MOD Implementation of Cyber Essentials Scheme

The Government  highlighted its plans to invest heavily in Cyber security in 2015 for the next five years and Bristish Industry now need to be aware that every British company is a target, every British network will be attacked, and that Cyber crime is not something that happens to other people.

The MOD is committed to ensuring it and its supply chain are appropriately protected and has been working jointly with Industry and other Government departments in the Defence Cyber Protection Partnership (DCPP) to develop a proportionate means of achieving this. As a first step, the MOD will be implementing the Government’s Cyber Essentials Scheme through a compliance question in its supplier selection Pre-Qualification Questionnaire.

For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.

It is expected that this scoping will apply to most direct MOD contracts; however, the supply chain will also need to apply the same test as it flows work down into sub-contracts and it is recognised that the scoping statement may not be applicable at some of these lower levels e.g. items procured on a regular basis where allocation is unknown at the time of purchase.  The more extensive requirements of the DCPP Cyber Security Model will be implemented in a phased approach from April 2016.

HM Government commissioned a 2015 Information Security Breaches Survey. There are some rather worrying statements some of which can be attributable to the Cyber threat. 90% of large organisations and 74% of small businesses will have suffered a security breach. 69% of large and 38% of small businesses were attacked by an unauthorised outsider last year whilst the average costs of the worst possible breach ranges from £75k – £311k for a small business to £1.46m – £3.14m for a large business.

In the governments most recent report Cyber Breaches 2017 the threat to all businesses continues to grow. The survey found that over 875,000 business were hit by a cyber attack in 2016>2017 and the average cost is around £1,340 per instance. Through Cyber Essentials business of all sizes can protect themselves and be at the required cyber security level to win mod contracts.

By implementing the basic Cyber controls required of the Government’s Cyber Essentials scheme businesses will protect their information assets from almost  80 per cent of Cyber threats. The MOD DCPP team would be happy to advise suppliers on any aspects of meeting these requirements and can be contacted at

Francesca Insley Def Comrcl Pol 2D-Asst TL and Frank Tindall Def Comrcl Pol-2-TL