The Ministry of Defence has released an Industry Security Notice (ISN) with the purpose of informing those who supply to the MOD about DEFCON 658 and its implementation of the Cyber Security Model (CSM) to ensure the protection of the defence supply chain from cyber threats.
The ISN provides guidance to organisations who are or wish to become suppliers to defence about the Defence Cyber Protection Partnership (DCPP), the CSM and Cyber Risk Profiles.
From October 2017, all suppliers to defence who bid for new contracts from the MOD need to abide by DEFCON 658 and show that they meet the cyber security standards mandated by the MOD. The Cyber Security Model aims to protect MOD identifiable information as it is passed down the supply chain, using a risk-based approach and Cyber Risk Profiles.
For further explanation, see our previous article on the subject, or download the ISN itself.
Cyber Risk Profiles
A Cyber Risk Profile sets out the cyber protection measures required at each level of cyber risk.
If a contract is assessed as carrying a cyber risk of ‘Low’ then the applicant will need to comply with the measures set out in the ‘Low’ profile. These requirements are progressive as one moves up the risk profiles.
The Cyber Risk Profiles and their corresponding controls are:
- N/A – No action required, although the DCPP advises all suppliers to achieve Cyber Essentials as a minimum.
- Very Low – Cyber Essentials certification.
- Low – Cyber Essentials Plus certification.
- Moderate – All the requirements of ‘Low’ plus additional controls.
- High – All the requirements of ‘Moderate’ plus additional controls.
N/A: For contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall into this category.
Very Low: For contracts where a basic threat is faced (ie simple hacking, phishing or spyware) and where any attacker is likely to be opportunistic, unskilled and non-persistent.
The sorts of contracts this will apply to are likely to be those covering commodity purchases or standard service provision, eg office supplies or the disposal of non-sensitive waste.
Low: For contracts where the threat may be slightly more targeted (ie involving spear phishing, whaling or ransomware and where attackers are semi-skilled but may not be persistent). It is likely to apply to contracts for basic parts or services but not where these could be linked to military capability.
This profile is likely to apply primarily to contracts handling information classified as OFFICIAL, but may also occasionally apply to those involving small quantities of OFFICIAL information which have the handling instruction.
Moderate: For contracts subject to more advanced threats that are tailored and targeted with the objective of gaining access to specific assets or enacting denial of service. The attacker is likely to be persistent, organised and either be skilled or have access to skills, eg cyber criminals and hacktivists.
This profile will likely apply to contracts that involve handling greater volumes of, or more sensitive, personal information and those involving quantities of OFFICIAL-SENSITIVE information.
High: For contracts assessed as being subject to Advanced Persistent Threats (APT), which may be sustained over long periods and exploited for months or years after the initial attack. Attackers will be organised, highly sophisticated, well resourced and persistent.
This profile will likely apply to contracts that are essential to support key military capability and those that are handling information classified as SECRET or above.
How DCI Cyber Essentials can help
The first step to keeping your organisation safe from cyber attack is to be certified with DCI Cyber Essentials. Certification to the Government’s Cyber Essentials Scheme is a mandatory requirement for organisations wishing to win business with the MOD, and can help your organisation prepare and defend itself against malicious cyber attacks, regardless of the sector you operate in.