What is the Cyber Security Model?

The Cyber Security Model (CSM) is part of the Defence Cyber Protection Partnership (DCPP) which was set up by the Ministry of Defence (MOD) to manage and strengthen cyber security for the defence sector and its suppliers.

The model, which is a joint initiative between the MOD and industry, is in place to ensure that suppliers to the MOD are managing their cyber security risk appropriately, and that they are capable of protecting the MOD’s sensitive information.

The CSM is also the DCPP’s response to the task of designing an appropriate and proportionate set of controls to build on the Government’s Cyber Essentials scheme. Since January 2016, all suppliers dealing with contracts which include sensitive, MOD-identifiable information must be Cyber Essentials certified as a minimum.

However, some contracts carry an additional risk and require stricter security controls to be in place. The MOD felt that the Cyber Essentials scheme did not represent a broad enough degree of security because it only covered five major security controls and did not include wider aspects of cyber security such as governance and risk management, and this is why the CSM was introduced.

How does the Cyber Security Model work?

The Cyber Security Model is a three-stage process.

The first stage of the process is a cyber risk assessment of your organisation’s security. This is based on a questionnaire which will determine the level of risk and the complexity of the project.

The second stage of the assessment involves the contracting authority deciding on the appropriate level of cyber risk for a contract, and the supplier implementing the relevant controls to meet this level.

The third stage is a supplier assurance questionnaire, a self-assessment questionnaire which enables a supplier to demonstrate that they have the ability to meet the requirements needed for the contract.


What are the cyber risk levels?

There are five gradings of cyber risk levels, which are:


Not applicable

This is for contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall into this category.


Very Low

This level is for contracts where a basic threat is faced, such as a simple hacking or phishing attack, or where any attacker is likely to be opportunistic, unskilled and non-persistent.



This is for contracts where the threat may be slightly more targeted, and could involve spear phishing or ransomware attacks where attackers are semi-skilled but not persistent.



This level is for contracts which are subject to more advanced threats that are tailored and targeted, and whose objective is to gain access to specific assets or enact denial of service. With these types of attacks, the attacker is likely to be persistent, organised and skilled.



This level is for contracts assessed as being subject to Advanced Persistent Threats (APT) which may be sustained over long periods and not exploited for months or years after the initial attack. These attacks will be organisation, sophisticated, well resourced and persistent.


Get Cyber Essentials certified today

As a minimum, all defence suppliers must have the Cyber Essentials certification in place. Where risks are assessed as ‘low’ or higher, Cyber Essentials Plus is necessary. These controls represent the minimum that will be required. There may be occasions when additional controls will need to be implemented. In these circumstances, an MOD accreditor will work with you.

To find out more about becoming Cyber Essentials certified, click here.


Who are we?

From publishing the first national directory of public sector contracts, to being the first to market with our online Tracker solution, we have been the true pioneers of technology and innovation in the public sector marketplace. Throughout our 39 years, we have continued to evolve and chart new territory – placing our customers at the heart of everything we do. Take your business to the next level with Tracker now.

If you request a demo today!

Download your Free UK Defence Industry Report

Get SAAS-Y This Summer with DCI

Start Your Free Trial Today

Download your Free UK Defence Industry Report

Download your Free UK Defence Industry Report

When you sign up for a 3 day free trial or demo.

Limited time only

    BiP Solutions owns DCI and we look after your details carefully. We offer a range of products, services and events (some of which are free) that help buyers tender more efficiently and suppliers find, bid for and win public and private sector contracts. Only tick this box if you wish to receive information about these. We will never share your details with third parties and you will have the opportunity of opting out of communications every time we contact you. For further details, please see our Privacy Policy