What is Cyber Essentials?
Cyber Essentials is a government-backed, industry-supported scheme run by the National Cyber Security Centre (NCSC) that sets out a baseline of cyber security controls for organisations of any size. For businesses supplying the MOD it is the minimum level of assurance the department expects.
Cyber Essentials certification is crucial for businesses looking to supply into the defence market. Official MOD policy (DEFCON 658) is that all suppliers bidding for new MOD contracts that involve the transfer of ‘MOD identifiable information’ should hold Cyber Essentials certification before contract award, or be able to evidence progress towards it in time for the contract start date.
Cyber Essentials certification lets you showcase your credentials as a trustworthy and secure organisation and puts your business in a strong position to supply to the defence sector, knowing that your bid can be backed up with evidence that your business meets a recognised cyber security baseline.
What are the benefits to suppliers and buyers?
As Cyber Essentials is a key requirement for any supplier or buyer looking to do business with defence, it is essential that businesses of all types know the benefits that gaining the certification provides.
- Cyber Essentials is government-backed, operated by the National Cyber Security Centre, and has been in place since 2014.
- The five Cyber Essentials controls (boundary firewalls and internet gateways, secure configuration, user access control, malware protection, and patch management) are designed to stop the most common, commodity internet-borne attacks; the government's figure is around 80% of them. They should be seen as the minimum requirement, not a complete security programme.
- Certification is cheaper than paying the cost of a cyber breach. The government's Cyber Security Breaches Survey 2017 put the average cost of a breach at £1,340 per instance.
- Certification can be obtained from a range of certification bodies; for example, DCI offers it from £300 ex VAT for the base level certification.
- Several other certification bodies offer Cyber Essentials, and there are five accreditation bodies in the UK that license those certification bodies and support suppliers becoming Cyber Essentials certified.
- Cyber Essentials certification shows buyers and your own suppliers that you take data security seriously.
- To date over 9,000 businesses have been certified under the Cyber Essentials scheme.
Learn more about Cyber Essentials
Find out what Cyber Essentials is and how to get certified with DCI through their free webinar. DCI is one of a number of certification bodies, but is unique in offering a defence-focused service aimed at MOD tenders, and is well placed to help suppliers position themselves to comply with, and win, MOD tenders. The webinar talks you through the benefits of Cyber Essentials certification in defence and walks you through the key controls the scheme requires.
A Quick Cyber guide for small businesses
Understanding the DCPP Process and risk profiles
Cyber Essentials forms part of the overall Cyber Security Model introduced by the DCPP within the MOD. Suppliers therefore need to understand the overall process and the Cyber Risk Profiles that MOD contracts may be assigned. Under DEFCON 658 suppliers need to know which level of Cyber Essentials certification their business must hold to comply with MOD cyber requirements, and those requirements must be flowed down through their own supply chain. The DCPP brochure gives clear direction on both points and can be downloaded below.
Download a free Cyber Essentials Scheme Summary
The Cyber Essentials scheme summary will provide you with:
– Some background information about the scheme
– The scope of the assessment
– The assurance framework
– The next steps to becoming certified
After reading the scheme summary, you will have a clearer picture of the importance of the scheme and what is involved in the certification process.
DCPP and the Cyber Security Model (CSM)
The Defence Cyber Protection Partnership (DCPP) is a joint industry and government response to the cyber security threat. The DCPP was established in 2013 by the Ministry of Defence, other government departments, and defence suppliers working together to improve the cyber resilience of the sector in the face of an increasing volume and sophistication of cyber attacks.
The DCPP's stated vision is to work together to better understand the risk, improve the sharing of threat information, raise awareness, and collaboratively develop a set of proportionate measures to counter the threat, implemented via the contract.
The DCPP's primary output is the Cyber Security Model, which has applied to all new defence procurements from April 2017 (to the first tier of the supply chain only) and was fully implemented (with flow-down into the supply chain) from October 2017. The Cyber Security Model is a three-stage process: first, a level of risk is assigned to the contract and the controls needed to mitigate that risk are set out; second, the supplier's ability to implement those controls is assessed; and finally, the supplier's suitability is assessed from the completed Supplier Assurance Questionnaire. More information on the DCPP is available here.
An example Self Assessment Questionnaire can be downloaded here.
As one of the available Cyber Essentials certification bodies, DCI offers the following options:
Key Supplier Information for Cyber Essentials certification
Which of the different accreditation/certification bodies should I choose to gain the Cyber Essentials certification?
Suppliers are free to decide which certification body to use, and should be aware that they have a choice. Information on the different accreditation bodies is available here. The pricing illustrated above is from Defence Contracts International and reflects the service it offers as a defence-focused business intelligence provider; other certification bodies are available and their service offerings will differ.
Are there scenarios where I may be unable to gain Cyber Essentials certification?
Suppliers may be unable to achieve Cyber Essentials if any hardware or software within the scope of the assessment is no longer supported by its manufacturer or developer (end of life). No security updates are produced for such products, so the scheme's patch-management control, which requires security updates rated critical or high to be applied within 14 days of release, cannot be met for them. Such products must be removed or replaced, or the assessment scope reduced so that they are excluded.
If a supplier is unable to achieve Cyber Essentials in support of an MOD requirement, the requirement may be waived; this ‘risk acceptance’ process is set out in DEF STAN 05-138.
Do I need Cyber Essentials Plus?
In line with Procurement Policy Note 09/14, Cyber Essentials Plus is incorporated into the CSM: any contract assigned a Cyber Risk Profile of ‘Low’ or higher requires the supplier to hold Cyber Essentials Plus, under which the controls are verified by an independent technical assessment rather than self-assessment alone. Full details of the Cyber Risk Profiles are in DEF STAN 05-138, which is available via defencegateway.mod.uk. New users will need to register to access the DEF STANs.
How much does Cyber Essentials cost?
The cost of achieving Cyber Essentials certification through an official certification body is currently approximately £300. This does not include the cost of any improvements required to bring the business into compliance. A Cyber Essentials certificate is valid for 12 months and must be renewed annually. Pricing differs between certification bodies depending on the service offering and on the level assessed; Cyber Essentials Plus costs more because it includes an independent technical assessment.
Do I need to get Cyber Essentials to bid for UK MOD work as an overseas supplier?
Overseas suppliers may apply for and gain Cyber Essentials certification; the scheme is not restricted to UK organisations. International equivalents may also be acceptable, and a supplier can submit a Cyber Implementation Plan alongside the SAQ to demonstrate that its existing controls match those required by DEF STAN 05-138.