Due to the growth in frequency and sophistication of cyber security attacks, and the increased risk posed to businesses, citizens and government/defence supply chains when such attacks are successful, the UK Government and UK Ministry of Defence (MOD) have introduced contractual cyber security requirements. These requirements are added to UK Government and UK MOD contracts and flow down the supply chain.
Along with other aspects of Security, Compliance and Integrity, GE Aerospace takes Cyber Security extremely seriously and requires its suppliers to do the same. It is vital that the shared role and responsibility in protecting sensitive information, intellectual property and critical systems is recognised across the supply chain as a whole. Where UK Government and UK MOD Cyber Security Requirements are applicable to the provision of products or services, suppliers will be informed of the requirements, which are in addition to and do not replace extant GE Aerospace Cyber Security requirements.
Cyber Essentials
The UK Government-backed Cyber Essentials scheme was launched on 5th June 2014 and defines a set of controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of threat coming from the internet. The Cyber Essentials scheme is overseen by the UK National Cyber Security Centre (NCSC) – the UK’s technical authority for cyber security. The Cyber Essentials scheme is operated by IASME – the NCSC’s Official Cyber Essentials Delivery Partner.
By undergoing annual Cyber Essentials certification through an IASME-approved Certification Body, organisations are able to demonstrate their ability to comply with the requirements of Cyber Essentials. Certification is available at two levels – Level One: Cyber Essentials (Basic) and Level Two: Cyber Essentials Plus. The level of Cyber Essentials certification is defined by contractual requirements and suppliers will be informed of the level of certification required for their scope of supply.
As announced in Procurement Policy Note (PPN) 09/14, Cyber Essentials became a mandatory requirement for certain UK Government contracts from 1st October 2014 and this requirement was extended to include UK MOD contracts from 1st January 2016. PPN 09/23 updated Cyber Essentials requirements in October 2023. PPN 014 further updated Cyber Essentials requirements for UK Government and UK MOD contracts from 24th February 2025.
GE Aerospace encourages suppliers to obtain Cyber Essentials certification as part of efforts to improve their cyber security posture even when this is not a contract requirement / condition of supply.
The UK MOD Cyber Security Model (CSM) was developed by the Defence Cyber Protection Partnership (DCPP) and builds upon the foundation of the UK Government Cyber Essentials Scheme (CES). Depending on the scope of supply, certain suppliers may be required to comply with the requirements of the UK MOD CSM. Where CSM compliance is required, Defence Condition (DEFCON) 658 – Cyber or equivalent contract language will be flowed to the supplier. The level of CSM compliance is defined by Risk Assessment. Suppliers will be informed of the level of CSM required for their scope of supply and will be required to complete a Supplier Assurance Questionnaire (SAQ) prior to being awarded a contract/order and annually thereafter for as long as supply continues.
The DCPP encourages UK suppliers to:
• Join NCSC Connect Inform Share Protect (CISP). CISP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.
• Register for and use NCSC Active Cyber Defence (ACD) services. ACD seeks to reduce the harm from commodity cyber attacks by providing tools and services that protect from a range of attacks. ACD service eligibility depends on organisation type.
Non-UK suppliers are advised to register for equivalent national cyber security services, where available.
UK Government and MOD Security Information
• Government security
• Industry Security Notices (ISN)
• Industry Security Assurance Centre
• MOD Cyber Defence and Risk (CyDR)
Defence Cyber Protection Partnership (DCPP) and Cyber Security Model (CSM)
• Defence Cyber Protection Partnership (DCPP)
• Cyber Security Model (CSM)
• DEFCON 658 - Cyber
Other DEFCONs are available from the Commercial Toolkit > DEFCONs section of Knowledge in Defence (KiD); see Guidance for more information on how to access them.
• DefStan 05-138, Issue 3: Cyber Security for Defence Suppliers
• DefStan 05-138, Issue 4: Cyber Security for Defence Suppliers
Other DefStans are available from Defence Standardisation; see Guidance for more information on how to access them.
UK National Cyber Security Centre (NCSC) Information
• National Cyber Security Centre (NCSC)
• NCSC 10 Steps to Cyber Security
• NCSC Cloud Security Guidance
• Connect Inform Share Protect (CISP) (UK Organisations Only)
• NCSC Active Cyber Defence (ACD) (UK Organisations Only)
Cyber Essentials
• Cyber Essentials Overview
• Cyber Essentials Certification
• Cyber Essentials Certificate Search
• Procurement Policy Note 014: Cyber essentials scheme
• Procurement Policy Note 09/23: Updates to the Cyber Essentials Scheme
• Procurement Policy Note 09/14: Use of Cyber Essentials Scheme certification
Artificial Intelligence
GE Aerospace uses artificial intelligence in a manner consistent and compliant with regulatory and contractual requirements.
Artificial Intelligence (AI) refers to the capability of a digital computer or computer-controlled robot to perform tasks commonly associated with intelligent beings. These tasks include reasoning, learning, problem-solving, perception, and language understanding.
AI is used in various fields, including:
- Finance: AI helps in the generation of financial reports, financial modeling, and risk management.
- Customer Service: AI chatbots provide real-time customer support and enhance user experience.
- Engine Diagnostics: AI can be used to analyze various technical components of engines and parts to assess performance and efficiency.
GE suppliers who desire to use AI will need to assess and determine that any proposed use of AI tools is compliant with regulatory and contract requirements.
Unique Contract Requirements:
Beyond regulatory requirements, there may be instances where a supplier is engaged to support a program that has unique requirements, such as US citizenship access only. In order to do business with GE where contract requirements exist in addition to regulatory requirements, the supplier must demonstrate that it can meet those unique contract requirements.
Additional Global Regulatory Requirements
In addition to the regulatory requirements enumerated in the US and UK, suppliers should be aware that GE must comply with the global sovereignty laws and regulatory requirements of all countries in which it conducts business. Any GE supplier doing business in any jurisdiction will be required to comply with the requirements pertaining to that specific nation.