Defence Cyber Protection Partnership
ADefence Cyber Protection Partnership (DCPP) is a joint Ministry of Defence (MOD) and industry initiative to improve the protection of the defence supply chain from the cyber threat.
Defence Standard 05-138 issue 4 has now been released. Please refer to ISN 2024/02 which identifies that Issue 4 is for information only.
Defence Standard 05-138 issue 3 remains in use.
Supplier Cyber Protection PartnershipService (DCPP)- Interim process
Current Status
The Octavian Supplier Cyber Protection Service was switched off in June 2021. We are currently on an interim process until the replacement tool is ready to go live.
Cyber Security Model process
The interim process offers a jointchoice Ministryto ofcomplete DefenceRisk (MOD)Assessments (RAs) and industrySupplier initiativeAssurance toQuestionnaires improve(SAQs) thevia protectioneither ofMS Forms or PDF.
The MS Forms links are:
The PDFs, if not provided by the defenceContracting supplyDelivery chainteam can be requested from the cyberDCPP threat.team at: ukstratcomdd-cydr-dcpp@mod.gov.uk.
The DCPP reportsteam intoare working to a 2-day turnaround time. We do welcome emails if you think a response has not been provided in this time.
Supplier Assurance Questionnaires (SAQs) in the Defencetender Suppliers’process
When Forum.completing the SAQ, please include the Risk Assessment Reference (RAR). This should be provided by the MOD Delivery Team or other related competition publication.
TheFor membershipcompetition ofbids, unless otherwise stated, you will need to submit to the DCPPMOD includes:Delivery team:
- UK
AMinistrycopyof Defenceyour(MOD)SAQ.MSFormssubmissionscanbesavedviathePrintoptionandsendingtoPDF,ratherthanaspecifiedprinter;and - National
Ourresponseemail. Ifourresponseemailsays,“Notmet”,youwillalsoneedtosubmitaImplementationCentrePlan(NCSC)(CIP)totheContractingDeliveryteam.GuidanceforthiscanbefoundontheCyberImplementationPlan(CIP)page.SomecompetitionprocessessuchasDASAmaypostalternativeCIPinstructions.PleasedonotsendCIPstotheDCPPteamastheseneedtobeconsideredagainstthespecificprojectrequirements.- Department
IffortheScience,CyberInnovationRiskandProfileTechnologyisHIGH,DCPPwillsendoutthenecessaryflowdowninstructions.
Supplier Assurance Questionnaires (SAQs) in the interim process: upcoming change
The SAQ used in the interim process is due to change in 2023.
You can preview the draft SAQ in advance of this change:
Please contact ukstratcomdd-cydr-dcpp@mod.gov.uk if you have any queries about the draft SAQ.
DEFCON 658
Please note, as per this Industry Security Notice
Annualrenewalshavebeenpaused.- ADS
Flow(adownsUKaretradealsoassociationpausedrepresentingunlesssmalltheCyberRiskProfile(CRP)isHIGH.IfthisisthecaseyourenterprisesCRPinisHIGH,thenyoushouldproceedwithyourflowdownsubmissions.
Future Tool
The new tool is currently undergoing testing. Suppliers/bidders will be informed by the aerospace,MOD defence,Delivery security,team andat spacea sectors)point where roll out of the tool can start. There is currently no release date.
Additional information
PreviewtheRiskAssessment- Specified
PreviewDefencetheprimeSuppliersuppliersAssuranceQuestionnaire Formoreinformation:Contactus
Def Stan 05-138
This is the Defence Standard defining the controls required for each Cyber Risk Profile (level).
DEFCON 658
This is the contractual Defence Condition that references supply chain cyber security.
Defence Industry Warning, Advice and Reporting Point (WARP)
There is a requirement to report security incidents where MOD data might be involved
FurtherUnderstanding informationmore about the Cyber Security Model
Watch a video explaining the Cyber Security Model
The Cyber Risk Profile is assessed on 6 questions relating to:
electronicexchangeorcreationofMODIdentifiableInformationclassificationpersonaldataconnectivitytoMODnetworks
Cyber Essentials underpins the MOD Cyber Risk Profiles. Cyber Essentials is a certification scheme identifying the minimum steps an organisation should take to protect themselves against cyber risk.
