Securing the Future of Land Equipment: The Critical Role of Supply Chain Security and Secure by Design

In the dynamic and rapidly evolving landscape of land equipment for defence, the imperative for robust supply chain security has never been more critical. Supply chain security is critical, especially during crises when timely and reliable delivery is vital. The long lifecycle of most military equipment further complicates this, requiring secure, sustained logistical support, upgrades, and modernisation over many years.

The Ministry of Defence (MOD) has recognised this priority, expecting industry partners to embrace comprehensive security measures that span physical, personnel, procedural, and technical domains. As cyber threats continue to escalate, defence suppliers are now expected to adopt a proactive, risk-based approach to security, ensuring the integrity and resilience of their operations and products. This is where CDS Defence & Security (CDS DS) steps in as a pivotal ally, offering expertise and guidance to simplify, understand and implement these complex security requirements effectively.

The Relevance of Supply Chain Security 

Supply chain security is paramount in the defence sector, where the stakes are exceptionally high. Cyber espionage poses a significant threat, enabling adversaries to gather intelligence, steal intellectual property, and potentially sabotage operations, both virtually and physically. The consequences of such breaches are severe, leading to financial loss, reputational damage, and even threats to national security and human lives. The MOD and its suppliers must be vigilant in mitigating these risks, which are not confined to cyber threats alone. Employees with authorised access to sensitive information and technology can inadvertently or deliberately cause security incidents, leading to data breaches and operational disruptions.

Over the last five years, numerous breaches have been witnessed among global defence suppliers, often perpetrated by state-backed cyber threats. The MOD provides extensive guidance and support to suppliers, outlining security expectations and requirements through bid and contract processes. However, these expectations can sometimes be overlooked or under emphasised in the rush to secure and deliver contracts. Suppliers, particularly those new to the defence sector, may need help understanding and implementing these requirements pragmatically and cost-effectively.

Embracing Secure by Design (SbD)

As technology advances, securing critical assets becomes increasingly complex. The MOD has introduced the Secure by Design (SbD) framework to address these challenges, embedding security into every aspect of system design and development. Launched on July 28, 2023, SbD represents a proactive approach to cybersecurity, moving beyond traditional reactive measures, and embedding security measures into the development lifecycle of systems. By integrating security from the outset, SbD ensures that MOD and its partners are equipped to defend against emerging cyber threats effectively.

The benefits of SbD include:

• Assurance is integrated into the process for proactive threat response.
• Broader stakeholder involvement improves vulnerability identification.
• Longer service life for capabilities will reduce the need for new projects.
• Enhanced trust and confidence in capabilities against modern threats.

Our expert team of cyber security experts at CDS DS has worked hard to understand the MOD’s expectations of the recently introduced SbD framework. In doing so, we have developed a six-step approach to understanding and implementing its expectations. We have proved the approach already with several MOD sector industry organisations with great success. We can offer a quick maturity assessment against your existing SbD arrangements and/or help you to implement everything from scratch.

Our 6-step process is built on principles that emphasise resilience, security risk reduction and robust safeguards:

Our 6-Step Process to SbD 

1. 1. Confirm
2. Does the product/service/programme need to adopt SbD? Our Internal Matrix can be used to assess whether SbD even needs to be adopted with evidence being provided for the recommended decision.
3. 2. Understand 
4. This step will allow the enterprise to identify, understand and prepare for governance to be aligned whilst ensuring that the capability being built is well placed to address security risk from inception. Our Security-Cleared Cyber Security Consultants will guide the development of up to 9 artefacts derived from the NIST SP800-37 Risk Management Framework.
5. 3. Engage
6. The important phase whereby the liaison and registration with the SbD authorities occurs. Early engagement and relationship building assures the development of the capability early. The official registering of the capability is the first official step in being designated SbD.
7. 4. Develop Culture
8. A clear and well-defined understanding of specific roles and responsibilities will enforce accountability and minimise duplication of effort. We will help you ensure that a positive security environment is created and maintained, where all individuals can confidently voice security concerns, which can subsequently be handled and mitigated appropriately.
9. 5. Assess & Control
10. CDS D&S can complete a thorough assessment of the project/programme or system risks, which will allow appropriate controls to be introduced. Guided by the 7 Principles of SbD, we will help you ensure that the
    appropriate controls are applied to help satisfy the security requirements of the capability.
11. 6. Futureproof
12. CDS D&S can help you achieve ongoing alignment to SbD by supporting your move towards continuous risk management and assurance processes. We will help you integrate frequent interactions with stakeholders into your business as usual processes to help ensure that all parties are aware of the current threats, vulnerabilities, and risks associated with the capability. Other aspects of futureproofing that we can support you with are the ongoing management of your supply chain, changes in SbD requirements and design principles, and helping you understand how current threats impact your capability.

