questions that expose a weak subcontracting model early
- Which legal entity will actually perform the work, and does the available certification cover that entity?
- What systems will the supplier use to receive, store, process, create or transmit programme information?
- Will the supplier use personal devices, unmanaged contractor accounts, consumer file-sharing, personal email or unapproved SaaS?
- Does the supplier rely on a managed service provider, cloud service, specialist software vendor or further subcontractor to deliver the work?
- Who owns their incident response, evidence collection, access reviews and offboarding?
- Can the supplier provide the relevant evidence on the timetable needed for bid, mobilisation and annual assurance?
- What changes if the supplier brings in a new third party halfway through the work package?
When Suppliers Help to Create a Capability
CSMv4 and Defence Standard 05-138 are concerned with supplier organisational resilience. Secure by Design addresses a different, connected problem: whether a MOD capability has cyber security built into it through its lifecycle. MOD’s 2023 Secure by Design requirements apply to the definition, acquisition, development, maintenance and disposal of information-based capabilities. The scope is wide and includes networks, applications, services, information technology, operational technology, platforms and weapons systems.
The seven MOD principles are a useful organising spine for capability delivery: understand and define context; plan security activities; implement continuous risk management; define security controls; engage and manage the supply chain; assure, verify and test; and enable through-life management. The themes sound familiar because good capability security is inseparable from good programme discipline. The value comes from putting decisions, evidence, risk ownership and technical assurance into the work while architecture and delivery choices can still be changed.
The wider cross-government Secure by Design policy contains ten principles and is mandatory for departments, arm’s length bodies and executive agencies whose services are subject to the digital and technology spend-control process. It offers useful context for suppliers. MOD-specific requirements continue to be defined through the contract, SAL, Defence Standards and other programme documentation.
The supply-chain principle that changes delivery behaviour
“Engage and manage the supply chain” is often interpreted as a procurement task. On a live defence programme it is an engineering and assurance task as well. A component supplier can create a vulnerability through firmware, lifecycle support, update mechanisms or an overlooked remote service. A cloud platform can change its feature set. A software library can introduce a dependency that no one owns. A consultancy can retain a specialist who needs access to sensitive design material. Secure by Design requires those dependencies to be surfaced, assessed and governed rather than appearing as a surprise at the point of integration or incident.
The MOD Secure by Design Problem Book is useful precisely because it avoids the easy fiction that supply-chain assurance is solved through a single certificate or questionnaire. It identifies supplier assurance as a continuing challenge: MOD relies on suppliers for architectural design, implementation and through-life support, but suppliers may be constrained in what they can share as evidence. That is a healthy reminder for both buyers and suppliers. The aim is to build confidence through proportionate evidence, dialogue, technical testing and accountable decision-making, rather than to produce a perfect-looking spreadsheet.
Handling OFFICIAL-SENSITIVE in Real Delivery
The Government Security Classifications Policy establishes three tiers: OFFICIAL, SECRET and TOP SECRET. It places OFFICIAL-SENSITIVE within the OFFICIAL tier as a marking used when compromise is likely to cause moderate damage to the work or reputation of the organisation and/or HMG. Classification describes sensitivity and baseline behaviours; the contract, SAL and the particular information, people, systems and sharing route determine the delivery model.
Where a supplier will access classified assets at OFFICIAL-SENSITIVE or above, ISN 2026/04 says the relevant security aspects should be communicated through a SAL. The SAL should describe the project-specific security dimensions and may reference information classification, capabilities, contractual information, security controls, milestones, personnel arrangements, security grading guidance and other considerations. It can be graded at the lowest appropriate level, and the guidance advises separating higher-classified material into an annex rather than unnecessarily raising the classification of the whole document.
For day-to-day teams, the important outcome is clarity. People need to know what they are permitted to share, with whom, where it may reside, which devices and services may access it, how access is approved, which handling instructions apply, when it must be reviewed and what to do when they are unsure. A well-designed collaboration environment helps, but it cannot correct an undefined or misunderstood information model. The right controls start with an agreed understanding of the asset and the intended use.