The Supplier Assurance Questionnaire is a self-assessment for organisations to demonstrate how they meet our requirements. The online tool allows sample questionnaires to be completed to identify gaps. Where there are differences a Cyber SecurityImplementation ModelPlan (CIP) should be completed, particularly if an alternative cyber security standard is used.
Further information on CIPs can be found in:
AnnexDoftheBuyerSupplierGuide- Secure
GuidancebyforDesign portalAdoptingOtherStandards CE+Illustrativetestspecification
QueriesNews
Email:Def Stan 05-138 v3 Cyber Security for defence suppliers
Contact us
The DCPP Team can be contacted by email on: ukstratcomdd-cydr-dcpp@mod.gov.uk or DCPP LinkedIn Group.
ResponsesDCPP willgroup normallyon bethe providedNCSC’s withinCyber twoInformation workingSharing days.Partnership (CISP), register at NCSC’s Cyber Information Sharing Partnership (requires sponsorship).
Recommended links
UpdatesUseful links
Supplier Cyber Protection Service: risk assessment workflow
Cyber Security Model: cyber risk profiles’ requirements
DCPP: Cyber Security Model industry buyer and supplier guide
Defence Cyber Protection Partnership: board level presentation slides
Defence Cyber Protection Partnership: your questions answered
Supplier Cyber Protection Service: risk assessment workflow
Cyber Security Model: cyber risk profiles’ requirements
DCPP: Cyber Security Model industry buyer and supplier guide
Defence Cyber Protection Partnership: board level presentation slides
Defence Cyber Protection Partnership: your questions answered
This unclassified presentation was recorded for internal MOD audiences to raise their awareness of the Cyber Security Model although most of it still applies to industry.
Other media sources
DCPPgroupontheNCSC’sCyberInformationSharingPartnership(CISP),registeratNCSC’sCyberInformationSharingPartnership
Last updated 9
-
Webpage updated with most recent information.
-
Added 'Defence Standard 05-138 issue 4' message.
-
Added 'Christmas closure' message.
-
New section added: 'Supplier Assurance Questionnaire in the interim process: upcoming change'.
-
Added a link to the 'Cyber Implementation Plan (CIP)' page.
-
Added information about Christmas processing dates.
-
Added 'Supplier Cyber Protection Service - Interim Process' section.
-
Updated a call to action box.
-
Updated the page with a new interim process for new contracts (first paragraph), and added links to version 3 of "Cyber security for defence suppliers (Def Stan 05-138)".
-
Added new content under page heading: Interim DCPP Cyber Security Model process. Removed old content.
-
Updated main page content.
-
Updated page information.
-
Added 'Recommended links', removed update from November 2019.
-
Updated the COVID-19 message under the 'latest' heading. .
-
Added a COVID-19 update under the 'latest' heading.
-
Addition of links: 'Supplier Cyber Protection Service: Pre 12/11/19 Risk Assessment workflow' and 'Supplier Cyber Protection Service: Pre 12/11/19 Supplier Assurance Questionnaire'.
-
Updated 'Supplier Assurance Questionnaire' and useful links section.
-
Updated links.
-
Updated the information in the 'latest' section.
-
First published.
Update history
2025-01-02 10:44
Added ‘Letter to Defence Industry CEOs/Defence Leads about driving cyber resilience in the supply chain’.
2024-09-09 10:26
Webpage updated with most recent information.
2024-05-23 16:20
Added ‘Defence Standard 05-138 issue 4’ message.
2023-11-23 10:12
Added ‘Christmas closure’ message.
2023-02-28 14:23
New section added: ‘Supplier Assurance Questionnaire in the interim process: upcoming change’.
2022-12-23 13:43
Added a link to the ‘Cyber Implementation Plan (CIP)’ page.
2022-12-13 09:33
Added information about Christmas processing dates.
2022-08-11 11:18
Added ‘Supplier Cyber Protection Service – Interim Process’ section.
2022-03-31 17:22
Updated a call to action box.