Guidance

DCPP: your questions answered

Updated 26 October 2017

Cyber threat

The UK Cyber Security Strategy presented by the Cabinet Office describes in detail the threat (see section 2, pages 1 to 19). It identifies the top threats as criminals, state sponsored cyber actors, terrorists, and hacktivists.

The government’s overarching vision

The government’s vision is to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness, transparency and the rule of law, enhance prosperity, national security and a strong society.

Cyber Security Information Partnership (CiSP)

CiSP is a joint industry and government initiative, created to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business. The CiSP is managed by the National Cyber Security Centre.

Defence Cyber Protection Partnership (DCPP)

The Defence Cyber Protection Partnership (DCPP) is a holistic, industry and government response to the cyber security threat. The DCPP was established in 2013 by the Ministry of Defence, other government departments, and defence suppliers working together to improve the cyber resilience of the sector in the face of an increasing volume and sophistication of cyber-attacks. Our vision is to work together to better understand the risk, improve the sharing of threat information, raise awareness and collaboratively develop a set of proportional measures to counter the threat, implemented via the contract.

The DCPP’s primary output is the Cyber Security Model, which has applied to all new defence procurements from April 2017 (to the first tier of the supply chain only) and is fully implemented (with flow-down into the supply chain) from October 2017. The Cyber Security Model is a three-stage process which first assigns a level of risk to a contract and sets out the controls needed to mitigate that risk; second, assesses the supplier’s ability to implement the appropriate controls; and finally assesses the supplier’s suitability by reviewing the completed Supplier Assurance Questionnaires (SAQ).

Cyber Essentials Scheme (CES)

The CES is a set of measures that all organisations should implement to protect against basic cyber threats on the internet. It was launched in June 2014. You can find further information about the scheme, including how to apply for certification, at the Cyber Essentials website.

Certification

Suppliers are free to decide which certification body to use, but must be aware they have a choice. Information on the different accreditation bodies is available via the link.

Suppliers may be unable to achieve Cyber Essentials if any hardware or software on their network is no longer supported by its manufacturer or developer and is therefore deemed ‘not supported’. This means security updates are no longer developed for, or cannot be applied to, these products.

If a supplier is unable to achieve Cyber Essentials in support of an MOD requirement, they may be able to have this requirement waived; this ‘risk acceptance’ process is outlined in DEFSTAN 05-138.

Cyber Essentials Plus

Cyber Essentials Plus is incorporated into the CSM, under which any contract assigned a Cyber Risk Profile of ‘Low’ or higher will require suppliers to hold Cyber Essentials Plus. Full details of the Cyber Risk Profiles are in DEFSTAN 05-138 which is available via the DCPP page on GOV.UK.

MOD identifiable information (MODII)

DEFCON 658 has the authoritative definition of MODII. In brief, however, MODII is any information held, processed or transferred electronically which is attributed to or could identify an existing or proposed MOD capability, and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure. Further information on what types of information would be classed as included in or excluded from this definition can be found in DEFCON 658, under ‘Definition of MODII’.

Cyber Essentials cost

The cost of achieving Cyber Essentials certification through an official certifying body is currently approximately £300. This does not include the cost of any improvements required to achieve Cyber Essentials compliance. A Cyber Essentials certificate is valid for 12 months and must be renewed annually.

Cyber Essentials as an overseas supplier

Overseas suppliers may apply for and gain Cyber Essentials accreditation; it is not a UK-only accreditation. International equivalents may also be acceptable, and the ability for a supplier to submit a Cyber Implementation Plan alongside the SAQ enables suppliers to demonstrate that their standards match the controls required by DEFSTAN 05-138.

Cyber Security Model (CSM)

The Cyber Security Model will be a requirement of becoming a supplier to the MOD, but there are also additional benefits. For organisations who are less aware of the cyber threat, participating in the process can act as the first step in raising awareness of cyber security in their organisation. It will help to clarify what is expected and enable organisations to make targeted investments. It may also be used to highlight a company’s capabilities to potential customers.

The CSM is the process by which The Authority ensures its requirements to protect MOD Identifiable Information from the cyber threat are implemented. The controls are detailed in DEFSTAN 05-138. The CSM has 3 steps:

  • a risk assessment
  • a supplier assurance questionnaire
  • an assessment of the SAQ(s) by ‘The Authority’

The Authority is the role which determines the Cyber Risk Profile appropriate to a contract and, where the supplier has not already been notified of the Cyber Risk Profile prior to the date of a contract, shall provide notification of the relevant Cyber Risk Profile to the supplier as soon as is reasonably practicable; and notify the supplier as soon as reasonably practicable where The Authority reassesses the Cyber Risk Profile relating to that Contract (from DEFCON 658 which remains the authority on defining The Authority).