A practical information-flow exercise
Take one important artefact – a design drawing, interface-control document, test report, vulnerability finding, programme plan or commercial work package – and follow it from creation to archive. Who creates it? Which identity provider authenticates the creator? Where does the document live? Who can share it externally? Can it be downloaded? What does the audit trail capture? How is a contractor removed? Does the recipient need to be revalidated? What happens when a version is superseded? How is the record retained or disposed of? In a complex supply chain, this exercise exposes the difference between “we use secure tooling” and “we can govern information across the programme”.
A POINT THAT GETS MISSED Cross-government policy states that OFFICIAL information, including information marked SENSITIVE, can be stored or processed in overseas data centres or cloud regions where satisfactory legal, data-protection and security practices are in place. There is no universal UK-location rule at this classification level. MOD contract requirements, a SAL or other programme constraints can still impose a different answer for a specific delivery scenario.
Secure Collaboration has to Survive Normal Work
Defence programmes move quickly across organisational boundaries. Teams exchange design material, plans, test outputs, requirements, commercial documentation and decisions. When approved routes are awkward or slow, people create workarounds: files copied into unmanaged locations, personal accounts used for convenience, access widened beyond the original need, passwords shared through informal channels and duplicate versions becoming the working copy. The operational test is whether the approved route is usable enough for normal delivery while maintaining the controls the programme needs.
A defensible secure-collaboration model normally combines several disciplines: named identities; managed or trusted devices; role-based permissions; strong authentication; controlled external access; clear ownership of shared workspaces; version control; monitoring and audit; data-handling rules; a defined onboarding route; and prompt offboarding. The exact tools will vary. The answer must map to the actual flow of information, the relevant contract conditions and the organisation’s Cyber Risk Profile. It should also leave an evidence trail that a supplier can produce without reconstructing it after the event.
This is where a managed environment can have practical value. It can bring identity, device standards, monitoring, secure internet access, audit and vulnerability-management responsibilities into a more coherent operating model. However, a managed environment is still only part of the answer. The programme needs agreed information-handling rules, supplier onboarding, role definitions, processes for exceptions, ownership of shared content and a route for reviewing changes. Technology can make good practice easier; it cannot create clear accountability in its absence.
Patterns that hold up under scrutiny
| Working pattern | Why it matters |
| External access is sponsored | Every external user has a named internal sponsor, a role, a business purpose, a review date and an offboarding path. |
| Sensitive sharing happens in one governed route | The working version stays in a controlled workspace. Email is not used as the default document-management system. |
| Projects have an owner | Each workspace has a responsible business owner who can approve access and explain what should remain there. |
| Audit is useful | The organisation can identify who accessed, shared, downloaded or changed material without relying on manual recollection. |
| Exceptions are recorded | Urgent sharing and temporary access are treated as managed exceptions with expiry, evidence and review rather than permanent shortcuts. |
| Offboarding is part of mobilisation | The project knows how access will be removed and information managed when the work package, person or supplier leaves. |
The Technical and Operational Foundations Suppliers Need to Evidence
The most useful way to read Defence Standard 05-138 is as a set of operating outcomes. It expects suppliers to manage risk, protect against attack, detect security events and minimise the impact of incidents. This is closely aligned with the NCSC Cyber Assessment Framework’s structure, although the CAF serves a different primary purpose and should not be treated as a replacement for contractually applicable Defence requirements. The two frameworks are complementary reference points: Def Stan defines the contractual control floor for CSMv4 profiles; CAF provides a broader resilience lens for organisations with essential functions or a need for mature cyber-governance benchmarking.
Governance and risk
At Levels 1 to 3, the Defence standard expects governance, clearly defined roles and responsibilities, risk-management processes, senior accountability and assurance. The practical evidence often includes a cyber-risk register that connects to business risk; named decision-makers; policy and standards that reflect how the organisation operates; an asset and dependency model; board or senior-management reporting; regular reviews; and tracked remediation. The standard does not reward a policy library for its own sake. It expects documented and implemented controls with auditable evidence.
Identity, access and devices
Identity is the control plane for modern collaboration. The standard requires suppliers to understand, document and manage access to networks, systems and removable media that support functions and protect data. It includes multi-factor authentication at higher applicable levels, device management, privileged-user management, least privilege, access to audit data and identity-and-access management. For a supply-chain organisation, those requirements turn into practical disciplines: no shared user accounts; no orphaned admin access; no unowned service accounts; no uncontrolled contractor access; and no unmanaged endpoint quietly becoming the route into programme data.
