Guidance

Cyber Security Model

Information on the Ministry of Defence Cyber Security Model (CSM), including the standards suppliers must meet for CSM version 3 and how to prepare for CSM version 4.

• From: Ministry of Defence
• Published: 9 September 2024

The Cyber Security Model (CSM) is how Defence builds cyber security into its supply chain. It is a risk-based proportionate approach which includes:

• Risk Assessments: MOD Delivery Teams complete an initial Risk Assessment.  This determines a Cyber Risk Profile.
• Cyber Security Standard for Defence Suppliers: Defence Standard 05-138 lists the cyber security controls required for each Cyber Risk Profile. Suppliers are contractually required to meet Defence Standard 05-138 controls.
• Supplier Assurance Questionnaires: Suppliers self-assess against the CSM requirements using a Supplier Assurance Questionnaire.
• Flow down: Where suppliers are sub-contracting the supplier will complete a Risk Assessment to generate a new Cyber Risk Profile.  The sub-contractor completes the appropriate Supplier Assurance Questionnaire.

If a supplier cannot meet the requirements, they must submit a Cyber Implementation/Improvement Plan (CIP).

Defence Condition 658 (DEFCON 658) lays out the contractual terms for the Cyber Security Model.

There are two versions of the CSM in use for procurements:

• Cyber Security Model v3 (CSMv3) (current)
• Cyber Security Model v4 (CSMv4) (under development)

Existing and new procurements should continue to use CSMv3 until CSMv4 is rolled out. We will communicate transitional arrangements in due course.

Cyber Security Model v3 (CSMv3)

CSMv3:

• focuses on protection of electronic “MOD Identifiable Information”
• has four Cyber Risk Profiles: “Very Low”, “Low”, “Moderate” and “High”
• uses controls specified in Defence Standard 05-138 Issue 3
• has operated since June 2021 using an Interim Process as per Industry Security Notice 2021/05. This includes:
  • flow down obligations being paused for a Cyber Risk Profile of “Very Low”, “Low” and “Moderate”
  • annual renewal obligations being paused
  • DEFCON 658 is to be included where MOD Identifiable information is passed to a sub-contractor, even though flow down has paused
  • requiring submissions through Microsoft Forms (below) or PDF

MS Forms for CSMv3:

• MOD Risk Assessment
• Supplier Assurance Questionnaire
• Industry Risk Assessment

The Cyber & Supply Chain Security team will respond by email to Risk Assessments and Supplier Assurance Questionnaires within two working days. You must contact ukstratcomdd-cydr-dcpp@mod.gov.uk if you have not received a timely response to your submission.

If requirements are not met, the supplier will need to complete a Cyber Implementation Plan (CIP).

Cyber Security Model v4 (CSMv4)

CSM version 4 is a significant change planned to the CSM which will support implementation of the MOD’s Cyber Resilience Strategy for Defence.

CSMv4 will:

• change the CSM focus from “MOD Identifiable Information” to organisational security and resilience
• introduce four new Cyber Risk Profiles: “Level 0”, “Level 1”, “Level 2” and “Level 3”
• use controls specified in Defence Standard 05-138 Issue 4
• provide a new online Supplier Cyber Protection Service for completion of Risk Assessments and Supplier Assurance Questionnaires

As CSMv3 Cyber Risk Profiles cannot map to CSMv4 Cyber Risk Profiles, new Risk Assessments and Supplier Assurance Questionnaires will be required.

CSMv4 Transition

There will be a phased transition to CSMv4.  Until then, organisations should continue to apply CSMv3.

To support organisations that wish to prepare for CSMv4, the following resources have been released for information only:

• Industry Security Notice 2024/02 - advance publication of DEFSTAN 05-138 (Issue 4)
• Def Stan 05-138 Issue 4 (released for information only)
• Def Stan 05-138 Issue 4 standards mapping

Planned additional resources:

• guidance on complying with each Cyber Risk Profile
• guidance on flow down requirements
• guidance on completing CIPs

Related resources for UK suppliers

Defence Supply Chain organisations in the UK are encouraged to sign up for free services provided by the UK National Cyber Security Centre (NCSC):

• Active Cyber Defence and MyNCSC. Registered organisations can access Active Cyber Defence (ACD) tools such as ‘Early Warning’ and keep updated on new capabilities and offerings beneficial to their cyber resilience.
• Cyber Security Information Sharing Partnership (CISP). Suppliers can join the Defence Supplier Community on CISP to discuss current cyber issues with peers and keep up to date with the latest developments.

Queries

Email: ukstratcomdd-cydr-csm@mod.gov.uk

Responses will normally be provided within two working days.

Published 9 September 2024