Risk Assessment

This is part of the Cyber Security Model and it is a short questionnaire which determines the Cyber Risk Profile for a contract or sub-contract. All Risk Assessments will be completed using Octavian.

Supplier Assurance Questionnaire

This is the second step in the Cyber Security Model and is used by the supplier to demonstrate compliance with the controls for the relevant Cyber Risk Profile. All Supplier Assurance Questionnaires will be completed using Octavian, the online tool.

Octavian: online tool

Octavian is the online tool used to complete the Risk Assessment and Supplier Assurance Questionnaire, formerly termed the Supplier Cyber Protection Service.

Online tool processes

The MOD does not require any particular person or job holder to complete a Risk Assessment or Supplier Assurance Questionnaire. We require the person completing each questionnaire to submit a declaration stating that they have the right to submit the response on their company’s behalf and that they will be held accountable for their company’s response.

Flow down of CSM requirements to suppliers and subcontractors

From October 2017 each supplier to the MOD must perform a Risk Assessment for each subcontract they place as part of delivering an MOD contract. Suppliers must inform their subcontractors of their responsibilities under DEFCON 658; this requires them to complete a Supplier Assurance Questionnaire and to complete a new Risk Assessment if they are sub-contracting any further. It is always the responsibility of the contracting authority to ensure its sub-contractors have in place the appropriate level of cyber protection measures for each Cyber Risk Profile.

Compliance

Suppliers at all levels of the supply chain must have the cyber protection measures appropriate to the Cyber Risk Profile in the contract/subcontract in place at the time of the contract/subcontract award, or an agreed Cyber Implementation Plan.

The MOD requires a Supplier Assurance Questionnaire to be completed on Octavian. The MOD has the right to audit the responses submitted through this service to confirm they comply with the Cyber Risk Profile’s requirements.

Cyber Implementation Plan (CIP)

The CIP allows the supplier to set out the steps they commit to taking to achieve compliance together with a time frame for achievement. It should include details on the current level of compliance, the planned measures to achieve compliance or the proposed mitigations for consideration.

Financial issues

Suppliers will be informed of the Cyber Risk Profile through the Contract Notice or Invitation to Tender. To respond, each supplier will be required to register on Octavian and complete a Supplier Assurance Questionnaire as part of their tender’s submission.

Cost of implementing the controls from DEFSTAN 05-138

An important principle of the Cyber Security Model is that it only specifies those controls necessary to mitigate the level of risk. This means companies only need to do what is necessary for the particular work with which they are involved.

Small businesses are as much a target for cyber-attack as larger corporations, so it is equally important they are protected.

It is important to note the Cyber Security Model specifies controls which are already considered good practice. Companies should already have appropriate security measures in place to protect their businesses, including from cyber threats.

Costs to companies

The cost to a company will depend on the company’s cyber maturity and how well this is aligned to the risk it faces. If an organisation already addresses the cyber risk to its business and is implementing current industry best practice for cyber security, then the Cyber Security Model should have little effect beyond additional mapping to preferred standards and the reporting requirements for assessment of compliance. If your organisation is not currently adopting best practice, or is unaware of the cyber risks it holds, the Cyber Security Model will necessitate change within your organisation to meet its requirements which, depending on the gaps identified, may require additional resource.

Contractual issues

DEFSTAN 05-138 specifies controls which are the minimum required for each Cyber Risk Profile. The DCPP Supplier Assurance Questionnaire assesses compliance against those controls. The DCPP’s page on GOV.UK provides information on important considerations and best practice for each question. It is expected companies will already have security measures in place to protect their businesses from cyber threats.

Companies can enter a tender process without all controls in place, but they would be expected to have all the cyber protection measures necessary to fulfil the requirements of the contract in place at the time of contract award, or have an agreed Cyber Implementation Plan.

There is a risk acceptance process outlined in DEFSTAN 05-138 if a supplier is not able to comply with the mandated controls. If an organisation is able to be compliant in the future but not by contract award date, the supplier must submit a Cyber Implementation Plan. Provided the measures proposed in the Cyber Implementation Plan do not pose unacceptable risk to the MOD, a submission with a Cyber Implementation Plan will be considered alongside those who can achieve the controls.