Configuration, vulnerability management and testing
Secure configuration and vulnerability management are not areas where a supplier can rely on good intentions. The applicable Defence Standard 05-138 controls require secure configuration and a vulnerability-and-patch-management process that identifies, reports and remediates internal and external-facing vulnerabilities. The standard describes monthly vulnerability scans and scans around major system or application updates, prioritisation using CVSS v3 or above, risk-treatment planning and retention of evidence. It also includes at least annual penetration testing of externally facing systems that support business functions and protect data, with scope, methodology and findings recorded. These expectations make evidence management a technical responsibility, not a compliance afterthought.
Monitoring, response and recovery
The standard expects security monitoring, documented coverage, named responsibilities and escalation. At higher levels, expectations include continuous monitoring. It also requires up-to-date incident-response plans, the capability to enact them, and exercises at least every 12 months using relevant scenarios. Those phrases have a human implication: suppliers need to know who receives an alert on a Friday afternoon, who can isolate an account, who speaks to the customer, where the critical logs are, what the recovery priorities are and who decides whether a subcontractor incident affects the programme. A plan kept in a shared folder is not enough if nobody has practised the decisions.
Evidence that is worth collecting as you work
| Control area | Useful evidence |
| Governance | Board or leadership reporting, risk decisions, accountable roles, policy approvals, exception records. |
| Assets and dependencies | Asset inventories, network diagrams, service ownership, supplier registers, data-flow records. |
| Identity and access | Access reviews, MFA coverage, privileged-access records, onboarding and offboarding logs, service-account ownership. |
| Vulnerability management | Scan results, patch reports, remediation tickets, risk-acceptance decisions, penetration-test reports. |
| Monitoring and response | Monitoring design, alert runbooks, incident records, escalation matrix, retention settings, exercise outcomes. |
| Supply chain | Due diligence, certificates, SAQs, flow-down records, subcontractor agreements, service-provider assurance and reviews. |
| Business continuity | Recovery plans, restore evidence, tabletop exercises, lessons learned and corrective actions. |
Third-Party Services, Cloud and Software Dependencies
Most defence suppliers rely on third parties. That does not automatically create a problem; it changes the assurance task. The 2026 CSM scope clarification is clear that the Def Stan controls apply to business-critical operations regardless of the supplier’s underlying infrastructure. Where those operations rely on third-party services, the supplier must implement appropriate contractual, technical and/or assurance measures to evidence that the controls are met. A cloud provider’s security documentation, a managed-service contract or a software supplier’s certification can all form part of the answer. They do not remove the supplier’s responsibility to understand how the dependency affects its own control position.
The same principle applies to software supply chains. Open-source components, developer platforms, remote-support tools, engineering applications, APIs, build pipelines and endpoint agents can become critical dependencies. Mature suppliers keep an inventory of what is in use, who owns it, how it is updated, which accounts and secrets can access it, what happens if the service fails and whether it introduces a new onward supplier. This work sits within asset management, secure configuration, supply-chain management and recovery planning.
Cloud-location questions require restraint. Cross-government policy states that data at OFFICIAL, including the SENSITIVE marking, can be stored and processed in overseas data centres or cloud regions where appropriate legal, data-protection and security practices are in place, and that there is no universal UK-location requirement at that classification level. A supplier must still check the contract, SAL, export-control considerations, customer instructions and the operational details of the service. Record a decision grounded in the actual requirement and the service being delivered.
Practical third-party assurance
Start with a supplier inventory that identifies the provider, service, business owner, information handled, criticality and renewal date. Keep evidence proportionate to the dependency: relevant certifications or control reports, contractual commitments, technical architecture, incident-notification obligations and review records.
Make ownership explicit for accounts, administrative access, support channels, API keys, integration credentials and backups. For genuinely business-critical services, maintain a documented response to material terms changes, incidents, feature withdrawal or provider financial distress, alongside a transition or exit plan for programme data and assurance records held in the platform.
Engineering, Manufacturing and Project Delivery Toolchains
Office-document collaboration is only one part of the defence supply chain. Engineering, manufacturing and programme-delivery teams may work across CAD models, drawings, bills of materials, simulation outputs, test data, requirements tools, issue trackers, source repositories, configuration baselines, supplier portals and field-service records. These artefacts can carry sensitive technical and commercial context even where the document itself is not obviously classified. The cyber question needs to follow the work: how is version control maintained, who can change a baseline, what is exported, how are external suppliers brought into the toolchain, where does local working happen and how is access removed when a work package finishes?
