Guidance

Cyber Security Model

Information on the Ministry of Defence Cyber Security Model (CSM), including the standards ~~suppliers~~and ~~must~~guidance ~~meet~~ for ~~CSM~~suppliers ~~version~~ 3 ~~and~~ ~~how~~ to ~~prepare~~meet ~~for~~ CSM version 4.

From:: Ministry of Defence
Published: 9 September 2024
Last updated: 827 ~~May~~October 2025 — See all updates

The ~~Defence~~ Cyber ~~Certification~~ ~~(DCC)~~ ~~has~~ ~~been~~ ~~created~~ in ~~partnership~~ ~~with~~ ~~IASME~~ ~~and~~ ~~forms~~ a ~~crucial~~ ~~element~~ of ~~the~~ ~~Cyber~~ Security Model ~~v4.~~

~~More~~Version ~~information~~4 guidance on ~~the~~this ~~Defence~~page ~~Cyber~~is ~~Certification~~ ~~(DCC)~~ for ~~the~~information ~~Cyber~~only ~~Security~~until ~~Model~~3rd v4November ~~(CSMv4).~~2025.

The Cyber Security Model (CSM) is how Defence builds cyber security into its supply chain. It is a risk-based proportionate approach which includes:

CSM Risk Assessments: ~~MOD~~Ministry of Defence (MOD) Delivery Teams complete an initial Risk ~~Assessment.~~ Assessment. This ~~This~~ determines a Cyber Risk Profile.
Cyber Security Standard for Defence Suppliers: Defence Standard 05-138 (Def Stan 05-138) lists the cyber security controls required for each Cyber Risk Profile. Suppliers are contractually required to meet ~~Defence~~Def ~~Standard~~Stan 05-138 controls.
Supplier Assurance ~~Questionnaires:~~Questionnaires (SAQ): Suppliers self-assess against the CSM requirements using a Supplier Assurance Questionnaire.
Flow down: Where suppliers are sub-contracting the supplier will complete a Risk Assessment to generate a new Cyber Risk Profile. The sub-contractor completes the appropriate Supplier Assurance Questionnaire.

If a supplier cannot meet the requirements, (including whether compliance is certified under Defence Cyber Certification (DCC) - see below) they must submit a Cyber ~~Implementation/Improvement~~Improvement Plan ~~(CIP).~~(CIP) detailing when they will meet the required level of compliance, together with associated timescales or reasons why they are unable to comply. The CIP template can be found here.

Defence ~~Condition~~condition 658 ~~(DEFCON~~(DEFCON ~~658)~~658) lays out the contractual terms for the Cyber Security Model.

~~There~~The ~~are~~ ~~two~~ ~~versions~~ of ~~the~~ CSM inhas ~~use~~been ~~for~~ ~~procurements:~~updated:

Cyber Security Model v3 (CSMv3) ~~(current)~~(legacy)
Cyber Security Model v4 (CSMv4) ~~(under~~ ~~development)~~(current)

Existing and new procurements should ~~continue~~now to use ~~CSMv3~~CSMv4. ~~until~~Please ~~CSMv4~~see isthe ~~rolled~~Industry ~~out. We~~Security ~~will~~Notice ~~communicate~~2025/04 ~~transitional~~for ~~arrangements~~more ininformation ~~due~~on ~~course.~~this transition and existing contracts. CSM v3 Cyber Risk Profiles (N/A – High) are not consistent with CSMv4.

Cyber Security Model v3v4 (CSMv3)(CSMv4)

~~CSMv3:~~CSM version 4 is a significant change to the CSM which supports the MOD’s Cyber Resilience Strategy for Defence.

CSMv4:

~~focuses~~changes onthe ~~protection~~CSM offocus ~~electronic~~from “MOD Identifiable Information” to organisational security and resilience
~~has~~introduces four new Cyber Risk Profiles: ~~“Very~~“Level ~~Low”,~~0”, ~~“Low”,~~“Level ~~“Moderate”~~1”, “Level 2” and ~~“High”~~“Level 3”
uses controls specified in Defence Standard 05-138 Issue 34
~~has~~provides ~~operated~~a ~~since~~new ~~June~~online ~~2021~~Supplier ~~using~~Cyber anProtection ~~Interim~~Service ~~Process~~for ascompletion ~~per~~of ~~Industry~~new CSM Risk Assessments and SAQs

Video series about changes to the CSM

Cyber Security ~~Notice~~Model ~~2021/05~~version 4: Overview.

Cyber ~~This~~Security ~~includes:~~

Model version 4: Risk Assessment

Cyber Security Model version 4: Supplier Assurance Questionnaire

Cyber Security Model version 4: Roles and Responsibilities

Cyber Security Model v4 process

~~flow~~New ~~down~~opportunity: ~~obligations~~A ~~being~~Risk ~~paused~~Assessment ~~for~~Reference a(RAR) number and required Cyber Risk Profile of(CRP) ~~“Very~~Level ~~Low”,~~(Levels ~~“Low”~~0-3) relevant to a new or existing MOD activity will be provided by the authority at the earliest market engagement, and ~~“Moderate”~~

~~annual~~will ~~renewal~~usually ~~obligations~~be ~~being~~found ~~paused~~in the invitation to tender.

