Guidance

Defence Cyber Protection Partnership

Defence Cyber Protection Partnership (DCPP) is a joint Ministry of Defence (MOD) and industry initiative to improve the protection of the defence supply chain from the cyber threat.

Supplier Cyber Protection Service - Interim process

Current email address: UKStratComDD-CyDR-DCPP@mod.gov.uk.

Status

The Octavian Supplier Cyber Protection Service was switched off in June 2021. We are currently on an interim process until the replacement tool is ready to go live.

Cyber Security Model process

The interim process offers a choice to complete Risk Assessments (RAs) and Supplier Assurance Questionnaires (SAQs) via either MS Forms or PDF.

The MS Forms links are:

  • Industry Risk Assessment

The PDFs, if not provided by the Contracting Delivery team can be requested from the DCPP team at: ukstratcomdd-cydr-dcpp@mod.gov.uk.

The DCPP team are working to a 2-day turnaround time. We do welcome emails if you think a response has not been provided in this time.

Supplier Assurance Questionnaires (SAQs) in the tender process

When completing the SAQ, please include the Risk Assessment Reference (RAR). This should be provided by the MOD Delivery Team or other related competition publication.

For competition bids, unless otherwise stated, you will need to submit to the MOD Delivery team:

  • A copy of your SAQ. MS Forms submissions can be saved via the Print option and sending to PDF, rather than a specified printer; and
  • Our response email.
  • If our response email says, “Not met”, you will also need to submit a Cyber Implementation Plan (CIP) to the Contracting Delivery team. The team are currently reviewing the guidance otherwise found in Annex D of the Buyer Supplier Guide. Some competition processes such as DASA may post alternative CIP instructions. Please do not send CIPs to the DCPP team as these need to be considered against the specific project requirements.
  • If the Cyber Risk Profile is HIGH, DCPP will send out the necessary flow down instructions.

DEFCON 658

Please note, as per this Industry Security Notice:

  • Annual renewals have been paused.
  • Flow downs are also paused unless the Cyber Risk Profile (CRP) is HIGH. If this is the case and your CRP is HIGH, then you should proceed with your flow down submissions.

Future Tool

The new tool is currently undergoing testing. Suppliers/bidders will be informed by the MOD Delivery team at a point where roll out of the tool can start. There is currently no release date.

Additional information

Def Stan 05-138

This is the Defence Standard defining the controls required for each Cyber Risk Profile (level).

DEFCON 658

This is the contractual Defence Condition that references supply chain cyber security.

Defence Industry Warning, Advice and Reporting Point (WARP)

There is a requirement to report security incidents where MOD data might be involved.

Understanding more about the Cyber Security Model

Watch a video explaining the Cyber Security Model

The Cyber Risk Profile is assessed on 6 questions relating to:

Cyber Essentials underpins the MOD Cyber Risk Profiles. Cyber Essentials is a certification scheme identifying the minimum steps an organisation should take to protect themselves against cyber risk.

The Supplier Assurance Questionnaire is a self-assessment for organisations to demonstrate how they meet our requirements. The online tool allows sample questionnaires to be completed to identify gaps. Where there are differences a Cyber Implementation Plan (CIP) should be completed, particularly if an alternative cyber security standard is used.

Further information on CIPs can be found in:

News

Def Stan 05-138 v3 Cyber Security for defence suppliers

Contact us

The DCPP Team can be contacted by email on: ukstratcomdd-cydr-dcpp@mod.gov.uk or via the DCPP LinkedIn Group.

DCPP group on the NCSC’s Cyber Information Sharing Partnership (CISP): register at NCSC’s Cyber Information Sharing Partnership (requires sponsorship).

Recommended links

Useful links

This unclassified presentation was recorded for internal MOD audiences to raise their awareness of the Cyber Security Model, although most of it still applies to industry.

DCPP internal presentation

Other media sources

Published 12 September 2019
Last updated 11 August 2022

1. Added 'Supplier Cyber Protection Service - Interim Process' section.
2. Updated a call to action box.
3. Updated the page with a new interim process for new contracts (first paragraph), and added links to version 3 of "Cyber security for defence suppliers (Def Stan 05-138)".
4. Added new content under page heading: Interim DCPP Cyber Security Model process. Removed old content.
5. Updated main page content.
6. Updated page information.
7. Added 'Recommended links', removed update from November 2019.
8. Updated the COVID-19 message under the 'latest' heading.
9. Added a COVID-19 update under the 'latest' heading.
10. Addition of links: 'Supplier Cyber Protection Service: Pre 12/11/19 Risk Assessment workflow' and 'Supplier Cyber Protection Service: Pre 12/11/19 Supplier Assurance Questionnaire'.
11. Updated 'Supplier Assurance Questionnaire' and useful links section.
12. Updated links.
13. Updated the information in the 'latest' section.
14. First published.