Four Steps to Demystifying MOD Security Expectations for Industry (Sponsored Whitepaper)
This article is brought to you by CDS DS.
Although cyber is probably the most prominent in people’s minds and often understandably grabs the headlines, security is about the physical, personnel, procedural and technical controls needed to minimise security risks. It is not simply a tick-box exercise!
Cyber espionage presents an omnipresent threat to the defence sector and national security at large, enabling intelligence gathering, stealing of intellectual property, virtual and physical sabotage, and could even lead to loss of life. Cyber criminals seek to elicit money via technology-enabled fraudulent activities or holding companies to ransom by denying them access to their business-critical information, leading to financial loss and reputational damage.
Employees and anyone with authorised access to premises, technology and information can either accidentally or deliberately cause security incidents. This could lead to embarrassing data breaches and significant down-time of your business operations, resulting in legal penalties under the Official Secrets Act, Computer Misuse Act or data privacy legislation for example.
The last 5 years alone have seen many global defence suppliers suffer a breach by state-backed cyber threats. Sensitive data has been breached by compromising vulnerable technology systems. It really does continue to be a case of when, not if security incidents occur.
The MOD publishes lots of great information and offers help and guidance to suppliers, communicating applicable security expectations and requirements. This is usually done via bid and contract processes, but it can (and often does) get lost in the noise, or its importance is under-played in the desire to win and deliver work.
Suppliers simply want to do the right thing but struggle to understand and implement the MOD’s security expectations logically, pragmatically and in a cost-effective way.— CDS Defence & Security
Unfortunately, security expectations can be omitted from those processes too, leaving suppliers exposed to the prospect of unbudgeted cost and unexpected requirements. More regularly, suppliers simply want to do the right thing but struggle to understand and implement the MOD’s security expectations logically, pragmatically and in a cost-effective way.
If you are new to the defence sector, it is a real challenge knowing where to start. Even if you’ve been in the sector for a while, more robust security expectations can still catch you by surprise, especially if you suddenly need to handle information and assets at higher classifications.
The Four Steps
Taking a 4-step approach to understanding and meeting the MOD’s security expectations will help you understand what you need to do. What you need to do depends on the classification and sensitivity of the information and assets you need to store, handle and process. Above all, remember the fundamental MOD expectation of a risk-based approach to security. For easy reference:
- Steps 1 and 2 are applicable to ALL MOD Suppliers. Everyone will need to handle MOD Identifiable Information (MII) and information classified as OFFICIAL.
- Step 3 is applicable to MANY MOD Suppliers. Those with a requirement to store, handle and process information classified as OFFICIAL with the SENSITIVE handling caveat (OFFICIAL-SENSITIVE (O-S)).
- Step 4 is applicable to SOME MOD Suppliers. Those with a requirement to store, handle and process information classified at SECRET (or above).
Step 1 – Understand and mitigate your security risks: Applicable to all MOD Suppliers
Carry out formal physical and technical security risk assessments in line with the sensitivity and classification of the information and assets you are required to handle, store, process or produce. This will help you to identify and implement proportionate security controls (including but not limited to those expected by the MOD contractually) and demonstrate you have minimised security risk when audited by the MOD.
Review, maintain and update your security risk assessments regularly. If you’ve already done this – consider conducting gap analysis exercises against your controls and those expected by the MOD, mapping to them as needed.
Step 2 – Security of MOD Identifiable Information: Required by all MOD Suppliers
All defence suppliers will store, handle and process sensitive MOD Identifiable Information (MII) by default and as defined by the MOD’s Defence Cyber Protection Partnership’s (DCPP) Cyber Security Model (CSM). The DCPP CSM security expectations are not just contractual obligations for defence primes. The MOD contracts primes to flow down and contractually oblige all their sub-contractors using the DCPP CSM scheme.
Defence suppliers must be security risk assessed by their contracting bodies using the MODs Octavian online portal when available (note: manual processes have been in place for this recently). Depending on the calculated risk profile level, which will be Very Low, Low, Moderate or High, various security controls are required. The number and complexity of security controls increases in line with the assessed risk profile level.
Among those controls, you will be expected to achieve at least Cyber Essentials Basic or more likely Cyber Essentials Plus. The MOD also conducts audits to ensure that defence suppliers meet the DCPP CSM security control requirements. Anyone with access to MII requires security vetting in line with the Baseline Personnel Security Standard (BPSS) as a minimum.
Step 3 – Security of O-S Information and Assets: Required by many MOD Suppliers
Many defence suppliers will need to store, handle and process O-S information and assets. The MOD should contractually oblige suppliers to meet certain Defence Contract (DefCON) and Defence Standards (DefStans) applicable to handling O-S, but this can be inadvertently omitted or added unexpectedly during the bid or contract periods.
