Industry Supplier Guidance on DEFCON 658


The MOD has released an Industry Security Notice (ISN) with the purpose of informing suppliers to the MOD about DEFCON 658 (Cyber) and its implementation of the Cyber Security Model to ensure the protection of the defence supply chain from cyber threats.

The ISN provides guidance to organisations who are or wish to become suppliers to Defence about the Defence Cyber Protection Partnership (DCPP) and the Cyber Security Model (CSM).

From October 2017, all suppliers to Defence who bid for new contracts from the MOD need to abide by DEFCON 658 and show that they meet the cyber security standards mandated by the MOD. The Cyber Security Model aims to protect MOD Identifiable Information as it is passed down the supply chain, using a risk-based approach and Cyber Risk Profiles.


What is MOD Identifiable Information?

The definition of MOD Identifiable Information is:

“All Electronic Information (as defined in DEFCON 658) which is attributed to or could identify an existing or proposed MOD capability, Defence activities or personnel and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure.”


What is the Cyber Security Model?

The Cyber Security Model is the process by which the authority ensures that its requirements to protect MOD Identifiable Information from cyber-attack are implemented.

The model has three steps:

  • a risk assessment
  • a supplier assurance questionnaire
  • a review by the purchasing authority of the submitted information


What is the Cyber Risk Profile?

This sets out the cyber protection measures required at each level of cyber risk.

If a contract is assessed as carrying a cyber risk of ‘Low’ then the applicant will need to comply with the measures set out in the ‘Low’ Profile. These requirements are progressive as one moves up the risk profiles.

The cyber risk profiles and their corresponding controls are:

  • N/A – No action required, although the DCPP advises all suppliers to achieve Cyber Essentials as a minimum.
  • Very Low – Cyber Essentials certification.
  • Low – Cyber Essentials Plus certification.
  • Moderate – All the requirements of ‘Low’ plus additional controls.
  • High – All the requirements of ‘Moderate’ plus additional controls.


What is Cyber Essentials?

If the transfer, storage or access of MOD Identifiable Information takes place electronically as part of a contract, then the minimum cyber risk control required is a Cyber Essentials certificate.

Cyber Essentials is a standard established by the National Cyber Security Centre to provide protection from the most basic, yet common threats.

Certification to the Government’s Cyber Essentials Scheme is a mandatory requirement for organisations wishing to win business with the MOD, and can help your organisation prepare and defend itself against malicious cyber attacks, regardless of the sector you operate in.

You can sign up for Cyber Essentials and start your certification today.


Further Reading

The entire Industry Supplier Guidance on DEFCON 658 is available on our website, so you can familiarise yourself with the notice and be confident that you have all the important information your organisation needs on this subject.

The ISN can be downloaded here.


Who are we?

From publishing the first national directory of public sector contracts, to being the first to market with our online Tracker solution, we have been the true pioneers of technology and innovation in the public sector marketplace. Throughout our 39 years, we have continued to evolve and chart new territory – placing our customers at the heart of everything we do. Take your business to the next level with Tracker now.