Security and programme controls reinforce each other here. A clean configuration-management process supports delivery quality and cyber assurance. A controlled design-review process supports engineering integrity and information handling. A supplier register that distinguishes approved from unapproved participants supports procurement governance and access control. Strong operating models build the relevant security checks into the release, change, onboarding and work-package closure processes teams already use.
A PRACTICAL TEST Ask a programme lead to show how a design revision reaches the right external people, how a superseded version is identified, and how the organisation can tell who accessed it. The answer usually reveals whether security, configuration control and collaboration are operating as one system or as separate paperwork.
Incident Response, Reporting and Resilience Across Organisational Boundaries
Defence supply-chain resilience is judged under pressure. A ransomware event, compromised account, lost device, third-party breach, software vulnerability or mistaken disclosure can quickly become a shared operational problem. The supplier needs to understand its own response responsibilities, the contractual reporting routes, the information that needs to be preserved, which systems can be isolated, how delivery will continue and when the Authority or prime needs to be informed. The right answer differs by contract and incident, so teams should establish the contact route and decision-making arrangements before an incident occurs.
Defence Standard 05-138 expects incident-management processes grounded in risk assessment, continuity of business functions and protection of data. It expects response and recovery capability, and annual exercises at a minimum. These exercises should move beyond a generic phishing scenario. A valuable defence-focused exercise could explore a compromised external engineer account, loss of access to an engineering SaaS platform, evidence that a subcontractor has been breached, a file shared to the wrong recipient, or a vulnerability in a critical software component. The purpose is to find decision bottlenecks while the programme still has time to fix them.
An exercise should produce usable decisions
A useful exercise confirms who can make operational, commercial and security decisions outside normal office hours, and leaves the team with a practical contact tree for the customer, prime, managed-service provider, cloud provider, legal advisers and key subcontractors.
It should clarify what evidence needs preserving, what can be contained immediately and what must be reported through the contract route. Recovery priorities should reflect programme obligations, with actions assigned to named owners and followed through governance meetings rather than filed as an exercise report.
A 90-day Starting Plan for Defence Suppliers
Start by establishing a reliable baseline, understanding the contract and building the evidence habit. This plan is designed for organisations that may already have good controls yet lack a clean defence-specific view of what applies, who owns it and where proof lives.
Days 1-30: create a shared factual picture
- Collect current MOD and prime contracts, tenders, subcontracts, SALs, DEFCONs, Risk Assessment References, CRPs and any existing CIPs.
- Identify the legal entity or entities that deliver Defence work and map group services, outsourced IT, cloud platforms and critical suppliers.
- Record current Cyber Essentials and Cyber Essentials Plus scope, DCC status, previous SAQs and certificate expiry dates.
- Build a short inventory of systems, information flows, collaboration spaces, identities, devices and suppliers that enable delivery.
- Name owners for assurance, technical evidence, subcontractor management, incident response and contract interpretation.
Days 31-60: close the biggest gaps in the operating model
- Map the assigned CSMv4 level and Def Stan controls to existing policies, technologies, services and evidence. Prioritise absent or weak evidence around identity, devices, asset management, vulnerability management, monitoring, response and suppliers.
- Review external-access pathways. Remove shared identities, confirm MFA, set access-review dates and define a sponsor model for contractors and partner users.
- Create a repeatable subcontractor onboarding pack that includes cyber due diligence, contractual flow-down, acceptable collaboration routes and exit steps.
- Run one information-flow exercise on a high-value programme artefact and document the practical remediation actions.
- Agree an escalation route for SAL questions, CRP ambiguity, new subcontractors, major tool changes and suspected incidents.
Days 61-90: demonstrate that the model can operate
- Complete the relevant SAQ or prepare the evidence set needed for the next tender, renewal or DCC assessment.
- Conduct an incident-response tabletop exercise based on a realistic supply-chain scenario and track actions to closure.
- Review critical third parties against their security, access, incident, resilience and exit commitments.
- Set a calendar for annual SAQs, certificate renewal, policy review, access recertification, penetration testing, vulnerability scanning, supplier review and exercises.
