Securing Information
Strengthening Business

MOD Suppliers – the new Cyber Essentials requirements explained

Cyber Essentials logo with caption








For suppliers to the MOD, change is coming. The planned roll out of CSM in August of 2016 has been delayed. We are now expecting the Cyber Security Model (CSM) to be rolled out to large suppliers from January 2017 – with a full launch by April. FATS (a commercial MOD framework) will also go live in April and it is expected to include the contractual aspects of CSM.

To be compliant with the requirements of the CSM, the MOD supply chain will need Cyber Essentials or Cyber Essentials Plus and have information security governance policies in place.

Ascentor strongly recommend that defence industry companies prepare for CSM by gaining certification to Cyber Essentials in advance – so they are ready to respond to the new contract requirements. In our experience, the larger the business, the more complex and time consuming the process. Don’t delay and put future contracts at risk.

For assistance on any aspect of CSM or Cyber Essentials, please contact Dave James at Ascentor

The following article will tell you more about the CSM.

For suppliers to the MOD bidding for new contracts advertised from January 1st 2016 – there is a new MOD requirement you’ll need to know.

Check to see if the contract involves the transfer of MOD identifiable information from customer to supplier, or the generation of information by a supplier specifically in support of the MOD contract.

If the answer is yes, you and any subcontractors must have achieved Cyber Essentials certification by the contract start date.

Cyber Essentials certification will become a baseline requirement for companies in the UK defence supply chain – suppliers are strongly encouraged to start working towards it.

Defence Cyber Protection Partnership (DCPP)

What has brought this about?

As part of the MOD commitment to ensuring it and its suppliers are protected against cyber security threats, it has been working with industry and other Government departments in the Defence Cyber Protection Partnership (DCPP) to develop a proportionate means of achieving this.

As a first step ahead of the forthcoming Cyber Security Defence Model (CSM) which is expected to apply to all new Defence contracts from Q2 2016, the MOD has announced that it will be implementing the Government’s Cyber Essentials Scheme through a compliance question in its supplier selection Pre-Qualification Questionnaire.

The exact wording from the MOD is as follows:

For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.

What is Cyber Essentials?

Cyber Essentials is not new, first launched in June 2014 it is a set of measures that all organisations should implement to protect against basic cyber threats on the internet. It has already been a mandatory requirement for suppliers to Government of certain types of contracts to hold Cyber Essentials certification.

The MOD had an initial exemption from Cyber Essentials when it was first launched because it was developing its more extensive CSM model – but have now decided that Cyber Essentials is the first step for all suppliers where there is an exchange of information.

Why you should have it anyway

The reality is that, unless your particular contract doesn’t contain any MOD information, your organisation is going to need Cyber Essentials certification to do business with the MOD. Besides which, obtaining Cyber Essentials is good practice – it is a security standard that will protect your business from cyber threats and you’ll also gain valuable certification.

A bulletin released by Defence Contracts Online in December 2015 stated that by implementing the basic Cyber controls required of the Government’s Cyber Essentials scheme, businesses will protect their information assets from almost 80 per cent of Cyber threats.

Cyber Essentials and the Cyber Security Model (CSM)

In advance of the launch of the Cyber Security Model (CSM) , the MOD suggests suppliers may wish to commence the process of achieving Cyber Essentials Scheme certification. Cyber Essentials is available at two levels: CES and CES Plus. CES will be the sole measure required for Very Low risk contracts; for anything carrying a greater risk the baseline will be CES Plus.

How do you achieve Cyber Essentials and what does it cost?

Full details of Cyber Essentials and Cyber Essentials Plus can be found in Ascentor’s Guide to Cyber Essentials. It’s available as a free download – please click the icon below.

CE download icon

Cyber Essentials certification is achievable through an official certifying body and prices start from £300. Ascentor was selected by IASME as the first licensed external assessors of its Cyber Essentials assessment process and can partner with your organisation to ensure you meet this security management standard.

For details about the various routes to certification offered by Ascentor, please see Cyber Essentials Certification with Expert Support.

There’s an additional advantage in achieving certification via Ascentor and IASME. When an organisation with a turnover under £20 million achieves self-assessed certification covering their whole organisation to the basic level of Cyber Essentials, they are automatically awarded Cyber Liability Insurance.

For further information

To arrange a chat with our qualified Cyber Essentials assessors to discuss the merits of the various Cyber Essentials options, please call 01452 881712 or email

Other posts you might like

IA, IASME, CREST – the Cyber Essentials alphabet soup explained

IA Inside – building Information Assurance into the heart of your projects

The Demise of IS1 & 2 – Are Risk Assessments Really Worth the Effort?

// ]]>

For Further Information

If you have any questions about the topics we've covered, or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the team at Ascentor.

Please use the contact details below - also found on our Contact Us page.


Fields marked with an * are required
Share this:

You may also be interested in:

Building business resilience - through Information Security, Business Continuity and Disaster Recovery

How would you recover if something went drastically wrong with some, or all of your business operations? When we think of worst case scenarios,

Ascentor’s cyber security review of 2020

2020 wasn’t the first year where a virus emerged causing large scale disruption and opportunities for cybercrime. It was, however, the first time

Cyber security myths putting SMEs at risk

SMEs have long been a favourite hunting ground for cyber criminals. Big enough to be of interest in terms of data held and yet often small enough not