CSMv4 Compliance: MOD Cyber Requirements Explained


CSMv4 Compliance – What MOD Suppliers Need to Do Before 3 November 2025


The Ministry of Defence announced through Industry Security Notice (ISN) 2025/04 that CSMv4 will take effect from 00:01 GMT on 3 November 2025, ending the interim period and reinstating the definitive CSM process in support of DEFCON 658.

From go-live, CSMv4, underpinned by Defence Standard 05-138 Issue 4, becomes the mandatory framework for cyber security assurance on MOD contracts and subcontracts that contain DEFCON 658. All Risk Assessments (RAs) and Supplier Assurance Questionnaires (SAQs) must be generated and submitted using the new online tooling available on gov.uk. This ensures every supplier, from major primes to SMEs, follows the same process for determining cyber risk, applying proportionate controls, and evidencing compliance throughout the contract lifecycle.

The interim guidance introduced in 2024 and 2025 kept projects moving while CSMv4 was being finalised, but it also created complexity. Different Delivery Teams operated slightly different interpretations, and many suppliers were juggling multiple assurance processes. CSMv4 ends that. By mandating the new online tooling and aligning the process directly to Defence Standard 05-138 Issue 4, the MOD has established one consistent approach that scales across every level of the supply chain.

What’s changed for suppliers

  • Annual SAQ reviews are reinstated for existing contracts containing DEFCON 658; they take place on the contract’s anniversary date, with Delivery Teams notifying suppliers of any updated RA level in advance.
  • New RA/SAQ tooling is mandatory for new activity. Interim RAs not yet advertised must be withdrawn and re‑raised using the new platform. Where a procurement was already advertised under an interim RA, MOD may either allow completion under the interim process or require a restart under a new RA, at MOD’s determination.
  • Evidence expectations are higher. Demonstrable proof of control effectiveness is required; policy statements alone are insufficient.
  • Alignment to Defence Standard 05‑138 Issue 4 is required; the current issue is available via gov.uk.
  • Transition flexibility applies: MOD project teams and Senior Responsible Owners will account for the enhanced organisational resilience requirements during FY 2025/26 when setting proportionate remediation timescales.

Why this matters

CSMv4 and Defence Standard 05‑138 Issue 4 establish a single, enforceable framework for supplier cyber assurance across Defence. The emphasis is on organisational security and resilience, with four Cyber Risk Profiles and proportionate control sets. By requiring annual reviews, continuous improvement and stronger evidence, the model moves assurance away from a snapshot‑in‑time towards an auditable, data‑led regime.

For suppliers, that shift is significant. The number and depth of control requirements have increased, and demonstrating evidence isn’t a paper exercise: it demands structured governance, verified technical assurance and the ability to respond quickly to audit and remediation requests. In practice, this will stretch smaller suppliers and test even mature cyber programmes. Understanding where your organisation stands, and what gaps exist against the new expectations, will be critical to maintaining eligibility for MOD contracts.

How to prepare ahead of go‑live

  • Access and familiarise yourself with the new CSM tooling on gov.uk; understand submission requirements and data fields.
  • Confirm your Risk Assessment (RA) level with your Delivery Team.
  • Review and update your Supplier Assurance Questionnaire (SAQ) against Defence Standard 05‑138 Issue 4 controls.
  • Schedule the annual SAQ review for each contract containing DEFCON 658.
  • Identify remediation needed to meet the enhanced evidence and resilience requirements, and agree proportionate timelines with your Delivery Team (particularly during FY 2025/26).

A step forward in defence cyber assurance

CSMv4 provides a predictable and transparent assurance regime — one that shifts focus from documentation to demonstrable control maturity. It gives suppliers a clearer path to evidencing their security posture, enables Delivery Teams to make evidence‑based decisions, and helps raise the resilience baseline across the defence ecosystem.

For many organisations, achieving this level of assurance requires more than good governance. It depends on having an infrastructure capable of maintaining compliance across every control objective defined in Defence Standard 05‑138 Issue 4.

Navigating those expectations takes time, expertise and a clear understanding of how the new control sets apply in context. That’s where Logiq’s team works alongside suppliers, helping interpret the standard, map responsibilities and build proportionate compliance roadmaps that stand up to MOD scrutiny. For some, that means targeted advisory support to address governance or evidence gaps; for others, it may mean moving to an assured environment designed for full alignment with CSMv4 from the outset.

Logiq’s DISX platform was designed for exactly that purpose. It’s a defence‑grade secure managed service that inherently aligns with CSMv4, providing a technical environment where control effectiveness can be demonstrated and sustained. DISX meets — and in many cases exceeds — the control requirements at Cyber Risk Profile Level 3 (‘Expert’), ensuring that sensitive MOD and partner data remains protected throughout its lifecycle.

By design, DISX integrates the measures needed to satisfy CSMv4’s four core objectives:

  1. Managing security risk: clear governance, risk management, and asset visibility across all connected systems.
  2. Protecting against cyber‑attack: multi‑factor authentication, device management, endpoint encryption, and privileged access controls built in.
  3. Detecting cyber events: continuous monitoring, log correlation, and proactive attack discovery embedded at the platform level.
  4. Minimising incident impact: resilient architecture, tested recovery processes, and integrated business continuity planning.

This embedded compliance means that organisations operating within DISX can focus on delivery, confident that their environment meets the assurance expectations of both CSMv4 and Defence Standard 05‑138 Issue 4. It is, in effect, a ready‑made foundation for suppliers seeking to achieve, and maintain, cyber resilience at the highest standard demanded by Defence.

For further guidance, or for help navigating these changes, please get in touch with our team of CSMv4 experts.


References:

Ministry of Defence, Industry Security Notice 2025/04: Implementation of CSM (v4) and revocation of interim measures in support of DEFCON 658, 3 October 2025.

Ministry of Defence, Cyber Security Model (CSM) Guidance, updated October 2025, gov.uk/guidance/cyber-security-model.

Ministry of Defence, Defence Standard 05‑138 Issue 4: Cyber Security for Defence Suppliers.

About Logiq:

Logiq is an NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.