~~DEFCON~~Complete ~~658~~a isSAQ: If the supplier intends to bebid ~~included~~for ~~where~~this ~~MOD~~opportunity ~~Identifiable~~with ~~information~~the isMOD, ~~passed~~the tosupplier must use the Supplier Cyber Protection Service and complete a ~~sub-contractor,~~SAQ, ~~even~~self-assessing ~~though~~against ~~flow~~the ~~down~~CRP. ~~has~~Please ~~paused~~

~~requiring~~refer ~~submissions~~to ~~through~~the ~~Microsoft~~Supplier ~~Forms~~Cyber ~~(below)~~Protection orService ~~PDF~~

MSdemonstration ~~Forms~~video below for ~~CSMv3:~~

~~Industry~~A ~~Risk~~SAQ ~~Assessment~~

~~The~~will ~~Cyber~~be &automatically ~~Supply~~scored ~~Chain~~against ~~Security~~the ~~team~~CRP, ~~will~~and ~~respond~~the bysupplier ~~email~~immediately toinformed ~~Risk~~if ~~Assessments~~it ~~and~~is ~~Supplier~~compliant.

Cyber ~~Assurance~~Improvement ~~Questionnaires~~Plan ~~within~~(CIP): ~~two~~If ~~working~~the ~~days.~~supplier ~~You~~is non-compliant, they must ~~contact~~complete ~~ukstratcomdd-cydr-dcpp@mod.gov.uk~~a ifCIP. ~~you~~The ~~have~~CIP ~~not~~will ~~received~~form apart ~~timely~~of ~~response~~the tocontract ~~your~~document ~~submission.~~

Ifitself ~~requirements~~and ~~are~~DEFCON ~~not~~658 ~~met,~~will be included in the ~~supplier~~contract ~~will~~terms ~~need~~and toconditions. ~~complete~~The aCIP ~~Cyber~~enables ~~Implementation~~a ~~Plan~~supplier ~~(CIP)~~.

Cyberto Securitycommit Modelto v4improving (CSMv4)

~~CSM~~their ~~version~~cyber 4resilience isand allows a ~~significant~~contracting ~~change~~authority ~~planned~~ to ~~the~~permit ~~CSM~~a ~~which~~supplier ~~will~~to ~~support~~work ~~implementation~~towards ofcompliance with the ~~MOD’s~~required Cyber ~~Resilience~~Risk ~~Strategy~~Profile ~~for~~Level ~~Defence~~.

~~CSMv4~~(Levels ~~will:~~

~~change~~0-3). The supplier should include the ~~CSM~~CIP ~~focus~~as ~~from~~part ~~“MOD~~of ~~Identifiable~~their ~~Information”~~tender. toThe ~~organisational~~CIP ~~security~~template ~~and~~can ~~resilience~~be found here.
~~introduce~~Supplier ~~four~~Selection: ~~new~~The ~~Cyber~~authority ~~Risk~~will ~~Profiles:~~take ~~“Level~~into ~~0”,~~consideration ~~“Level~~supplier ~~1”,~~compliance ~~“Level~~(or 2”CIP ~~and~~proposal) ~~“Level~~in 3”supplier selection.
~~use~~Contract ~~controls~~Award: ~~specified~~Contracts inwill ~~Defence~~be ~~Standard~~agreed ~~05-138~~between ~~Issue~~the 4 authority and supplier, which will include any agreed CIP.
~~provide~~Contract Maintenance: Annually, the supplier will complete a new ~~online~~SAQ ~~Supplier~~to ~~Cyber~~determine ~~Protection~~if ~~Service~~they ~~for~~remain ~~completion~~compliant. ofIf ~~Risk~~the ~~Assessments~~supplier ~~and~~is ~~Supplier~~non-compliant, ~~Assurance~~a ~~Questionnaires~~CIP will be considered.

Flow down guidance for defence suppliers

AsThe ~~CSMv3~~information ~~Cyber~~in ~~Risk~~this ~~Profiles~~guidance ~~cannot~~is ~~map~~relevant for both MOD personnel (authority) and current/prospect suppliers.

What is flow down?

Flow down is how MOD requests prime contractor requirements into lower-tier sub-contractor agreements. Flow down is required from the prime contractor to ~~CSMv4~~their ~~Cyber~~sub-contractors ~~Risk~~and ~~Profiles,~~onwards ~~new~~down ~~Risk~~the ~~Assessments~~sub-contracting tiers to the end of the supply chain. The flow down process allows the MOD to monitor and ~~Supplier~~gain ~~Assurance~~assurance ~~Questionnaires~~on ~~will~~its besupply ~~required.~~chain.

CSMv4Who Transitionis responsible for flow down?

~~There~~Suppliers ~~will~~are beresponsible for flow down. DEFCON 658 contains the contractual obligations that suppliers must place upon subcontractors.

