What is DEFCON 658? Cyber obligations for MOD suppliers

DEFCON 658 is one of those terms that appear in MOD procurement and immediately send suppliers looking for a plain-English explanation. That is understandable. It is not a cyber framework in the usual sense. It is a defence condition (DEFCON): a contractual mechanism that brings cyber security obligations into MOD supplier relationships.

Where DEFCON 658 applies, cyber security is not simply a good practice activity or an internal IT concern. It becomes part of the contract. Suppliers need to understand the Cyber Risk Profile, complete the relevant assurance activity, maintain evidence, manage non-compliance, and flow appropriate requirements down to subcontractors.

That is why a lightweight reading of DEFCON 658 can cause problems. It is easy to see it as a clause that asks for a questionnaire. In practice, it connects contract obligations, the Cyber Security Model, Def Stan 05-138 Issue 4, supply chain flow-down and ongoing assurance.

What DEFCON 658 does

DEFCON 658 sets out cyber obligations for MOD suppliers and the way those obligations should be managed through the supply chain. GOV.UK describes the condition as applying to suppliers down the supply chain, with sections covering definitions, authority obligations, contractor obligations, management of subcontractors, records, audit and general provisions.

The supplier impact is straightforward enough to state, but harder to run well. If a contract involves MOD information and the condition applies, the supplier needs to show that the required cyber controls are understood, implemented or managed through an agreed improvement route. Where subcontractors are involved, relevant obligations need to be flowed down and monitored rather than left as an informal expectation.

How DEFCON 658 relates to CSMv4 and Def Stan 05-138

The easiest way to understand the relationship is to separate the roles of each part. DEFCON 658 is the contract condition. The Cyber Security Model is the assurance process used to assess and manage cyber risk for MOD contracts. Def Stan 05-138 Issue 4 specifies the cyber controls that defence suppliers are required to achieve at each of the four Cyber Risk Profile levels.

Under CSMv4, suppliers may be asked to work with a Cyber Risk Profile level and a Risk Assessment Reference. The supplier then completes the appropriate Supplier Assurance Questionnaire and must maintain their position over time. MOD guidance also reinstates annual contract maintenance, with suppliers completing a new SAQ on the anniversary of contract award, within the specified completion window.

For suppliers, the lesson is simple. DEFCON 658 is not something to park with legal and forget. It has operational consequences for delivery teams, IT, security, commercial, procurement and subcontractor management.

What suppliers commonly miss

The first missed point is flow-down. MOD guidance makes clear that suppliers are responsible for flow-down, and that DEFCON 658 contains the contractual obligations suppliers must place upon subcontractors. This matters because many defence programmes rely on multi-tier supply chains. A prime contractor cannot assume that its own SAQ is the end of the story if subcontractors are handling relevant information or delivering parts of the requirement.

The second missed point is evidence. Completing an SAQ is not the same as being able to evidence the operating reality behind it. Suppliers should expect to explain how controls work, who owns them, how exceptions are managed, and what happens when a control is not fully met. Where a supplier is non-compliant against the required control set, an agreed improvement plan may be needed.

The third missed point is that cyber obligations are not static. CSMv4 places greater emphasis on maintenance, annual review and ongoing visibility. A supplier that was comfortable under earlier expectations may still need to revisit its processes, evidence and supplier management approach.

A practical DEFCON 658 checklist for suppliers

  • Confirm whether DEFCON 658 is included in the contract and whether MOD Identifiable Information is involved.
  • Identify the relevant Cyber Risk Profile level and Risk Assessment Reference.
  • Complete the correct Supplier Assurance Questionnaire using the current CSMv4 process.
  • Map the required controls against real systems, processes and responsibilities.
  • Document any gaps and agree a credible improvement approach where needed.
  • Identify subcontractors who need relevant cyber obligations flowed down.
  • Keep records that show how controls are implemented and maintained.
  • Review the position annually and when programme, system or supplier arrangements change.

Why this is difficult in real delivery

The difficulty is not usually that suppliers are ignoring cyber security. More often, they are trying to interpret MOD requirements using fragmented systems, limited internal security resource and unclear contractual language. Cyber Essentials, Cyber Essentials Plus, ISO 27001, internal IT policies and supplier questionnaires can all help, but they do not remove the need to understand the specific obligations created by DEFCON 658 and CSMv4.

A supplier may also have a perfectly reasonable enterprise IT environment that is not well suited to MOD delivery. The challenge is to create a controlled way of working where sensitive information can be accessed, shared, monitored and evidenced without slowing delivery to a crawl.

How Logiq can help

Logiq supports defence suppliers with the practical side of MOD cyber assurance. That includes interpreting CSMv4 expectations, understanding control gaps, preparing evidence, designing proportionate secure operating models, and supporting Secure by Design activity where programmes need security built into delivery rather than bolted on afterwards.

Where suppliers need a secure working environment for sensitive collaboration, DISX Secure Collaboration provides a managed service designed around controlled access, governed collaboration, audit-ready logging, endpoint-aware security and the practical handling of sensitive information. It is particularly relevant where suppliers need to reduce the burden of building and operating their own secure collaboration environment.

A contractual gateway

DEFCON 658 is not just a clause to acknowledge. It is the contractual gateway into a wider cyber assurance process. For suppliers, the priority is to understand what the contract requires, what information is in scope, which controls apply, what evidence is needed, and how those obligations are managed through the supply chain.
