MOD Suppliers – the new Cyber Essentials requirements explained

For suppliers to the MOD, change is coming. The planned roll-out of CSM in August of 2016 has been delayed. We are now expecting the Cyber Security Model (CSM) to be rolled out to large suppliers from January 2017, with a full launch by April. FATS (a commercial MOD framework) will also go live in April and is expected to include the contractual aspects of CSM.

To be compliant with the requirements of the CSM, the MOD supply chain will need Cyber Essentials or Cyber Essentials Plus certification and will need to have information security governance policies in place.

Ascentor strongly recommends that defence industry companies prepare for CSM by gaining certification to Cyber Essentials in advance, so they are ready to respond to the new contract requirements. In our experience, the larger the business, the more complex and time-consuming the process. Don’t delay and put future contracts at risk.

For assistance on any aspect of CSM or Cyber Essentials, please contact Dave James at Ascentor [email protected]

The following article will tell you more about the CSM.

For suppliers to the MOD bidding for new contracts advertised from January 1st 2016 – there is a new MOD requirement you’ll need to know.

Check to see if the contract involves the transfer of MOD identifiable information from customer to supplier, or the generation of information by a supplier specifically in support of the MOD contract.

If the answer is yes, you and any subcontractors must have achieved Cyber Essentials certification by the contract start date.

Cyber Essentials certification will become a baseline requirement for companies in the UK defence supply chain – suppliers are strongly encouraged to start working towards it.

Defence Cyber Protection Partnership (DCPP)

What has brought this about?

As part of the MOD commitment to ensuring it and its suppliers are protected against cyber security threats, it has been working with industry and other Government departments in the Defence Cyber Protection Partnership (DCPP) to develop a proportionate means of achieving this.

As a first step ahead of the forthcoming Cyber Security Defence Model (CSM), which is expected to apply to all new Defence contracts from Q2 2016, the MOD has announced that it will be implementing the Government’s Cyber Essentials Scheme through a compliance question in its supplier selection Pre-Qualification Questionnaire.

The exact wording from the MOD is as follows:

For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.

What is Cyber Essentials?

Cyber Essentials is not new. First launched in June 2014, it is a set of measures that all organisations should implement to protect against basic cyber threats on the internet. Holding Cyber Essentials certification has already been a mandatory requirement for suppliers to Government on certain types of contracts.

The MOD had an initial exemption from Cyber Essentials when it was first launched because it was developing its more extensive CSM model, but it has now decided that Cyber Essentials is the first step for all suppliers where there is an exchange of information.

Why you should have it anyway

The reality is that, unless your particular contract doesn’t contain any MOD information, your organisation is going to need Cyber Essentials certification to do business with the MOD. Besides which, obtaining Cyber Essentials is good practice – it is a security standard that will protect your business from cyber threats and you’ll also gain valuable certification.

A bulletin released by Defence Contracts Online in December 2015 stated that by implementing the basic Cyber controls required of the Government’s Cyber Essentials scheme, businesses will protect their information assets from almost 80 per cent of Cyber threats.

Cyber Essentials and the Cyber Security Model (CSM)

In advance of the launch of the Cyber Security Model (CSM), the MOD suggests suppliers may wish to commence the process of achieving Cyber Essentials Scheme certification. Cyber Essentials is available at two levels: CES and CES Plus. CES will be the sole measure required for Very Low risk contracts; for anything carrying a greater risk the baseline will be CES Plus.

How do you achieve Cyber Essentials and what does it cost?

Full details of Cyber Essentials and Cyber Essentials Plus can be found in Ascentor’s Guide to Cyber Essentials, which is available as a free download.

Cyber Essentials certification is achievable through an official certifying body and prices start from £300. Ascentor was selected by IASME as the first licensed external assessor of its Cyber Essentials assessment process and can partner with your organisation to ensure you meet this security management standard.

For details about the various routes to certification offered by Ascentor, please see Cyber Essentials Certification with Expert Support.

There’s an additional advantage in achieving certification via Ascentor and IASME. When an organisation with a turnover under £20 million achieves self-assessed certification covering their whole organisation to the basic level of Cyber Essentials, they are automatically awarded Cyber Liability Insurance.

For further information

To arrange a chat with our qualified Cyber Essentials assessors to discuss the merits of the various Cyber Essentials options, please call 01452 881712 or email [email protected]