Flow down example scenario:

A prime contractor, Company A, is bidding on a ~~phased~~MOD ~~transition~~contract to ~~CSMv4.~~ build ~~Until~~military ~~then,~~drone ~~organisations~~parts. ~~should~~Company ~~continue~~A expects to ~~apply~~hire ~~CSMv3.~~a sub-contractor, Company B, to help manufacture components, which Company B will sub-contract to Company C.

Company ~~support~~A ~~organisations~~completes ~~that~~a ~~wish~~CSM Risk Assessment (RA) to ~~prepare~~determine the Cyber Risk Profile (CRP) level for ~~CSMv4,~~their sub-contractor(s). This CSM RA completion automatically generates a Risk Assessment Reference (RAR).

Company A should pass this RAR to Company B to complete a SAQ to determine if they meet compliance with the CRP level required.

Company B can now commence the onwards flow down, following ~~resources~~in ~~have~~Company ~~been~~A’s ~~released~~footsteps by completing a CSM RA to determine the CRP level required for ~~information~~their ~~only:~~
- ~~Industry~~Company ~~Security~~C ~~Notice~~will ~~2024/02~~then -complete ~~advance~~the ~~publication~~relevant ofSAQ, ~~DEFSTAN~~aiming ~~05-138~~to ~~(Issue~~meet 4)the CRP level assigned by the CSM RA.
- ~~Def~~This ~~Stan~~process ~~05-138~~can ~~Issue~~continue 4to ~~(released~~flow ~~for~~down ~~information~~as ~~only)~~seen through the supply chain tiers.
- If either Company B or Company C (sub-contractors) are NOT compliant with the required Def Stan 05-138 ~~Issue~~controls 4(per ~~standards~~CRP ~~mapping~~level for the contract) as a result of completing their SAQ, requirements for a CIP must be agreed between parties and must include consultation with the MOD.

Learn how to use the Supplier Cyber Protection Service

~~Planned~~The Supplier Cyber Protection Service is a Public Beta. This demonstration video will show you how to use its current functionality. Alongside this, we are also exploring additional ~~resources:~~features to make CSM v4 even more flexible and user-friendly.

~~guidance~~
Cyber onSecurity ~~complying~~Model version 4: Supplier Cyber Protection Service Demonstration

Defence Cyber Certification

The Defence Cyber Certification (DCC) has been created in partnership with industry and IASME, the scheme’s Certification Authority, as a way of independantly evidencing compliance with ~~each~~the Cyber ~~Risk~~Security ~~Profile~~

~~guidance~~Model.

Suppliers onshould ~~flow~~expect ~~down~~to ~~requirements~~

~~guidance~~see increasing requirement to hold valid DCC certification for the duration of their contract with the MOD. this will be specified as a condition under tender following launch of the CSM.

More information on ~~completing~~the ~~CIPs~~

Defence Cyber Certification (DCC) for the Cyber Security Model v4 (CSMv4).

Related resources for UK suppliers

Defence Supply Chain organisations in the UK are encouraged to sign up for free services provided by the UK National Cyber Security Centre (NCSC):

Active Cyber Defence and MyNCSC. Registered organisations can access Active Cyber Defence (ACD) tools such as ‘Early Warning’ and keep updated on new capabilities and offerings beneficial to their cyber resilience.
Cyber Security Information Sharing Partnership (CISP). Suppliers can join the Defence Supplier Community on CISP to discuss current cyber issues with peers and keep up to date with the latest developments.

QueriesCyber Security Model v3 (CSMv3)

~~Email:~~The ~~ukstratcomdd-cydr-csm@mod.gov.uk~~content below is for the legacy CSMv3 process. Please refer to Industry Security Notice 2025/04 to determine your required action.

~~Responses~~CSMv3:

focuses ~~will~~on ~~normally~~protection of electronic “MOD Identifiable Information”

has four Cyber Risk Profiles: “Very Low”, “Low”, “Moderate” and “High”

uses controls specified in Defence Standard 05-138 Issue 3

has operated since June 2021 using an Interim Process as per Industry Security Notice 2021/05. This includes:
- annual renewal obligations being paused
- DEFCON 658 is to be ~~provided~~included where MOD Identifiable information is passed to a sub-contractor, even though flow down has paused
- requiring submissions through Microsoft Forms (below) or PDF

MS Form for CSMv3:

Supplier Assurance Questionnaire

The Cyber & Supply Chain Security team will respond by email to Risk Assessments and Supplier Assurance Questionnaires within two working days.

If requirements are not met, the supplier will need to complete a Cyber Implementation Plan (CIP).

Contact

Email: UKStratComDD-IES-CC-CRP-SCPS@mod.gov.uk

Monday to Friday, 9am to 5pm - excluding bank holidays.

Published 9 September 2024

Last updated 827 ~~May~~October 2025 + show all updates

27 October 2025
Updated webpage with information on the now-live CSM version 4.

8 May 2025
Updated webpage with information on the Defence Cyber Certification (DCC).
6 February 2025
Updated: 'Supplier Assurance Questionnaire'
2 January 2025
Added 'Letter to Defence Industry CEOs/Defence Leads about driving cyber resilience in the supply chain'.
9 September 2024
First published.

Contents