Working with the MOD

Since 1 January 2016, all MOD suppliers are required to comply with the Cabinet Office Procurement Policy Note 09/04. This means that you need to have Cyber Essentials certification if you are looking to win contracts involving the transfer or generation of Ministry of Defence Identifiable Information (MODII).


Winning MOD tenders

The MOD spends up to £20 billion on the procurement of goods and services each year. This amounts to 45% of
overall central government spend, making the MOD the single biggest spending customer in the UK after the NHS.

When the MOD releases a new contract for tender, they identify the level of risk for each piece of work and the
organisation that wins the contract will need to demonstrate that they have the required controls in place. This also
includes the supply chain as each tender included in the supply chain will also be subject to the risk assessment.

Having a secure supply chain that has cyber defences in place is more important to the MOD than ever before –
which is why Cyber Essentials is the minimum level of certification an organisation needs to implement in order
to bid for new MOD contracts that involve Ministry of Defence Identifiable Information (MODII).

Why you need Cyber Essentials to work with the MOD

As the threat of cyber-attacks is ever increasing, the UK MOD created the Defence Cyber Protection Partnership (DCPP).

The DCPP is a joint MOD and industry initiative that was developed to improve the protection of the defence supply chain from cyber threats.

The DCPP has three principles, taken from the National Cyber Security Strategy:

• Understand the cyber risk
• Proportionate protection
• All suppliers adopt standards

The UK Government says this about the DCPP:

“The DCPP aims to protect our military capability by improving cyber defence through the MOD’s supply chain while preserving existing investment in cyber security measures.”

As part of this partnership, a number of cyber security standards have been created by the MOD, one of which is the Cyber Security Model (CSM). This was created to manage and strengthen cyber security for the defence sector and its suppliers.

The CSM is also the DCPP’s response to the task of designing an appropriate and proportionate set of controls to build on the Government’s Cyber Essentials scheme.

The Cyber Risk Levels

The MOD has created five gradings of cyber risk level that require certain levels of Cyber Essentials certification.


Not Applicable

This is for contracts that have little to no cyber risks. No Cyber Essentials certification is needed for this risk level.


Very Low

A basic risk level is faced here, such as a phishing attack or a simple hacking attempt. Only Cyber Essentials certification is required here.



Threats are slightly more targeted at this level, and could involve semi-skilled attackers. Cyber Essentials Plus is required here.



This level is for contracts that could face more advanced threats that are becoming more targeted. Attackers could gain access to critical assets. With these types of attacks, the attacker is likely to be persistent, organised and skilled. Cyber Essentials Plus is required for this level.



This level is for contracts assessed as being subject to Advanced Persistent Threats (APT). These attacks will be organised, sophisticated, well resourced and persistent. Cyber Essentials Plus is required here.

Protect, promote, comply

Be eligible to work with the MOD by protecting your business from 80% of common cyber attacks, and promote to your clients and industry partners that your organisation holds itself to a high standard of cyber security.

Organisations that achieve Cyber Essentials demonstrate they have considered and committed to strengthening their defences against common cyber threats.

If you haven’t already joined the Cyber Essentials scheme, then now is the time to do so.

Ready to Find and Win More MOD Tenders?


Our sister brand, Supply2Defence, gets its data from the UK and ROI’s largest database of contracts and awards covering the MOD, blue light and civil buyers across public sector procurement.

Supply2Defence’s dedicated research team finds the latest opportunities from more than 3,000 sources, including low-value tenders that don’t appear in the OJEU, publishing more contracts and awards than anywhere else!

Supply2Defence provides free access to all UK MOD and blue light notices and awards as standard.