Security requirements for selling to or working with Dstl
Guidance on working securely with or for the Defence Science and Technology Laboratory (Dstl).
As part of our role as science and technology (research and development) lead for the UK Ministry of Defence (MOD), we must apply the right security measures to protect our:
- people
- information
- data
- assets
To give UK defence a capability edge, and to maintain a battle-winning advantage over our adversaries, we must maintain appropriate security.
To protect the confidentiality, integrity and availability of Ministry of Defence identifiable information (MODII), we must carry out due diligence activities to mitigate identified threats and security risks. We therefore need our suppliers, and their contractors who sell to or work with us, to safeguard all shared information and data. This includes information and data associated with the contract.
General security requirements
We set out the necessary security requirements for suppliers early on in the procurement process. Suppliers must pass these requirements on to their sub-contractors.
Suppliers and their sub-contractors are also required to:
- comply with GovS 007 Security when processing, storing, generating or facilitating the transit of MOD identifiable information regardless of the UK government’s security classification
- undergo security screening or hold appropriate security clearance
- demonstrate the application of effective physical and cyber security controls
- ensure appropriate and timely reporting of security breaches or incidents
You must tell us if you intend to sub-contract and, where appropriate, seek authorisation before you place a sub-contract. Refer to Subcontracting or collaborating on Classified UK MOD Programmes for further details.
Personnel security
All personnel, including those working within Dstl’s supply chain, must be security screened in accordance with the UK government’s baseline personnel security standard (BPSS).
All research workers must submit a Dstl Research Workers Personal Particulars (RWPP) form. This form incorporates the requirements of the BPSS so you don’t need to go through the BPSS as well.
Research workers are individuals involved in activities comprising fundamental research, applied research and experimental development. This does not include the making and qualification of pre-production prototypes, tools and industrial engineering, industrial design or manufacture.
The RWPP also helps us understand and consider the additional complexities of academic study.
All research workers must submit a fully completed form for screening unless they already hold a suitable extant security clearance from a UK Vetting Authority. If you hold UK security clearance, you can instead complete a security clearance certification form, which we will send to you.
Physical security
Where appropriate, we will entrust sensitive information and/or assets to suppliers who hold a suitable Facility Security Clearance (FSC) for the specific facility or site where the relevant elements of the contract are to be conducted.
When a non-FSC or provisional FSC supplier has been successful or is to be awarded a contract, we will begin action to sponsor the certification of an FSC for the site where the supplier intends to or is required to undertake the work. No preference is given to existing FSC holding suppliers.
Cyber security
You must tell us immediately if you become aware of any cyber security incident (including at your sub-contractors) that affects, or has the potential to affect, Dstl or MOD data. If in any doubt, contact the appropriate Commercial Officer.
All suppliers and sub-contractors must apply cyber security controls to systems processing, generating or storing defence related information and data.
As a minimum, suppliers and sub-contractors must meet the Defence Cyber Protection Partnership (DCPP) Cyber Security Model standards for the cyber risk profile that is attributed to each contract we place.
MOD and Dstl have adopted the Secure by Design approach, which ensures cyber secure delivery of capabilities by designing and building them with security in mind from the start. MOD has issued an Industry Security Notice with details of the Secure by Design requirements.
Information security
You must get permission from us before sharing information and/or data outside of the UK.
We all have a duty to ensure personal information is handled responsibly and only used for the purposes for which it was provided. We also have a duty to ensure that all such personal data is handled in accordance with applicable laws and regulations.
We might issue a Security Aspects Letter to set out the specific aspects of the contract we consider sensitive. You must then apply extra controls to those aspects.
Conflicts of interest
Suppliers and sub-contractors must avoid conflicts of interest or situations that give the appearance of a conflict of interest, or have the potential to do so.
If a conflict of interest, or a situation that could give rise to one, exists between suppliers and sub-contractors, tell us as soon as possible.