- Give senior leadership a short decision paper showing current CRP obligations, major gaps, risk acceptance decisions, remediation dates and resource needs.
Questions to Put to the Authority, Prime or Customer
Good suppliers surface unclear requirements early and keep the answers with the contract record. The following questions create clarity without forcing the customer to rewrite the whole security model.
- What Cyber Risk Profile and Risk Assessment Reference apply to this opportunity or existing contract?
- Does the contract contain DEFCON 658, and what evidence will the Authority or prime expect at bid, mobilisation and annual review?
- Is a DCC certificate required, accepted as evidence, or expected by a particular date? Which legal entity must hold it?
- Which information classifications, handling instructions and contractual security conditions apply to the work?
- Will a Security Aspects Letter be issued? If so, who should receive it and who must acknowledge it?
- Which systems, collaboration routes, devices, networks, locations and external parties are permitted or restricted for this work?
- What flow-down obligations apply to subcontractors, and what must be visible to the Authority or prime?
- What is the reporting route and expected timescale for a suspected cyber incident, loss of information, serious vulnerability or material supplier failure?
- Are there project-specific requirements for cloud services, export controls, operational technology, classified assets, personnel vetting or facility arrangements?
- Which requirements change when the work package, team composition or subcontracting model changes?
KEEP THE ANSWER Record written responses against the contract pack. A decision made in a tender clarification or mobilisation meeting can be as operationally important as a policy document, particularly when the programme later changes people or suppliers.
Common Mistakes That Make Assurance Harder Than It Needs to Be
| Pattern | Why it fails |
| Treating a certificate as the whole answer | Cyber Essentials and DCC are important, but they sit within a wider set of contractual, operational and evidence obligations. Scope, legal entity and current status all matter. |
| Starting with technology | A platform choice made before the contract, information flow, users, suppliers and evidence expectations are understood often has to be reworked. |
| Assuming the prime owns the risk | The prime may impose requirements, but each supplier remains responsible for its own business-critical operations, contracted obligations and subcontractor management. |
| Keeping security in a separate workstream | Security decisions need to reach commercial, engineering, IT, operations and project teams. Otherwise the control is agreed on paper and bypassed in delivery. |
| Onboarding subcontractors late | Late assurance turns a supplier gap into a programme delay. Include cyber questions in selection and mobilisation. |
| Treating OFFICIAL-SENSITIVE as a tool specification | Classification informs protection; the applicable technical and procedural controls are determined by the contract, SAL, information and delivery context. |
| Collecting evidence only before assessment | Annual assurance and incident readiness make evidence a continuous operating responsibility. |
| Forgetting the shared-service model | Certification and assurance need to match the legal entity, scope and real dependency structure. Group branding does not automatically create group coverage. |
Frequently Asked Questions
What is the MOD Cyber Security Model?
The Cyber Security Model is the MOD’s risk-based, proportionate approach for building cyber security into the defence supply chain. Under CSMv4, it uses Risk Assessments, four Cyber Risk Profiles, Defence Standard 05-138 Issue 4 controls, Supplier Assurance Questionnaires and flow-down where subcontracting is involved.
Does CSMv4 apply to subcontractors?
CSMv4 supports flow-down through the supply chain. A supplier that subcontracts completes the relevant Risk Assessment, generates a Risk Assessment Reference and requires its subcontractor to complete the appropriate SAQ. The process can continue through tiers.
What is Defence Standard 05-138?
Defence Standard 05-138 Issue 4 defines the cyber controls that suppliers are required to achieve at each of four Cyber Risk Profile levels. It applies to MOD procurements, suppliers and subcontract suppliers with a relationship to one or more MOD contracts.
Is Cyber Essentials enough for an MOD supplier?
Cyber Essentials is foundational and is required by Def Stan 05-138 Issue 4 across all CSMv4 levels for the relevant contract scope. The Defence standard also sets expectations around governance, risk, suppliers, monitoring, response, recovery and evidence. Cyber Essentials Plus is required at Levels 2 and 3.
What is Defence Cyber Certification?
DCC is an organisation-wide certification scheme for UK Defence suppliers. A valid certificate at the same or a higher corresponding level can be accepted as assured evidence that the supplier meets the relevant Def Stan 05-138 control level under DEFCON 658.
Does DCC mean we can skip the Supplier Assurance Questionnaire?
