Guidance

Cyber Security Model

Information on the Ministry of Defence Cyber Security Model (CSM), including the standards suppliers must meet for CSM version 3 and how to prepare for CSM version 4.

The Cyber Security Model (CSM) is how Defence builds cyber security into its supply chain. It is a risk-based, proportionate approach which includes:

  • Risk Assessments: MOD Delivery Teams complete an initial Risk Assessment. This determines a Cyber Risk Profile.
  • Cyber Security Standard for Defence Suppliers: Defence Standard 05-138 lists the cyber security controls required for each Cyber Risk Profile. Suppliers are contractually required to meet Defence Standard 05-138 controls.
  • Supplier Assurance Questionnaires: Suppliers self-assess against the CSM requirements using a Supplier Assurance Questionnaire.
  • Flow down: Where suppliers are sub-contracting, the supplier will complete a Risk Assessment to generate a new Cyber Risk Profile. The sub-contractor completes the appropriate Supplier Assurance Questionnaire.

If a supplier cannot meet the requirements, they must submit a Cyber Implementation/Improvement Plan (CIP).

Defence Condition 658 (DEFCON 658) lays out the contractual terms for the Cyber Security Model.

There are two versions of the CSM in use for procurements:

  • Cyber Security Model v3 (CSMv3) (current)
  • Cyber Security Model v4 (CSMv4) (under development)

Existing and new procurements should continue to use CSMv3 until CSMv4 is rolled out. We will communicate transitional arrangements in due course.

Cyber Security Model v3 (CSMv3)

CSMv3:

  • focuses on protection of electronic “MOD Identifiable Information”
  • has four Cyber Risk Profiles: “Very Low”, “Low”, “Moderate” and “High”
  • uses controls specified in Defence Standard 05-138 Issue 3
  • has operated since June 2021 using an Interim Process as per Industry Security Notice 2021/05. This includes:
    • flow down obligations being paused for a Cyber Risk Profile of “Very Low”, “Low” and “Moderate”
    • annual renewal obligations being paused
    • DEFCON 658 is to be included where MOD Identifiable information is passed to a sub-contractor, even though flow down has paused
    • requiring submissions through Microsoft Forms (below) or PDF

MS Forms for CSMv3:

The Cyber & Supply Chain Security team will respond by email to Risk Assessments and Supplier Assurance Questionnaires within two working days. You must contact [email protected] if you have not received a timely response to your submission.

If requirements are not met, the supplier will need to complete a Cyber Implementation Plan (CIP).

Cyber Security Model v4 (CSMv4)

CSM version 4 is a significant change planned to the CSM which will support implementation of the MOD’s Cyber Resilience Strategy for Defence.

CSMv4 will:

  • change the CSM focus from “MOD Identifiable Information” to organisational security and resilience
  • introduce four new Cyber Risk Profiles: “Level 0”, “Level 1”, “Level 2” and “Level 3”
  • use controls specified in Defence Standard 05-138 Issue 4
  • provide a new online Supplier Cyber Protection Service for completion of Risk Assessments and Supplier Assurance Questionnaires

As CSMv3 Cyber Risk Profiles cannot map to CSMv4 Cyber Risk Profiles, new Risk Assessments and Supplier Assurance Questionnaires will be required.

CSMv4 Transition

There will be a phased transition to CSMv4. Until then, organisations should continue to apply CSMv3.

To support organisations that wish to prepare for CSMv4, the following resources have been released for information only:

Planned additional resources:

  • guidance on complying with each Cyber Risk Profile
  • guidance on flow down requirements
  • guidance on completing CIPs

Defence Supply Chain organisations in the UK are encouraged to sign up for free services provided by the UK National Cyber Security Centre (NCSC):

  • Registered organisations can access Active Cyber Defence (ACD) tools such as ‘Early Warning’ and keep updated on new capabilities and offerings beneficial to their cyber resilience.
  • Suppliers can join the Defence Supplier Community on CISP to discuss current cyber issues with peers and keep up to date with the latest developments.

Queries

Email: [email protected]

Responses will normally be provided within two working days.

Updates to this page

Published 9 September 2024
Last updated 6 February 2025
  1. Updated: 'Supplier Assurance Questionnaire'

  2. Added 'Letter to Defence Industry CEOs/Defence Leads about driving cyber resilience in the supply chain'.

  3. First published.