As of 1 January 2016, all suppliers bidding for MOD contracts that include the exchange of ‘MOD identifiable information’ have to adopt the Cyber Essentials scheme by the contract start date as a basic step to demonstrate their cyber security.
The DCPP and CSM in short
The Defence Cyber Protection Partnership (DCPP), responsible for protecting the supply chain from cyber crime, now requires the adoption of security controls based on the Cyber Security Model (CSM) cyber risk profile. The CSM comprises three elements: a risk assessment process, a set of cyber assurance profiles and a supplier assurance questionnaire.
The risk assessment process
This process identifies the level of cyber risk a supplier is exposed to, using a series of questions related to the contract, and is conducted by the contracting authority – usually the MOD. Based on the outcome, the CSM establishes the cyber protection measures that the supplier needs to take.
The cyber assurance profiles and the supplier assurance questionnaire
There are five possible outcomes from the risk assessment; apart from the ‘not applicable’ result, each requires Cyber Essentials or Cyber Essentials Plus as the security measure:
- Not applicable (in a small number of cases)
1. Very low – Cyber Essentials
2. Low – Cyber Essentials Plus
3. Moderate – Cyber Essentials Plus
4. High – Cyber Essentials Plus
The supplier assurance questionnaire measures the supplier’s ability to comply with the required measures.
Cyber Essentials grants basic protection
As Richard Jefferys, Defence Commercial Head of Policy at Process and Procedures (P3), recently said: “CES certification will become the baseline requirement for companies in the UK defence supply chain. Suppliers are strongly encouraged to start working towards achieving it.”
Achieve Cyber Essentials certification with us
IT Governance has tailored three packaged solutions to help you achieve Cyber Essentials or Cyber Essentials Plus certification at your own pace while meeting your needs and budget. Because IT Governance is a CREST-accredited certification body, you will benefit from an external vulnerability scan of your network and applications in addition to the certification service.