The physical, personnel, procedural and technical security controls for O-S require additional attention, and any systems or assets that store, handle and process O-S often need formal MOD Accreditation. The Accreditation process requires additional security controls to those needed under the DCPP CSM processes and requires access to, and completion of, an assessment using the MOD’s Defence Assurance Risk Tool (DART).
It is important to remember that the requirement for accreditation is not just for the systems used to store, handle and process O-S information, it’s also applicable for the info, assets, capabilities and equipment you deliver to the MOD too!
The MOD has closely aligned itself with the United States’ National Institute for Standards in Technology Cyber Security Framework (NIST CSF) and has also recently published a set of Secure by Design Principles that are intended to replace Accreditation processes in the future.
Anyone with access to O-S information or assets requires security vetting in line with the Baseline Personnel Security Standard (BPSS) as a minimum, but Security Check (SC) level is often expected also, particularly for those with system administration privileges.
Step 4 – Security of SECRET (and above) Information and Assets: Required by some MOD suppliers
Organisations required to store, handle, process or produce information or assets classified at SECRET (or above) must gain a Facility Security Clearance (FSC – previously known as List X) which the MOD will initially approve and periodically audit over time. The FSC is typically focused on the physical and personnel security control requirements, including things like CCTV, Automated Access Control Systems (AACS) and approved alarm systems.
Your company will need its Board to have at least 50% as UK Nationals, a nominated Security Controller and, if appropriate, an IT Security Officer (ITSO). A Board-level UK National must be responsible for all security matters related to SECRET (or above) information or assets.
The technical security controls for any systems or assets that store, handle and process SECRET (and above) require formal MOD Accreditation which requires access to, and completion of, an assessment using a dedicated version of the MOD’s Defence Assurance Risk Tool (DART).
The accreditation process requires an increased level of physical, personnel, procedural and technical controls to those needed under the DCPP CSM and O-S processes. As with O-S information and assets, it is important to remember that the requirement for Accreditation is not just for the systems used to store, handle and process O-S information, it’s also applicable for the info, assets, capabilities, and equipment you deliver to the MOD too!
The MOD has closely aligned itself with the United States’ National Institute for Standards in Technology Cyber Security Framework (NIST CSF) and has also recently published a set of Secure by Design Principles that are intended to replace Accreditation processes in the future.
Anyone requiring access to SECRET information/assets/facilities must be SC cleared as a minimum. BPSS currently allows occasional access to SECRET information, but this may change in the future and needs to be a consideration as part of any formal security risk assessments. Further vetting (known as Developed Vetting (DV)) is required for access to any above SECRET information/assets/facilities and can sometimes be expected for SECRET depending on the role and privileged access you might have.
How can CDS DS Help?
Whether you are bidding for defence contracts or already under contract, CDS DS can provide pragmatic, proportionate and cost-effective help. We have certified security experts with years of MOD experience who can provide cyber security consultancy or virtual security manager support to help you understand and meet the relevant MOD security requirements, expectations and standards as described in this article.
We can also certify your organisation in Cyber Essentials or Cyber Essentials Plus and help you to understand and make the improvements you need to gain certification.
More from Industry Spotlights
-
DEFEA 2025 – The Future of Global Defence and Security
Held in the strategic heart of the Mediterranean basin, DEFEA-Defence Exhibition Athens 2025 is set to be one of Europe’s largest and most influential international defence and security exhibitions, bringing together world-leading defence companies, major manufacturers, industry leaders, and officials from around the globe.
-
Mortar mobility: Patria’s TREMOS takes aim at the modern battlespace
In conversation... Patria’s Lauri Pauniaho talks to Shephard's Gerrard Cowan about how high mobility levels are essential for mortar systems in the face of modern counter-battery fire, and how a new platform-agnostic module can combine existing vehicles and mortar barrels into a cost-effective new weapon system.
-
Powerful, long-range electromagnetic attack capabilities
Dominate the electromagnetic spectrum. Make it an unfair fight with the EA-37B.
-
How complete is your Recognised Maritime Picture?
Deploy SitaWare Maritime to master your situational awareness above and below the waves
-
Pioneering the Future of Naval Defence: Fincantieri's Cutting-Edge Innovations
Fincantieri leads naval defence innovation, integrating advanced propulsion, digital tools, and sustainable technologies for modern military fleets.
-
AI innovation set to revolutionise military training landscape
Artificial intelligence offers unprecedented potential to revolutionise military training, enabling agile and decisive forces.