Defence requirements for Cyber Essentials

From 1st January 2016 all companies bidding for new contracts with the UK Ministry of Defence (MoD) must be certified to Cyber Essentials.

From April 2016 all companies bidding for new contracts with the MoD (and their supply chain) will need to comply with the Cyber Security Model (CSM).

The CSM requires Cyber Essentials as a minimum, and many companies will need Cyber Essentials PLUS. The CSM also includes governance requirements.

Although the MoD questions on governance have not been finalised, these will be mapped to the IASME governance questions. The MoD have confirmed that any organisation with the IASME governance self-assessment certification will, in due course, be able to bypass any CSM questions which cover the same ground. (A mapping exercise is planned to identify how many of them will fall into this category.)

You can download both these and the Cyber Essentials questions for free here. You can be assessed against the IASME governance questions at the same time as completing Cyber Essentials for no extra cost.

Background

The CSM has been developed from the work of the Defence Cyber Protection Partnership (DCPP); see more details of this initial work here. As part of this model, all Defence projects will be assigned a risk level:

  • Very Low
  • Low
  • Moderate
  • High

Key Points

  • Companies working on projects at all risk levels will be required to be certified to Cyber Essentials.
  • Those working at all except the lowest (Very Low) risk level will need Cyber Essentials PLUS.
  • This will apply to all contracts put out to tender from 1st January 2016 and, unlike the rest of central government, this will be required of the whole supply chain where that risk is present.

The IASME governance self-assessment questions are thought to prepare you well for the additional governance questions you will need to answer for project risk levels Low and above.