Industry Supplier Guidance on DEFCON 658
The MOD has released an Industry Security Notice (ISN) with the purpose of informing suppliers to the MOD about DEFCON 658 (Cyber) and its implementation of the Cyber Security Model to ensure the protection of the defence supply chain from cyber threats.
The ISN provides guidance to organisations who are or wish to become suppliers to Defence about the Defence Cyber Protection Partnership (DCPP) and the Cyber Security Model (CSM).
From October 2017, all suppliers to Defence who bid for new contracts from the MOD need to abide by DEFCON 658 and show that they meet the cyber security standards mandated by the MOD. The Cyber Security Model aims to protect MOD Identifiable Information as it is passed down the supply chain, using a risk-based approach and Cyber Risk Profiles.
What is MOD Identifiable Information?
The definition of MOD Identifiable Information is:
“All Electronic Information (as defined in DEFCON 658) which is attributed to or could identify an existing or proposed MOD capability, Defence activities or personnel and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure.”
What is the Cyber Security Model?
The Cyber Security Model is the process by which the authority ensures that its requirements to protect MOD Identifiable Information from cyber-attack are implemented.
The model has three steps:
- a risk assessment
- a supplier assurance questionnaire
- a review by the purchasing authority of the submitted information
What is the Cyber Risk Profile?
This sets out the cyber protection measures required at each level of cyber risk.
If a contract is assessed as carrying a cyber risk of ‘Low’ then the applicant will need to comply with the measures set out in the ‘Low’ Profile. These requirements are progressive as one moves up the risk profiles.
The cyber risk profiles and their corresponding controls are:
- N/A – No action required, although the DCPP advises all suppliers to achieve Cyber Essentials as a minimum.
- Very Low – Cyber Essentials certification.
- Low – Cyber Essentials Plus certification.
- Moderate – All the requirements of ‘Low’ plus additional controls.
- High – All the requirements of ‘Moderate’ plus additional controls.
What is Cyber Essentials?
If the transfer, storage or access of MOD Identifiable Information takes place electronically as part of a contract, then the minimum cyber risk control required is a Cyber Essentials certificate.
Cyber Essentials is a standard established by the National Cyber Security Centre to provide protection from the most basic, yet common threats.
Certification to the Government’s Cyber Essentials Scheme is a mandatory requirement for organisations wishing to win business with the MOD, and can help your organisation prepare and defend itself against malicious cyber attacks, regardless of the sector you operate in.
The entire Industry Supplier Guidance on DEFCON 658 is available on our website, so you can familiarise yourself with the notice and be confident that you have all the important information your organisation needs on this subject.