Working with the MOD
Since 1 January 2016, all MOD suppliers have been required to comply with Cabinet Office Procurement Policy Note 09/14. In practice this means you need Cyber Essentials certification if you want to win contracts that involve the transfer or generation of MOD Identifiable Information (MODII).
Winning MOD tenders
The MOD spends up to £20 billion on the procurement of goods and services each year. This amounts to 45% of overall central government spend, making the MOD the single biggest spending customer in the UK after the NHS.
When the MOD releases a new contract for tender, it identifies the level of cyber risk for each piece of work, and the organisation that wins the contract must demonstrate that it has the required controls in place. This extends to the supply chain: each subcontract let under the main contract is also subject to the same risk assessment, so the controls required flow down to every supplier handling the work.
A secure supply chain with cyber defences in place is more important to the MOD than ever before, which is why Cyber Essentials is the minimum level of certification an organisation needs in order to bid for new MOD contracts that involve MOD Identifiable Information (MODII).
Why you need Cyber Essentials to work with the MOD
As the threat of cyber attacks is ever increasing, the UK MOD created the Defence Cyber Protection Partnership (DCPP).
The DCPP is a joint MOD and industry initiative that was developed to improve the protection of the defence supply chain from cyber threats.
The DCPP has three principles, taken from the National Cyber Security Strategy:
• Understand the cyber risk
• Proportionate protection
• All suppliers adopt standards
The UK Government says this about the DCPP:
“The DCPP aims to protect our military capability by improving cyber defence through the MOD’s supply chain while preserving existing investment in cyber security measures.”
As part of this partnership, the MOD has created a number of cyber security standards, one of which is the Cyber Security Model (CSM). The CSM was created to manage and strengthen cyber security for the defence sector and its suppliers.
The CSM is also the DCPP’s response to the task of designing an appropriate and proportionate set of controls that build on the Government’s Cyber Essentials scheme.
The Cyber Risk Levels
The MOD has defined five cyber risk levels, listed here from lowest to highest, each of which maps to a required level of Cyber Essentials certification.
• Contracts with little to no cyber risk. No Cyber Essentials certification is needed for this risk level.
• Contracts facing a basic level of risk, such as phishing attacks or simple hacking attempts. Cyber Essentials certification is sufficient here.
• Contracts where threats are slightly more targeted and could involve semi-skilled attackers. Cyber Essentials Plus is required here.
• Contracts that could face more advanced and increasingly targeted threats, where attackers could gain access to critical assets. With these types of attack, the attacker is likely to be persistent, organised and skilled. Cyber Essentials Plus is required for this level.
• Contracts assessed as being subject to Advanced Persistent Threats (APTs). These attacks are organised, sophisticated, well resourced and persistent. Cyber Essentials Plus is required here.
Protect, promote, comply
Become eligible to work with the MOD by protecting your business against around 80% of common cyber attacks, and show your clients and industry partners that your organisation holds itself to a high standard of cyber security.
Organisations that achieve Cyber Essentials demonstrate they have considered and committed to strengthening their defences against common cyber threats.
If you haven’t already joined the Cyber Essentials scheme, then now is the time to do so.