13. This methodology aligns with the National Institute for Standards in Technology Cyber Security Framework (NIST CSF). Since March 31, 2024, all programs, projects, and systems transitioned to SbD upon the expiration of their current legacy accreditation. SbD is now in effect.

14. Handling Classified Information

    All defence suppliers must store, handle, and process at least OFFICIAL tier classified information and will be risk assessed using the MOD’s Defence Cyber Protection Partnership’s (DCPP) Cyber Security Model (CSM). These security expectations apply to both prime contractors and their subcontractors. Suppliers are assessed through the MOD's Octavian portal (or manually) to determine their risk profile—Very Low, Low, Moderate, or High—which dictates the necessary security controls.

    Suppliers must achieve at least Cyber Essentials Basic, with Cyber Essentials Plus often required. The MOD conducts audits to ensure compliance with DCPP CSM requirements. Additionally, personnel accessing MII must be vetted to at least the Baseline Personnel Security Standard (BPSS).

    Security expectations for systems handling SECRET information still need to meet SbD principles and CSM expectations. This demands more stringent security arrangements than those for lower classifications. Personnel accessing SECRET information must be SC cleared at minimum, with BPSS allowing occasional access. Developed Vetting (DV) is required for higher classifications and sometimes for SECRET roles with privileged access.

    A Facility Security Clearance (FSC), approved and periodically audited by the MOD, must be attained and maintained. This clearance focuses on physical and personnel security, requiring measures like CCTV, Automated Access Control Systems (AACS), and approved alarm systems. Additionally, at least 50% of the company's Board must be UK Nationals, and there must be a nominated Security Controller and, if applicable, an Cyber Security Officer (CSO). A Board-level UK National must oversee all security matters related to SECRET information.

How CDS DS Can Help

CDS DS offers invaluable support to defence suppliers navigating MOD security requirements and the transition to SbD. With certified security experts and years of MOD experience, CDS DS provides cyber security consultancy and virtual security manager support, helping suppliers achieve Cyber Essentials certification and meet the stringent security standards outlined by the MOD. By partnering with CDS DS, suppliers can ensure they remain trusted providers of resilient and secure land equipment capable of withstanding the cyber threats of today and the future.

CDS D&S offers comprehensive support throughout the SbD process:

• Security risk assessment and management
• Security control definition
• Supply chain engagement
• Continuous improvement
• Security training, awareness and culture

By leveraging CDS D&S' expertise, organisations can effectively implement SbD, strengthen their cyber defences, and build lasting resilience.

CDS D&S also supports ongoing SbD alignment by:

• Promoting continuous risk management and assurance processes.
• Facilitating regular stakeholder engagement to address emerging threats.
• Managing supply chain security and adapting to changing SbD requirements.
• Providing a wide breadth Cyber Security & Information Assurance (CS & IA) services.

In conclusion, the defence sector's focus on supply chain security and the adoption of Secure by Design are critical steps towards safeguarding national security CDS DS stands ready to assist suppliers in this journey, providing the expertise and guidance needed to meet the MOD's rigorous security expectations and deliver resilient, secure products to the defence community.

Would you like to know more about a specific aspect of Secure by Design or CDS D&S' services?

Our experts will be available at DVD 2024 to share insights into our comprehensive services and discuss cyber in defence, supply chain security and SbD. 

Book an appointment to visit us at stand C3-608 today.