CSMv4 Compliance: MOD Cyber Requirements Explained

Article first published 07/10/2025 and updated 27/05/2026

CSMv4 Compliance – What MOD Suppliers Need to Do

CSMv4 is the current MOD Cyber Security Model (CSM) for supplier cyber assurance. It is built around Defence Standard 05-138 Issue 4 and DEFCON 658, with the aim of applying a more proportionate, risk-based and evidence-led approach across the defence supply chain.

CSMv4, underpinned by Defence Standard 05-138 Issue 4, applies to MOD contracts and subcontracts that contain DEFCON 658. Risk Assessments and Supplier Assurance Questionnaires are now managed through the Supplier Cyber Protection Service available via GOV.UK. This gives suppliers and MOD Delivery Teams a more consistent process for determining cyber risk, applying proportionate controls, and evidencing compliance throughout the contract lifecycle.

Under CSMv4, contracts are assessed against Cyber Risk Profiles, with controls and evidence expectations aligned to the level of cyber risk associated with the contract. This replaces the previous CSMv3 approach and brings supplier assurance into closer alignment with Defence Standard 05-138 Issue 4.

The interim guidance introduced in 2024 and 2025 helped projects continue while CSMv4 was being finalised, but it also created complexity. Different procurements and Delivery Teams could find themselves working through different transition arrangements. CSMv4 is intended to provide a more consistent and scalable assurance model across the defence supply chain, supported by online tooling and direct alignment to Defence Standard 05-138 Issue 4.

What’s changed for suppliers

  • Annual SAQ reviews are reinstated for existing contracts containing DEFCON 658. These take place on the contract’s anniversary date, with Delivery Teams notifying suppliers of any updated Cyber Risk Profile level and Risk Assessment Report in advance. MOD’s CSMv4 implementation notice (Industry Security Notice 2025/04) confirms this reinstatement.
  • New RA and SAQ tooling is now part of the CSMv4 process. MOD Delivery Teams complete Risk Assessments, which determine the applicable Cyber Risk Profile, while suppliers complete the relevant Supplier Assurance Questionnaire through the Supplier Cyber Protection Service.
  • Evidence expectations are higher. Suppliers need to demonstrate how they meet the relevant Defence Standard 05-138 controls. Policy statements alone are unlikely to be sufficient where practical implementation, technical assurance or operational evidence is required.
  • Alignment to Defence Standard 05-138 Issue 4 is required where DEFCON 658 applies. The standard sets out the cyber security controls required for each Cyber Risk Profile, and suppliers are contractually required to meet the relevant controls.
  • Transition flexibility applies. MOD project teams and Senior Responsible Owners are expected to account for enhanced organisational resilience requirements during FY 2025/26 when setting proportionate remediation timescales. This gives suppliers some room to address gaps, but it should not be treated as a reason to delay preparation.

Why this matters

CSMv4 and Defence Standard 05-138 Issue 4 establish a clearer framework for supplier cyber assurance across Defence. The emphasis is on organisational security and resilience, with Cyber Risk Profiles and proportionate control sets helping to determine what suppliers need to evidence.

For suppliers, that shift is significant. The number, depth and nature of control requirements may increase depending on the Cyber Risk Profile, and demonstrating compliance is not simply a paper exercise. It depends on structured governance, practical evidence, technical assurance and the ability to respond to audit, review and remediation requirements.

In practice, this may stretch smaller suppliers and test even mature cyber programmes. Understanding where your organisation stands, what evidence already exists, and what gaps remain against the relevant control set will be critical to maintaining eligibility for MOD contracts.

How to prepare ahead of go‑live

  • Access and familiarise yourself with the Supplier Cyber Protection Service on GOV.UK, including the submission process and required information.
  • Confirm the applicable Cyber Risk Profile and Risk Assessment Report with your MOD Delivery Team.
  • Review and update your Supplier Assurance Questionnaire against the relevant Defence Standard 05-138 Issue 4 controls.
  • Schedule annual SAQ reviews for contracts containing DEFCON 658.
  • Identify remediation needed to meet enhanced evidence and resilience requirements, and agree proportionate timelines with your Delivery Team where gaps exist.
  • Consider whether Defence Cyber Certification is appropriate for your organisation and contract profile.

Defence Cyber Certification and DEFCON 658

Defence Cyber Certification now provides a recognised route for demonstrating assurance at the appropriate level. MOD Industry Security Notice 2026/02 confirms that a supplier holding and maintaining valid certification at the appropriate DCC level may use that certification as assurance of control requirements under DEFCON 658.

This does not remove the need for suppliers to understand their responsibilities, maintain evidence, or manage cyber risk throughout the life of a contract. It does, however, make DCC an increasingly important part of the MOD supplier assurance picture.

For suppliers, the practical point is simple: evidence should not be treated as something to gather at the end. CSMv4 and DCC both strengthen the case for maintaining a live, organised and contract-relevant evidence base throughout delivery.

A step forward in defence cyber assurance

CSMv4 provides a more predictable and transparent assurance regime — one that shifts focus from documentation alone to demonstrable control maturity. It gives suppliers a clearer route for evidencing their security posture, enables Delivery Teams to make better-informed assurance decisions, and helps raise the resilience baseline across the defence ecosystem.

For many organisations, achieving this level of assurance requires more than good governance. It depends on having the right operating model, technical environment, evidence management and support arrangements in place.

Navigating those expectations takes time, expertise and a clear understanding of how the new control sets apply in context. That’s where Logiq’s team works alongside defence suppliers, helping interpret the standard, map responsibilities and build proportionate compliance roadmaps that can stand up to MOD scrutiny.

For some organisations, that means targeted advisory support to address governance or evidence gaps. For others, it may mean moving to an assured environment designed to support MOD supplier assurance from the outset.

Logiq’s DISX platform was designed to support secure collaboration and managed service delivery in defence and other regulated environments. As a defence-grade secure managed service, DISX provides a controlled technical environment where many of the security, monitoring, access control, resilience and governance measures expected under CSMv4 can be implemented, evidenced and maintained.

DISX supports key assurance objectives aligned with Defence Standard 05-138 Issue 4, including:

  1. Managing security risk: governance support, risk management, asset visibility and controlled operating processes across connected systems.
  2. Protecting against cyber-attack: multi-factor authentication, device management, endpoint encryption, privileged access controls and managed security measures.
  3. Detecting cyber events: continuous monitoring, logging, alerting and proactive security oversight.
  4. Minimising incident impact: resilient architecture, recovery processes and support for business continuity planning.

This gives organisations a stronger foundation for meeting MOD assurance expectations, particularly where they need to collaborate securely, protect sensitive information and maintain evidence of control effectiveness throughout the contract lifecycle.

For suppliers, the priority is understanding which Cyber Risk Profile applies, what evidence is needed, whether DCC certification is appropriate, and how cyber assurance will be maintained throughout the contract lifecycle.

For further guidance, or for help navigating these changes, please get in touch with our team of CSMv4 experts.

References:

  • Ministry of Defence, Industry Security Notice 2025/04: Implementation of CSM (v4) and revocation of interim measures in support of DEFCON 658, 3 October 2025.
  • Ministry of Defence, Cyber Security Model (CSM) Guidance, updated October 2025, gov.uk/guidance/cyber-security-model
  • Ministry of Defence, Defence Standard 05‑138 Issue 4: Cyber Security for Defence Suppliers.

About Logiq:

Logiq is an NCSC-assured cyber security consultancy and secure solutions provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.