UK Government & UK MOD Cyber Security Requirements
The UK Government and UK Ministry of Defence (MOD) launched the Cyber Essentials scheme in 2014 to reduce the levels of cyber security risk in supply chains.
This is due to the growth in frequency and sophistication of cyber security attacks and the increased risk posed to businesses, citizens, and the government supply chain when such attacks are successful.
The goal is to provide organizations of all sizes with basic protection from the most prevalent forms of online threats.
Since being introduced in 2014, these requirements have been added to new government contracts and include supply chain flow down obligations.
Along with other aspects of security, compliance, and integrity, GE Aerospace takes cyber security extremely seriously and requires its suppliers to do the same.
It is vital that the shared role and responsibility in protecting sensitive information, intellectual property, and critical systems is recognised across the supply chain.
Where UK Government & UK MOD Cyber Security Requirements are applicable to the provision of products or services, suppliers will be informed of the requirements, which are in addition to and do not replace GE Cyber Security requirements.
UK MOD Cyber Security Model (CSM) and Defence Cyber Protection Partnership (DCPP)
The UK MOD Cyber Security Model (CSM) was developed by the Defence Cyber Protection Partnership (DCPP) and builds upon the foundation of the UK Government Cyber Essentials Scheme (CES).
Starting Jan. 1, 2016, CES became a mandatory requirement for new MOD contracts involving MOD Identifiable Information.
This was announced in an MOD Letter and Industry Security Notice (ISN) 2016/01.
Identifiable Information is defined in Industry Security Notice (ISN) 2016/05.
In due course under the CSM, MOD contracts involving higher levels of cyber risk may require the application of supplementary controls, as set out in Defence Standard 05-138 and in accordance with Defence Conditions (DEFCON) 658 or equivalent contract clauses.
The DCPP encourages suppliers to join and use the national Cyber Security Information Sharing Partnership (CiSP).
CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential, and dynamic environment, increasing situational awareness and reducing the impact on UK business.
MOD Implementation of Cyber Essentials Scheme (CES), Defence Cyber Protection Partnership (DCPP) and Cyber Security Model (CSM)
- MOD CES Letter
- FAQs about MOD DCPP CES & CSM
- ISN 2016/01 'MOD Implementation of Cyber Essentials Scheme'
- ISN 2016/05 'Definition of MOD Identifiable Information'
- Defence Cyber Protection Partnership (DCPP) and Cyber Security Model (CSM)
- DEFSTAN 05-138 is available from the UK Defence Standardization Extranet
- See UK Defence Standardization for more information on how to access
Defence Conditions (DEFCONs)
- DEFCONs are available from the Commercial Toolkit DEFCONs section of the MOD Acquisition System Guidance (ASG) Extranet
- See Acquisition System Guidance for more information on how to access
Cyber Security Information Sharing Partnership (CiSP)
- For more CiSP information, see National Cyber Security Centre (NCSC) > CiSP
UK Government Cyber Essentials Scheme (CES)
The UK Government’s Cyber Essentials Scheme (CES) was launched on June 5, 2014, and defines a set of controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of threat coming from the Internet.
As announced in Procurement Policy Note 09/14, CES became a mandatory requirement for certain Central Civil Government contracts from Oct. 1, 2014.
Even if a supplier is not contractually required to obtain CES certification, it may still choose to obtain CES certification as part of efforts to improve its cyber security posture.