No. The current MOD guidance says suppliers with a valid DCC certificate are still required to complete the full SAQ at the relevant level through the Supplier Cyber Protection Service as part of the contractual risk-assessment and procurement process.
Does a DCC certificate cover our whole group?
Not automatically. The current CSM scope clarification states that certification applies to the entity undergoing assessment. Group-wide coverage requires an explicitly justified and approved group-level arrangement.
How often do we complete a Supplier Assurance Questionnaire?
Under the public CSMv4 guidance, suppliers complete a new SAQ on the anniversary of the contract award date, with a one-month completion window after the anniversary.
What is a Cyber Improvement Plan?
A CIP is the route used where a supplier cannot meet the required CSM controls. It records the improvement activity, timings and reasons for non-compliance, and can form part of the contract documentation.
What is DEFCON 658?
DEFCON 658 is the MOD Defence Condition that lays out the contractual terms for the Cyber Security Model, including contractor obligations, subcontractor management, records and audit.
What is a Security Aspects Letter?
A SAL is a project-specific contractual document used to communicate relevant security aspects. Under current MOD guidance, it is used where the Defence supplier will access classified assets at OFFICIAL-SENSITIVE or above.
Is OFFICIAL-SENSITIVE a separate classification?
The Government Security Classifications Policy sets three tiers: OFFICIAL, SECRET and TOP SECRET. OFFICIAL-SENSITIVE is a marking within OFFICIAL that provides additional information about sensitivity and handling.
Does OFFICIAL-SENSITIVE require data to stay in the UK?
There is no universal cross-government requirement for OFFICIAL information, including information marked SENSITIVE, to be stored or processed only in UK regions. Contract-specific requirements, SALs, export controls and Authority direction can change the answer for a particular programme.
What is Secure by Design in MOD?
MOD Secure by Design is a lifecycle approach to ensuring cyber security is built into information-based capabilities from definition and acquisition through development, maintenance and disposal. It includes seven MOD principles, one of which is engaging and managing the supply chain.
Where should a smaller supplier start?
Start with the active contract or opportunity, establish the assigned CRP and documents that apply, confirm Cyber Essentials scope, map the delivery entity and dependencies, and create a practical evidence register. The NCSC Cyber Action Toolkit and Cyber Essentials guidance can also help smaller organisations improve their baseline.
Glossary
| Term | Meaning |
| Authority / Contracting Authority | The MOD customer body that issues the procurement or contract and communicates relevant contractual and security obligations. |
| CAF | NCSC Cyber Assessment Framework. A resilience framework primarily aimed at organisations with essential functions, CNI and other critical responsibilities. |
| CIP | Cyber Improvement Plan. The route for documenting remediation where a supplier cannot demonstrate required CSM compliance. |
| CRP | Cyber Risk Profile. The level generated by the CSM risk-assessment process: Level 0, 1, 2 or 3 under CSMv4. |
| CSMv4 | Cyber Security Model Version 4. The current MOD supplier-cyber-assurance process described in the public guidance. |
| Cyber Essentials | A government-backed certification based on five technical control areas: secure configuration, user access control, malware protection, security-update management and firewalls. |
| Cyber Essentials Plus | An independently verified version of Cyber Essentials. Required in Def Stan 05-138 Issue 4 at CSMv4 Levels 2 and 3. |
| DCC | Defence Cyber Certification. An independent organisation-wide certification route for UK Defence suppliers aligned with CSMv4 levels. |
| DCPP | Defence Cyber Protection Partnership. The joint MOD and industry initiative focused on improving protection of the defence supply chain from cyber threat. |
| Def Stan 05-138 | Defence Standard 05-138. The cyber-security control standard for Defence suppliers under CSMv4. |
| DEFCON | A Defence Condition – a standard contractual condition used in MOD contracts. DEFCON 658 concerns cyber. |
| DEFCON 658 | The Defence Condition that lays out contractual terms for the Cyber Security Model, including flow-down, records and audit. |
| Flow-down | The process of taking relevant Defence cyber and security requirements from a supplier into subcontractor agreements and onward tiers. |
