Navigating MOD Cyber Compliance in 2025

In the UK defence sector, cyber security is no longer treated as a peripheral concern; it is central to procurement policy, and the risks of compromise are too great to be left to interpretation. At the heart of the Ministry of Defence (MOD) expectations sits Defence Standard (Def Stan) 05-138, a detailed standard that defines the cyber security controls required for any supplier handling MOD Identifiable Information (MODII).

Now at Issue 4 (14 May 2024), Defence Standard 05-138 serves as the foundational framework that underpins cyber compliance across the defence supply chain, covering a comprehensive range of requirements across organisational and technical domains. These include access management, encryption, incident response, vulnerability management, governance, and ongoing staff training. Crucially, however, the standard is risk-based, scaling in complexity depending on the sensitivity of the data involved and the potential operational impact of compromise.

Following Industry Security Notice 2025/04 (ISN 2025/04), issued on 3 October 2025, the Ministry of Defence has reinstated the full Cyber Security Model (CSM) process. From 3 November 2025, all MOD contracts containing DEFCON 658 must comply with Defence Standard 05-138 Issue 4 (14 May 2024). Delivery Teams complete a Risk Assessment (RA) to assign a Cyber Risk Profile (CRP0–CRP3), while suppliers complete the corresponding Supplier Assurance Questionnaire (SAQ) using the MOD’s CSM tooling. This process ensures consistent, evidence-based assurance across the supply chain, replacing self-assessed interpretations with verifiable compliance.

The CSM’s tiered approach means that higher-risk programmes, such as those involving defence platforms, secure communications, or classified environments, carry stricter control requirements. Conversely, lower-risk contracts benefit from proportionate and achievable expectations.

The Role of DEFCON 658

Defence Standard 05-138 isn’t just a guidance document; it becomes a contractual obligation when referenced via DEFCON 658, a standard clause used in MOD contracts. When DEFCON 658 is included, it mandates that all suppliers, and their subcontractors, comply with the relevant cyber security controls from Defence Standard 05-138, based on the classification of information exchanged.

This contractual linkage is how the MOD ensures that cyber risk is managed consistently across multi-tiered supply chains. It eliminates ambiguity and places a clear onus on suppliers to put appropriate technical, procedural, and cultural controls in place from the outset. Failure to comply is not simply a matter of internal risk; it can affect contractual eligibility, supplier reputation, and future access to defence tenders.

More on DEFCON 658: https://www.logiq.co.uk/news-insights/defcon-658-securing-the-defence-supply-chain/

CSMv4 and Cyber Risk Profiles

Cyber Risk Profiles (CRP0–CRP3) range from basic to expert levels of assurance, scaling in complexity according to the nature of information handled and the potential operational impact of compromise.

Suppliers can no longer self-determine which controls are relevant without MOD oversight. The MOD Delivery Team performs the Risk Assessment (RA) and assigns a Cyber Risk Profile (CRP0–CRP3). Suppliers must then meet those controls or provide a credible Cyber Implementation Plan (CIP).

While the control content of Defence Standard 05-138 hasn’t changed fundamentally, the structure around it has. Each CRP now corresponds to a defined set of control outcomes, enabling a more predictable and consistent approach to assurance, particularly across complex programmes with multiple subcontractors.

Cyber Essentials certification is expected wherever MOD-Identifiable Information (MODII) is handled, and Cyber Essentials Plus is frequently required for higher-risk profiles (e.g., CRP2–CRP3). These schemes are designed to complement rather than replace the control framework defined within Defence Standard 05-138 Issue 4. They provide a practical demonstration of baseline cyber hygiene, which strengthens the evidence base for Supplier Assurance Questionnaires (SAQs). Always refer to the Delivery Team guidance for confirmation of specific certification requirements.

For more information and guidance on CSMv4, read our previous articles:

https://www.logiq.co.uk/news-insights/understanding-mod-cyber-security-model-v4/

https://www.logiq.co.uk/news-insights/csmv4-defence-supply-chain-cybersecurity/

https://www.logiq.co.uk/news-insights/csmv4-compliance-mod-cyber-requirements/

From Implementation to Proof: The Emergence of DCC

To strengthen assurance across the defence supply chain, the MOD and IASME Consortium have introduced the Defence Cyber Certification (DCC) scheme — a formal, third-party assessment aligned to Defence Standard 05-138 Issue 4. Publicly launched in mid-2025, DCC verifies not only that controls exist but that they’re effective in practice. Certification is valid for three years and subject to annual attestations.

Although DCC is not yet mandatory, it is fast becoming expected wherever MOD-Identifiable Information is shared between organisations. Suppliers that cannot evidence independent certification may find themselves at a competitive disadvantage.

Logiq has achieved DCC Level 0 certification, demonstrating early adoption and proactive alignment with MOD expectations.

Learn more about DCC: https://www.logiq.co.uk/news-insights/defence-cyber-certification-risk-profiles-real-assurance/

What Does All This Mean for Suppliers?

It’s not just about ticking boxes; suppliers are now expected to implement controls to a defined standard, at the right level, and to be able to prove that those controls are both appropriate and effective.

This introduces several new realities for suppliers:

  • They need to understand their assigned CRP and what it means in practical terms.
  • They must conduct internal gap analysis against Defence Standard 05-138 Issue 4 to identify where current practices fall short.
  • They should have documented implementation plans (Cyber Implementation Plans or CIPs) where full compliance is not yet in place.
  • And increasingly, they must be prepared to undergo independent audit and certification to remain contractually viable.

For SMEs or organisations without a dedicated cyber team, this can represent a significant operational and resource burden. But this is where managed services and expert-led platforms can provide much-needed support.

How DISX Supports CRP3-Level Cyber Assurance

DISX, Logiq’s secure managed workspace, has been developed to directly support organisations working at the highest levels of MOD assurance. Aligned to Cyber Risk Profile 3, DISX implements key technical controls referenced in Defence Standard 05-138, including secure identity and access management, full device encryption, patch and configuration management, endpoint protection, and audit-ready monitoring and logging.

What sets DISX apart is that these controls aren’t just implemented; they’re continuously monitored and backed by structured operational evidence. This gives suppliers the practical tools and data they need to demonstrate compliance during a DCC assessment. For many, this removes the need to build these capabilities internally, accelerating time to certification while reducing internal cost and complexity.

Importantly, DISX is not pitched as a shortcut or exemption from MOD standards. Rather, it offers a ready-made environment that aligns with the MOD’s expectations, making it easier for suppliers to meet their obligations and demonstrate assurance.

From Standards to Strategy

Defence Standard 05-138 remains the primary cyber standard for UK defence suppliers, but it’s now part of a broader assurance ecosystem that includes contractual enforcement, structured risk profiling, and formal certification.

Suppliers that view cyber security as a living, operational function and not just a paper exercise will be best placed to navigate this new landscape. Understanding your CRP, preparing for DCC, and implementing proportionate controls from the outset is no longer optional if you want to win and retain defence work.

With the right planning, expert support, and platforms like DISX, compliance becomes more than a requirement; it becomes a strategic differentiator.

References:

For authoritative guidance, see Defence Standard 05-138 Issue 4 and ISN 2025/04 on gov.uk.

About Logiq:

Logiq is a NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.