What does the MOD security model involve?
Cyber Essentials forms part of the overall Cyber Security Model introduced by the Defence Cyber Protection Partnership (DCPP) within the Ministry of Defence (MOD). The DCPP is responsible for protecting the defence supply chain from cyber threats.
The Cyber Security Model was developed by the DCPP in partnership with industry, and comprises the following elements:
- The Risk Assessment, used to measure the level of cyber risk for a contract.
- The Risk Assessment will assign one of five cyber risk profiles.
- Suppliers bidding for a contract must complete a Supplier Assurance Questionnaire (SAQ) evidencing that they can meet the contract’s assessed level of cyber risk.
How Cyber Essentials supports the MOD’s cyber security model
A contract may be given one of the following five risk profiles: not applicable, very low, low, moderate or high. The profile determines the number of cyber security requirements that prospective suppliers must fulfil.
| Risk profile | Very low | Low | Moderate | High |
|---|---|---|---|---|
| Risk control requirements | 1 very low control | 16 low controls | 16 low controls + 16 moderate controls | 16 low controls + 16 moderate controls + 12 high controls |
| Cyber Essentials scheme requirement | Cyber Essentials | Cyber Essentials Plus | Cyber Essentials Plus | Cyber Essentials Plus |
A minimum requirement: Cyber Essentials certificate
Cyber Essentials certification is a minimum requirement for contracts where MOD Identifiable Information is transferred, stored or accessed electronically.
"For all new requirements advertised from 1st January 2016 which entail the transfer of MOD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MOD contract, MOD will require suppliers to have a Cyber Essentials Certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain..
..CES certification will become the baseline requirement for companies in the UK defence supply chain. Suppliers are strongly encouraged to start working towards achieving it." - Richard Jefferys, Defence Commercial Head of Policy, Process and Procedures (P3)
Secure your organisation with Cyber Essentials
With IT Governance, you can complete the entire certification process for as little as £400.