CSMv4 – Building Cyber Security into the Defence Supply Chain


Preparing MOD Suppliers for CSMv4 Readiness

This article reflects guidance as at 25 July 2025. For the latest updates, visit the MOD Cyber Security Model page on gov.uk.

Back in January, we explored what CSMv4 means for the defence supply chain and why it represents a significant evolution from CSMv3. With the publication of Def Stan 05‑138 Issue 4, attention is shifting from understanding the model to taking practical steps to prepare. This article looks at what suppliers should be doing now.

The Ministry of Defence’s Cyber Security Model (CSM) is undergoing a major evolution. MOD’s guidance confirms that CSMv4 is under development with a phased transition planned; organisations should continue to apply CSMv3 until rollout arrangements are communicated.

With the publication of Defence Standard 05‑138 Issue 4 (released “for information” ahead of rollout), CSMv4 introduces significant changes that will affect organisations across the defence supply chain — from primes to micro‑SMEs. While the full rollout date for CSMv4 has not been announced, MOD has stated there will be a phased transition. Suppliers should prepare now so they are ready when procurement transitions to CSMv4.

From CSMv3 to CSMv4: A Step Change in Scope

Under CSMv3, cyber risk is managed through Cyber Risk Profiles focused on protecting electronic “MOD Identifiable Information” within systems and services used on a contract. CSMv4 takes a much broader view. The new Def Stan 05‑138 Issue 4 makes clear that risk assessment now considers the entire organisational environment, not just a project or contract boundary.

This means enterprise‑wide controls are now in scope. Security policies, training, governance, and technical measures must be applied across the business, rather than being restricted to a single network segment or project team. Four new Cyber Risk Profiles, Levels 0 to 3, replace the previous “Very Low” to “High” model, and evidence expectations have risen sharply: organisations must now prove that controls are in place and effective. There is also a stronger emphasis on resilience, business continuity, incident response, and supply‑chain risk management.

Snapshot: CSMv4 Cyber Risk Profiles

Level   | Focus                  | Typical Requirements
Level 0 | Baseline cyber hygiene | Policies, patching, AV/EDR, user awareness training
Level 1 | Enhanced assurance     | Documented risk management, access control, monitoring, supplier assurance
Level 2 | High assurance         | Independent review, formal incident response and continuity planning, stronger technical controls
Level 3 | Mission-critical       | Comprehensive, externally assured controls, advanced monitoring, mature security management system

For many suppliers, particularly SMEs, this represents a shift from one‑off compliance exercises to continuous, auditable cyber resilience across the enterprise.

The Link to Defence Cyber Certification (DCC)

Running alongside CSMv4 is the Defence Cyber Certification (DCC) scheme, created by MOD in partnership with IASME. DCC is described by MOD as a crucial element of CSMv4 and provides a formal third‑party certification route aligned to the new risk profiles. In addition to completing Supplier Assurance Questionnaires, suppliers will have access to an independent certification route via IASME‑licensed Certification Bodies. This will raise confidence in the assurance process and is likely to become an important differentiator in contract competitions.

Steps for Readiness

While MOD has not yet published the transition timetable, suppliers should not wait. Early preparation will reduce the risk of contract delays or disqualification once enforcement begins.

The first step is to understand which Cyber Risk Profile is likely to apply to your work. Level 0 will apply to all suppliers as a minimum, while Levels 1–3 introduce progressively more demanding controls covering monitoring, incident management, and assurance. Once you have identified your likely level, perform a gap analysis to compare your current security posture against the requirements. This should cover policy coverage, technical measures such as patching and logging, organisational processes including risk assessments and training, and whether you can evidence that controls are effective.

Any gaps should be captured in a Cyber Implementation Plan (CIP) that sets out how and when they will be addressed. MOD encourages suppliers to submit a CIP as part of the assurance process, demonstrating a clear trajectory toward compliance. At the same time, consider your position in the supply chain. Primes will be expected to ensure their subcontractors meet the required level, so even lower‑tier suppliers should anticipate requests for evidence. Engaging early with supply‑chain partners and flowing down requirements will prevent last‑minute surprises.

Preparing for independent assessment is also key. Begin gathering the artefacts you would need for SAQ submissions and, if appropriate, a DCC audit. This includes policies, network diagrams, risk assessments, incident response plans, training records, and evidence showing controls are operating as intended. A readiness review or mock audit can help uncover weaknesses before formal certification.

Finally, involve stakeholders across the business. Compliance with CSMv4 is not solely an IT responsibility: procurement, HR, operations, and senior leadership must all contribute. Make sure responsibilities are clearly defined and that your Board understands the commercial implications of non‑compliance.

Key Challenges and Considerations

For many suppliers, the biggest challenge will be producing sufficient evidence to show that controls are not only present but effective. This may require investment in monitoring tools, better documentation, and more robust staff training. Budget pressures also need to be considered: compliance at Levels 2 or 3 can be resource‑intensive. Starting early allows organisations to spread investment and avoid last‑minute spikes in spending. Cultural change will be just as important as technology. Shifting from a “tick‑box” approach to one of continuous security improvement takes time and commitment, so senior leadership buy‑in is essential.

A Call to Action for the Supply Chain

CSMv4 is more than a paperwork exercise. It marks a deliberate move towards a resilient and secure defence ecosystem. Suppliers who act now will not only minimise disruption when the new model is enforced but also strengthen their position in the market. MOD’s direction of travel is clear: higher assurance, more rigorous evidence, and a focus on organisation‑wide security maturity. By taking early action, understanding requirements, closing gaps, and planning for DCC certification, suppliers can demonstrate that they are ready to protect the information and systems that underpin national defence.


About Logiq:

Logiq is an NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.