Guidance

CyDR Defence Industry Cyber Security Assurance and Risk Balance Case processes

Cyber Defence and Resilience (CyDR) Defence Industry Cyber Security Assurance and Risk Balance Case (RBC) processes.

• From: Ministry of Defence
• Published: 12 December 2012
• Last updated: 6 June 2024 — See all updates

CyDR service

CyDR provides a range of support to Defence in the area of Cyber Security, including:

• oversight, tracking and provision of management information for all Cyber Security activity
• advice and guidance on the Secure by Design (SbD) process
• Second Line Assessments of selected projects
• provision of Cyber Risk Consultancy & Advice
• Technical Assurance Consultancy
• Defence Assurance Risk Tool (DART) service administration
• provision of Management Information (MI) in support of the Cyber Security Assurance process
• progression and review of Risk Balance Cases (RBC) prior to sign-off by Ministry of Defence (MOD) Senior Information Risk Owner (SIRO)

SbD and cessation of accreditation

On 28 July 2023, MOD launched its new SbD approach for programmes and projects to continuously assess and assure their Cyber Risk. As a consequence, MOD will no longer apply accreditation to new projects. Instead, Industry Security Notice (ISN) 2023/10 provides guidance for MOD project teams to register their projects and programmes involving industry partners for SbD, and the subsequent removal of the need for industry to register themselves with Cyber Security Assessment & Advisory Services (CySAAS).

The ISN defines criteria for MOD programmes and projects to determine their potential Registration Category. Those assessed as Category 2 or 3 will not require registration with CySAAS; instead they are required to continue following the Defence Cyber Protection Partnership (DCPP) process in accordance with the Cyber Security Model (CSM).

The next version of the CSM is due for publication in 2024. Those considered by the MOD Delivery Team to be Category 1 will liaise with their industry partners to assist in registering the programme or project as SbD.

In the meantime, all industry-owned registrations not currently holding any form of accreditation will have been retired, and the relevant industry partners advised to comply with the aforementioned ISN.

Those with current accreditation will be permitted to progress to their Expiry Date without any further CySAAS Assessor engagement, at which point ISN 2023/10 will apply. Any enquiries concerning this process should be addressed with your MOD Delivery Team.

Risk Balance Cases (RBC)

Where circumstances dictate that it is necessary to carry out action that is outside of the scope of standard policy, a RBC must be raised. All RBCs are registered through DART, providing the user is able to connect to the MOD Core Network (MCN) or the SECRET LAN Interconnect (SLI), depending on the classification of the content of the RBC and/or the data being processed by the associated programme, project or system.

RBCs are divided into 2 main categories:

• Movements: involving the transfer of information between various locations; these were formerly referred to as ‘Fast Tracks’
• Information: all other RBCs (previously called ‘Supp 12’s’)

The generic pathway for an RBC is:

• initial triage by CyDR to determine who needs to be involved
• review and comment by nominated stakeholders; e.g. the Network Technical Authority or local security staff
• review and comment by a CyDR Cyber Security Assessor
• a final assessment by the CyDR RBC lead
• approval by MOD SIRO or delegated authority

Registering an RBC under Legacy Accreditation

If you have access to the MCN, you can contact UKStratComDD-CyDR-DART-Help@mod.gov.uk and request a link to DART.

If you do not have access to the MCN, you will not be able to access DART directly. In this circumstance:

1. Save a copy of the relevant CyDR accreditation request or off-line RBC form to a suitable location.
2. Remember that information categorised as OFFICIAL-SENSITIVE or above must not be transmitted in clear over the internet.
3. Post the completed accreditation request forms to:

Service Delivery Team
CyDR, Room X007
Bazalgette Pavilion,
RAF Wyton
Huntingdon
Cambs
PE28 2EA

Get advice and guidance on the Cyber Security Assurance or RBC processes in general

Email our customer support team at UKStratComDD-CyDR-DART-Help@mod.gov.uk.

Get advice and guidance on SbD polices and procedures: UKStratComDD-CyDR-SbD-Help@mod.gov.uk.

Joint Security Co-ordination Centre

The Joint Security Co-ordination (JSyCC) enables ‘Defence Information Assurance’ assessment through the conduct and coordination of MOD information security incident management and related risk analysis activity.

Additionally, it is a focal point for ‘information security alerts’ and associated ‘warning and response’ activities.

JSyCC are responsible for:

• operational co-ordination and management of the immediate response, warning and reporting, including the investigative oversight and follow-up actions, for all reported Defence Information Assurance/Information Security incidents involving the loss, compromise or leakage of protectively marked official information and/or equipment
• operational information security risk management, trend analysis and related policy. This includes the management of the MOD Information Security Incident Reporting Scheme (MISIRS) and supporting database, together with the drafting of responses to Parliamentary Questions, Freedom of Information (FOI) requests etc
• the provision of the Defence Industry Warning and Reporting Point (WARP), responsible for the coordination of the response and management of all Defence Industry Information Security incidents, including List X
• the coordination of all law enforcement and counter intelligence for information security incidents

Contact details

If you want to know more about JSyCC, use the contact details below:

JSyCC
X017, Bazelgette Pavilion
RAF Wyton
Huntingdon
Cambs, PE28 2EA

JSyCC Ops: 0306 770 2187

JSyCC Duty Officer (out of hours): 07768 558 863

Email: COO-DSR-JSyCCOperations@mod.gov.uk

Published 12 December 2012
Last updated 6 June 2024 + show all updates

1. 6 June 2024

   Updated webpage with latest information on CyDR processes.

2. 8 December 2021

   Updated the email address under 'Start accrediting your ICT system or registering an RBC'.

3. 30 June 2020

   Updated organisation name throughout page.

4. 28 February 2019

   Guidance has been updated with further contact details.

5. 14 November 2017

   Updated DAIS information.

6. 7 August 2017

   Added updated information on DAIS defence industry ICT accreditation.

7. 11 October 2016

   Updated contact details.

8. 26 August 2015

   Updated DAIS content.

9. 24 September 2014

   Updated name of organisation to Defence Assurance and Information Security (DAIS).

10. 7 March 2014

    Updated contact details

11. 7 February 2013

    New form added

12. 12 December 2012

    First published.