Understanding the DCPP Process and risk profiles
Cyber Essentials forms part of the overall Cyber Security Model introduced by the DCPP within the MOD. As part of this, suppliers need to know the overall process and understand the associated Cyber Risk profiles that MOD contracts may have. Under the DEFCON 658 notice, suppliers will need to know what level of Cyber Essentials certification their business must have in order to comply with MOD Cyber requirements throughout their supply chain. The DCPP brochure provides clear direction on both these areas and can be downloaded below.
The Defence Cyber Protection Partnership (DCPP) is a holistic, industry and government response to the cyber security threat. The DCPP was established in 2013 by the Ministry of Defence, other government departments, and defence suppliers working together to improve the cyber resilience of the sector in the face of an increasing volume and sophistication of cyber-attacks.
Our vision is to work together to better understand the risk, improve the sharing of threat information, raise awareness and collaboratively develop a set of proportional measures to counter the threat, implemented via the contract.
The DCPP’s primary output is the Cyber Security Model, which has applied to all new defence procurements from April 2017 (to the first tier of the supply chain only) and has been fully implemented (with flow-down into the supply chain) from October 2017. The Cyber Security Model is a three-stage process which first assigns a level of risk to a contract and sets out the controls needed to mitigate that risk; second, assesses the supplier’s ability to implement the appropriate controls; and finally, assesses the supplier’s suitability by assessing the completed Supplier Assurance Questionnaires. More information on the DCPP is available here.
An example Self Assessment Questionnaire can be downloaded here.
A Quick Cyber guide for small businesses
What is Cyber Essentials?
Cyber Essentials is a government-backed, industry-supported initiative from the National Cyber Security Centre (NCSC) to provide businesses supplying to the MOD with a basic level of cyber security controls.
Cyber Essentials certification is crucial for businesses looking to supply into the defence market. Based on DEFCON 658, official MOD policy is that all suppliers bidding for new MOD contracts that include the transfer of ‘MOD identifiable information’ should possess Cyber Essentials certification before contract award, or be able to show evidence of progress towards it in time for the contract start date.
Cyber Essentials certification enables you to showcase your credentials as a trustworthy and secure organisation and puts your business in a perfect position to supply to the defence sector, knowing that your bid can be backed up with evidence that your business is cyber secure.
Cyber Essentials is a key requirement for any supplier or buyer looking to do business with defence. It is essential that businesses of all types know the benefits that gaining such certification provides.
- Cyber Essentials is government-backed by the National Cyber Security Centre and has been in place since 2014.
- The controls Cyber Essentials puts in place protect a business from around 80% of cyber attacks, but these should be seen as the minimum requirements.
- Certification is cheaper than paying the cost of a cyber breach. The Cyber Breaches 2017 report indicated this cost is on average £1,340 per instance.
- Certification can be obtained from a range of providers; for example, Cyber Essentials Online offers this from £300 ex VAT for the base level certification.
- Cyber Essentials certification shows us and your suppliers that you take data security seriously.
- To date over 9,000 businesses have been certified to the Cyber Essentials scheme.
Learn more about Cyber Essentials
Find out what Cyber Essentials is and how to get certified with DCI through their free webinar. As one of a number of suppliers in the certification space, DCI is unique in that it offers a defence-focused solution for MOD tenders and is well placed to share its expertise to help suppliers position themselves to comply with and win MOD tenders.
The webinar will talk you through the benefits of Cyber Essentials certification in defence and provide you with:
- An introduction to the DCPP
- What is the Cyber Security Model (CSM)
- How to meet the requirements of the Cyber Security Model
- How does the CSM impact supplier tendering in defence?
- How to become Cyber Certified with Cyber Essentials
Cyber Essentials is the minimum certification an organisation needs to implement to bid for new MOD defence contracts which include the transfer of ‘MOD identifiable information’.
The MOD has made this requirement mandatory since January 2016 for suppliers looking to do business in the defence sector.
As the risk level goes up, some additional controls are required that can be evaluated through Cyber Essentials Plus vulnerability tests.
The controls that need to be in place to achieve Cyber Essentials certification protect a business from around 80% of common cyber attacks.
It’s worth considering that certification is cheaper than the alternative of paying for the cost of a cyber breach. The Cyber Breaches Survey 2017 report indicated this cost is, on average, £1,340 per instance of a cyber breach.
Certification allows your business/organisation to promote itself as cyber secure up to the Cyber Essentials standard level, which can make a real difference when bidding for contracts.
When you receive your Cyber Essentials certificate, you will also receive the relevant Cyber Essentials branding to use on collateral such as tender bids for one of the many defence contracts available through Cyber Essentials Online.
Download a free Cyber Essentials Scheme Summary
The Cyber Essentials scheme summary will provide you with:
- Some background information about the scheme
- The scope of the assessment
- Assurance framework
- The next steps to becoming certified
After reading the scheme summary, you will have a clearer picture of the importance of the scheme and what is involved in the certification process.
As one of the available Cyber Essentials suppliers, DCI offers the following options:
Key Supplier Information for Cyber Essentials certification
Which of the different accreditation/certification bodies should I choose to gain the Cyber Essentials certification?
Are there scenarios where I may be unable to gain Cyber Essentials certification?
If a supplier is unable to achieve Cyber Essentials in support of an MOD requirement, they may be able to have this requirement waived; this ‘risk acceptance’ process is outlined in DEFSTAN 05-138.