| FSC | Facility Security Clearance. A clearance that may be relevant to certain Defence contracts and premises. It does not by itself settle cyber-assurance requirements. |
| Information classification | The HMG classification system: OFFICIAL, SECRET and TOP SECRET. OFFICIAL-SENSITIVE is a marking within OFFICIAL. |
| MFA | Multi-factor authentication. A control that requires more than one factor to authenticate to a system or service. |
| MOD | Ministry of Defence. |
| NCSC | National Cyber Security Centre, the UK’s national technical authority for cyber security. |
| OFFICIAL-SENSITIVE | A marking applied within the OFFICIAL classification tier, indicating a greater sensitivity and need for appropriate handling. |
| RAR | Risk Assessment Reference. The reference generated through the CSM process, provided to suppliers in connection with the relevant Cyber Risk Profile. |
| SAQ | Supplier Assurance Questionnaire. The questionnaire suppliers complete against the applicable Cyber Risk Profile through the Supplier Cyber Protection Service. |
| SAL | Security Aspects Letter. The project-specific contractual security document used where a supplier will access classified assets at OFFICIAL-SENSITIVE or above. |
| SCPS | Supplier Cyber Protection Service. The online service used for CSMv4 Risk Assessments and Supplier Assurance Questionnaires. |
| Secure by Design | MOD’s lifecycle approach to building security into information-based capabilities, including supply-chain management and through-life assurance. |
How We Can Help
Defence cyber security isn’t delivered through policies alone. It depends on the way people collaborate, how suppliers are onboarded, how information moves between organisations and whether the controls described in a contract can be sustained throughout delivery.
Logiq works with defence, government and highly regulated organisations to translate cyber requirements into practical operating models. From CSMv4 readiness and Defence Cyber Certification through to Secure by Design, secure collaboration and ongoing cyber assurance, we help organisations build approaches that are proportionate, evidence-led and workable in day-to-day delivery.
Whether you’re preparing for a new contract, improving supply chain assurance or looking to create a more secure environment for programme delivery, we can help you move from compliance activity to operational confidence.
Related reading
- MOD Secure by Design – A Practical Guide
- DISX Secure Collaboration
- DISX Isolate – for above OFFICIAL environments
- Secure by Design service page
- Cyber Security and Assurance
- OFFICIAL-SENSITIVE Information: What Happens Before and After Secure Sharing?
- OFFICIAL vs OFFICIAL-SENSITIVE: what defence suppliers need to know
- What is DEFCON 658? Cyber obligations for MOD suppliers
- Secure Collaboration and the Modern Defence Supply Chain
- Cyber Assurance in UK Defence Procurement
- Understanding the MOD’s Cyber Security Model v4
- CSMv4 Compliance: MOD Cyber Requirements Explained
- Preparing for DCC Evidence Requirements
- Delivering OFFICIAL and OFFICIAL-SENSITIVE Work in Practice
Source and citations
- MOD Cyber Security Model (CSMv4)
- Defence Standard 05-138 Issue 4: cyber security for defence suppliers
- ISN 2026/01: clarification to Cyber Security Model scope
- ISN 2026/02: using Defence Cyber Certification as assurance under DEFCON 658
- DEFCON 658: cyber flow-down
- ISN 2026/04: Security Aspects Letters and contractual security conditions
- Government Security Classifications Policy
- MOD Secure by Design requirements (ISN 2023/09)
- Government Secure by Design: overview
- Secure by Design Problem Book
- NCSC: Supply chain security guidance
- NCSC: Assessing and gaining confidence in supply-chain cyber security
- NCSC: Mapping your supply chain
- NCSC: Supplier assurance questions
- NCSC: Cyber Essentials overview
- NCSC: Cyber Essentials Supply Chain Playbook
- NCSC: 10 Steps to Cyber Security
- NCSC: Cyber Assessment Framework (CAF)
- NCSC CAF Objective A4: Supply Chain
- NCSC: Operational security guidance
- IASME: Defence Cyber Certification (DCC)
- Defence Cyber Protection Partnership
- Government Security: Contracting securely
- Government Cyber Security Policy Handbook: data security
- MOD Defence research security guidance
- MOD research project management checklist
- R-Cloud for suppliers
- Defence Cyber Resilience Strategy
- Government cyber security and resilience policy statement
Need practical support?
Whether you’re responding to a new MOD contract, preparing for CSMv4, strengthening supplier assurance or looking to improve secure collaboration, Logiq helps defence organisations turn cyber requirements into practical operating models.
