Securing Information
Strengthening Business

The Cyber Security Model for the Defence Industries – why it matters and how to be ready

The Cyber Security Model for the Defence Industries – why it matters and how to be ready

For suppliers to the MOD, change is coming. The planned roll out of CSM in August of 2016 has been delayed. We are now expecting the Cyber Security Model (CSM) to be rolled out to large suppliers from January 2017 – with a full launch by April. FATS (a commercial MOD framework) will also go live in April and it is expected to include the contractual aspects of CSM.

To be compliant with the requirements of the CSM, the MOD supply chain will need Cyber Essentials or Cyber Essentials Plusand have information security governance policies in place.

Ascentor strongly recommend that defence industry companies prepare for CSM by gaining certification to Cyber Essentials in advance – so they are ready to respond to the new contract requirements. In our experience, the larger the business, the more complex and time consuming the process. Don’t delay and put future contracts at risk.

For assistance on any aspect of CSM or Cyber Essentials, please contact Dave James at Ascentor

The following article will tell you more about the CSM.

It has been trailed for some time that the Ministry of Defence (MOD) will soon have a new mechanism to manage supply chain cyber security for the defence industries. Similar to other schemes, the MOD is introducing the Cyber Security Model (CSM).

You may be thinking ‘not another security standard to understand and apply’ and we have some empathy with that. After all, the Department of Business, Innovation and Skills (BIS) introduced the Cyber Essentials (CE) scheme in April 2014 and mandated that suppliers to the public sector achieve certification under the scheme for many Government contracts from October 2014.

However, if you look beyond the additional work and think about the drivers behind the CSM, you will find sound business sense that will make it feel worthwhile. Following the principles of the CSM will help you think more deeply about how to protect sensitive information and improve your defences against cyber security threats. This will potentially save you money and build confidence in the eyes of the MOD.

What is the Cyber Security Model (CSM)?

The Defence Cyber Protection Partnership (DCPP), which comprises MOD representatives, 13 prime suppliers and defence industry trade bodies, was established in 2012 with the aim of improving cyber security maturity for the community.

The DCPP felt that the CE scheme did not represent a broad enough degree of security because it only covered five major technical security controls and did not include wider aspects such as governance and risk management. It therefore developed the CSM as its own standard for supplier cyber security, based upon the CE scheme, but with some additional control requirements.

The CSM will enable government procurers to mandate proportionate cyber security standards from suppliers, appropriate to the level required for a particular contract.

Why does it matter?

The importance of the security of defence information in the supply chain cannot be underestimated – it is a topic that Ascentor cares passionately about. Security breaches have the potential to put lives at risk, wreak havoc and bring down businesses. At the same time, cyber attacks are becoming more and more sophisticated. Even if you feel your current security measures are robust, you will always be at risk of a cyber attack if you operate in the defence industry. In this climate, CSM has been designed to strengthen supplier cyber security.

How does it work?

The CSM is a three-stage process: CSM Levels

The Stage 1 risk assessment is completed by the contracting authority and is based around a questionnaire.

The output of the questionnaire determines the level of risk and complexity of the project using a grading of five Cyber Risk Levels: Not Applicable, Low, Medium, High, Very High.

Whilst there are statements of threat for each of the Cyber Risk Levels, there is no specific correlation between them and the Government Security Classification scheme.

In Stage 2 , the contracting authority decides upon the Cyber Risk Level for a particular contract and the supplier implements the appropriate Cyber Risk Profile as per the table below:


New Cyber Risk Level table






The list of additional measures required at each level can be seen in the documented Cyber Risk Profiles in the draft Defence Standard 05-138 Issue 1, dated 29 May 2015. This draft standard is currently out for review.

The controls in the Cyber Risk Profiles are the minimum that will be required. There may be occasions when additional controls will need to be implemented; in these circumstances anMOD Accreditor will work with the stakeholders.

Stage 3 is the submission of evidence by the contractor, and its review and acceptance (or otherwise) by the contracting authority. An on-line tool is being developed and this will allow companies to input their evidence so that it can be assessed and certification issued. The tool will also automate the Stage 1 process and map the tiers of the supply chain for contracts.

How will it affect me?

If your company supports MOD contracts, then you will be required to comply with the CSM – it is intended that it will be mandatory for all new defence contracts. Implementation of the CSM is currently planned for 2015/2016. There has not been a statement on whether the CSM will be applied to legacy systems, but it is believed to be unlikely. Importantly, the CSM will be applied to individual defence contracts; how that will work with companies that support multiple contracts has yet to be determined. Also, for companies that have List X status already, it is not yet clear what other evidence they will need to provide.

How do you achieve Cyber Essentials and what does it cost?

Full details of Cyber Essentials and Cyber Essentials Plus can be found in Ascentor’s Guide to Cyber Essentials. It’s available as a free download – please click the icon below.

Cyber Essentials certification is achievable through an official certifying body and costs £300. Ascentor was selected by IASME as the first licensed external assessors of its Cyber Essentials assessment process and can partner with your organisation to ensure you meet this security management standard.

There’s an additional advantage in achieving certification via Ascentor and IASME. When an organisationwith a turnover under £20 millionachieves self-assessed certification covering their whole organisation to the basic level of Cyber Essentials, they are automatically awarded Cyber Liability Insurance.

What next?

The Defence Cyber Protection Partnership has now announced it is expecting to launch CSM in April 2016. From January 1st it isrequesting that companies have at least Cyber Essentials in place.

At Ascentor we think that the CSM is a positive move. While it is a pity that the CSM is another standard that needs to be understood, interpreted and implemented, we strongly recommend that defence industry companies get ahead of the game by gaining certification to CE so they are ready to respond to the new contract requirements. We can help you achieve CE .

Follow the Ascentor blog and our Newsletter and we will keep you informed as CSM rollout commences.

We hope you found this article interesting and helpful. If you need any further guidance on CSMor any aspect of Cyber Securityplease contact Dave Jamesat Ascentor.


Office: 01452 881712


Other posts you might like:

IA Inside – building Information Assurance into the heart of your projects

The Demise of IS1 & 2 – Are Risk Assessments Really Worth the Effort?

IA, IASME, CREST – the Cyber Essentials alphabet soup explained

For Further Information

If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.

Please use the contact details below - also found on our Contact Us page.


Fields marked with an * are required
Share this:

You may also be interested in:

Building business resilience - through Information Security, Business Continuity and Disaster Recovery

How would you recover if something went drastically wrong with some, or all of your business operations? When we think of worst case scenarios,

Ascentor’s cyber security review of 2020

2020 wasn’t the first year where a virus emerged causing large scale disruption and opportunities for cybercrime. It was, however, the first time

Cyber security myths putting SMEs at risk

SMEs have long been a favourite hunting ground for cyber criminals. Big enough to be of interest in terms of data held and yet often small enough not