Supply chain security is one of the MOD’s top priorities, as it should be for all its industry partners.
Although cyber is probably the most prominent in people’s minds and often understandably grabs the headlines, security is about the physical, personnel, procedural and technical controls needed to minimise security risks. It is not simply a tick-box exercise!
Cyber espionage presents an omnipresent threat to the defence sector and to national security at large: it enables intelligence gathering, theft of intellectual property and virtual and physical sabotage, and could even lead to loss of life. Cyber criminals seek to extract money through technology-enabled fraud, or by holding companies to ransom by denying them access to their business-critical information, leading to financial loss and reputational damage.
Employees and anyone else with authorised access to premises, technology and information can accidentally or deliberately cause security incidents. These can lead to embarrassing data breaches and significant downtime of your business operations, and can result in legal penalties under, for example, the Official Secrets Act, the Computer Misuse Act or data privacy legislation.
The last 5 years alone have seen many global defence suppliers suffer a breach at the hands of state-backed threat actors, with sensitive data exposed through the compromise of vulnerable technology systems. It really does continue to be a case of when, not if, security incidents occur.
The MOD publishes lots of great information and offers help and guidance to suppliers, communicating applicable security expectations and requirements. This is usually done via bid and contract processes, but it can (and often does) get lost in the noise, or its importance is under-played in the desire to win and deliver work.
Unfortunately, security expectations can be omitted from those processes too, leaving suppliers exposed to the prospect of unbudgeted cost and unexpected requirements. More regularly, suppliers simply want to do the right thing but struggle to understand and implement the MOD’s security expectations logically, pragmatically and in a cost-effective way.
If you are new to the defence sector, it is a real challenge knowing where to start. Even if you’ve been in the sector for a while, more robust security expectations can still catch you by surprise, especially if you suddenly need to handle information and assets at higher classifications.
Taking a 4-step approach to understanding and meeting the MOD’s security expectations will help you work out what you need to do. Exactly what that is depends on the classification and sensitivity of the information and assets you need to store, handle and process. Above all, remember the fundamental MOD expectation of a risk-based approach to security. For easy reference:
Carry out formal physical and technical security risk assessments in line with the sensitivity and classification of the information and assets you are required to handle, store, process or produce. This will help you to identify and implement proportionate security controls (including but not limited to those expected by the MOD contractually) and demonstrate you have minimised security risk when audited by the MOD.
Review, maintain and update your security risk assessments regularly. If you’ve already done this – consider conducting gap analysis exercises against your controls and those expected by the MOD, mapping to them as needed.
All defence suppliers will store, handle and process sensitive MOD Identifiable Information (MII) by default and as defined by the MOD’s Defence Cyber Protection Partnership’s (DCPP) Cyber Security Model (CSM). The DCPP CSM security expectations are not just contractual obligations for defence primes. The MOD contracts primes to flow down and contractually oblige all their sub-contractors using the DCPP CSM scheme.
Defence suppliers must be security risk assessed by their contracting bodies using the MOD’s Octavian online portal when available (note: manual processes have been in place for this recently). Depending on the calculated risk profile level, which will be Very Low, Low, Moderate or High, various security controls are required. The number and complexity of the required security controls increases in line with the assessed risk profile level.
Among those controls, you will be expected to achieve at least Cyber Essentials Basic or more likely Cyber Essentials Plus. The MOD also conducts audits to ensure that defence suppliers meet the DCPP CSM security control requirements. Anyone with access to MII requires security vetting in line with the Baseline Personnel Security Standard (BPSS) as a minimum.
Many defence suppliers will need to store, handle and process OFFICIAL-SENSITIVE (O-S) information and assets. The MOD should contractually oblige suppliers to meet the Defence Conditions (DEFCONs) and Defence Standards (Def Stans) applicable to handling O-S, but these can be inadvertently omitted, or added unexpectedly, during the bid or contract periods.
The physical, personnel, procedural and technical security controls for O-S require additional attention, and any systems or assets that store, handle and process O-S often need formal MOD Accreditation. The Accreditation process requires additional security controls to those needed under the DCPP CSM processes and requires access to, and completion of, an assessment using the MOD’s Defence Assurance Risk Tool (DART).
It is important to remember that the requirement for Accreditation is not just for the systems used to store, handle and process O-S information; it also applies to the information, assets, capabilities and equipment you deliver to the MOD!
The MOD has closely aligned itself with the United States’ National Institute of Standards and Technology Cyber Security Framework (NIST CSF) and has also recently published a set of Secure by Design Principles that are intended to replace Accreditation processes in the future.
Anyone with access to O-S information or assets requires security vetting in line with the Baseline Personnel Security Standard (BPSS) as a minimum, but Security Check (SC) level is often expected also, particularly for those with system administration privileges.
Organisations required to store, handle, process or produce information or assets classified at SECRET (or above) must gain a Facility Security Clearance (FSC – previously known as List X) which the MOD will initially approve and periodically audit over time. The FSC is typically focused on the physical and personnel security control requirements, including things like CCTV, Automated Access Control Systems (AACS) and approved alarm systems.
Your company’s Board must be at least 50% UK Nationals, and you will need a nominated Security Controller and, if appropriate, an IT Security Officer (ITSO). A Board-level UK National must be responsible for all security matters relating to SECRET (or above) information or assets.
The technical security controls for any systems or assets that store, handle and process SECRET (and above) require formal MOD Accreditation, which requires access to, and completion of, an assessment using a dedicated version of the MOD’s Defence Assurance Risk Tool (DART). The Accreditation process requires an increased level of physical, personnel, procedural and technical controls beyond those needed under the DCPP CSM and O-S processes. As with O-S information and assets, it is important to remember that the requirement for Accreditation is not just for the systems used to store, handle and process SECRET (and above) information; it also applies to the information, assets, capabilities and equipment you deliver to the MOD!
Anyone requiring access to SECRET information/assets/facilities must be SC cleared as a minimum. BPSS currently allows occasional access to SECRET information, but this may change in the future and needs to be a consideration as part of any formal security risk assessments. Further vetting (known as Developed Vetting (DV)) is required for access to any above SECRET information/assets/facilities and can sometimes be expected for SECRET depending on the role and privileged access you might have.
Whether you are bidding for defence contracts or already under contract, CDS DS can provide pragmatic, proportionate and cost-effective help. We have certified security experts with years of MOD experience who can provide cyber security consultancy or virtual security manager support to help you understand and meet the relevant MOD security requirements, expectations and standards as described in this article.
We can also certify your organisation in Cyber Essentials or Cyber Essentials Plus and help you to understand and make the improvements you need to gain certification.