23 Aug 2017

What is the Cyber Security Model?

The Cyber Security Model (CSM) is part of the Defence Cyber Protection Partnership (DCPP) which was set up by the Ministry of Defence (MOD) to manage and strengthen cyber security for the defence sector and its suppliers.

The model, which is a joint initiative between the MOD and industry, is in place to ensure that suppliers to the MOD are managing their cyber security risk appropriately, and that they are capable of protecting the MOD’s sensitive information.

The CSM is also the DCPP’s response to the task of designing an appropriate and proportionate set of controls to build on the Government’s Cyber Essentials scheme. Since January 2016, all suppliers dealing with contracts which include sensitive, MOD-identifiable information must be Cyber Essentials certified as a minimum.

However, some contracts carry an additional risk and require stricter security controls to be in place. The MOD felt that the Cyber Essentials scheme did not represent a broad enough degree of security because it only covered five major security controls and did not include wider aspects of cyber security such as governance and risk management, and this is why the CSM was introduced.

How does the Cyber Security Model work?

The Cyber Security Model is a three-stage process.

The first stage of the process is a cyber risk assessment of your organisation’s security. This is based on a questionnaire which will determine the level of risk and the complexity of the project.

The second stage of the assessment involves the contracting authority deciding on the appropriate level of cyber risk for a contract, and the supplier implementing the relevant controls to meet this level.

The third stage is a supplier assurance questionnaire, a self-assessment questionnaire which enables a supplier to demonstrate that they have the ability to meet the requirements needed for the contract.


What are the cyber risk levels?

There are five gradings of cyber risk levels, which are:


Not applicable

This is for contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall into this category.


Very Low

This level is for contracts where a basic threat is faced, such as a simple hacking or phishing attack, or where any attacker is likely to be opportunistic, unskilled and non-persistent.



This is for contracts where the threat may be slightly more targeted, and could involve spear phishing or ransomware attacks where attackers are semi-skilled but not persistent.



This level is for contracts which are subject to more advanced threats that are tailored and targeted, and whose objective is to gain access to specific assets or enact denial of service. With these types of attacks, the attacker is likely to be persistent, organised and skilled.



This level is for contracts assessed as being subject to Advanced Persistent Threats (APT) which may be sustained over long periods and not exploited for months or years after the initial attack. These attacks will be organisation, sophisticated, well resourced and persistent.


Get Cyber Essentials certified today

As a minimum, all defence suppliers must have the Cyber Essentials certification in place. Where risks are assessed as ‘low’ or higher, Cyber Essentials Plus is necessary. These controls represent the minimum that will be required. There may be occasions when additional controls will need to be implemented. In these circumstances, an MOD accreditor will work with you.

To find out more about becoming Cyber Essentials certified, click here.