Guidance

Overview: DCPP and cyber security controls

Updated 22 June 2016

Guidance update (2016)

As of 1 January 2016, all suppliers bidding for new MOD requirements which include the transfer of ‘MOD identifiable information’ should achieve a Cyber Essentials Scheme (CES) certificate by the contract start date. However, the DCPP Cyber Security Model (CSM), which will require some suppliers to ensure additional cyber security controls are in place ahead of contract award, is currently due to be implemented in Q2 2016. Further information is below.

Overview

The Defence Cyber Protection Partnership (DCPP) is a joint MOD/Industry initiative that was established in 2013. The DCPP is tasked with improving the protection of the defence supply chain from the cyber threat. Alongside MOD, the DCPP is made up of; 13 defence primes; 2 trade associations ADS (Aerospace, Defence and Security) and techUK representing small and medium sized enterprises (SMEs); the Department for Culture, Media and Sport; the Communications Electronics Security Group (CESG) and the Centre for the Protection of National Infrastructure (CPNI).

DCPP work strands

The DCPP has 3 core work strands: information sharing, measurements and standards, and supply chain awareness. Each has been supported by a working group formed around participants from the member organisations and jointly chaired by MOD and industry representatives.

A primary objective of the measurements and standards work stream has been to set the definition of a number of proportionate cyber security controls to be implemented as part of all MOD contracts. DCPP has published version one of these ‘cyber risk profiles’ which set out controls and measures that apply at various levels of cyber risk.

We invite all defence suppliers to read the 3 core work strands, along with the supporting information below, as the documents provide awareness of MOD’s expectation of cyber requirements and assurance measures. If you do not currently meet all the requirements then early visibility provides the opportunity for SMEs to proactively implement changes to be prepared for when these measures become part of the contracting process.

Cyber risk profiles

The cyber risk profiles form 1 of 3 parts of the DCPP’s Cyber Security Model (CSM). The first element of CSM is a risk assessment process which, through a series of questions relating to the specific contract, sets a level of cyber risk. The risk assessment process will be conducted by whoever is letting the contract; this could be MOD, or a defence supplier sub-contracting elements of the work.

There are 5 possible outcomes from the risk assessment: 4 cyber risk levels of ‘Very Low’, ‘Low’, ‘Moderate’ and ‘High’, and, in a small number of cases, ‘Not Applicable’. The following table outlines the criteria that are likely to lead to a particular contract being assessed as reaching each of these possible outcomes. However, this is only a guide. The ultimate risk level assigned will always be the outcome of the risk assessment process for that particular contract.

Additionally, although the risk profile descriptions reference information at various government security classification levels, they are not implicitly linked, so it is possible, for example, for a project handling only OFFICIAL-SENSITIVE information to fall into the ‘High’ category due to other risk factors.

Cyber risk level (click the level to open the relevant ‘cyber profile requirement’) Criteria
Not Applicable For contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall in to this category
Very Low For contracts where a basic threat is faced (i.e. simple hacking, phishing or spyware) and where any attacker is likely to be opportunistic, unskilled and non-persistent. The sorts of contracts this will apply to are likely to be those covering commodity purchases or standard service provisions e.g. office supplies or the disposal of non-sensitive waste
Low For contracts where the threat may be slightly more targeted (i.e. involving spear phishing, whaling or ransomware and where attackers are semi-skilled but may not be persistent). It is likely to apply to contracts for basic parts or services but not where these could be linked to military capability. This profile is likely to apply primarily to contracts handling information classified as OFFICIAL, but may also occasionally apply to those involving small quantities of OFFICIAL information which have the handling instruction SENSITIVE
Moderate For contracts subject to more advanced threats that are tailored and targeted with the objective of gaining access to specific assets or enacting denial of service. The attacker is likely to be persistent, organised and either be skilled or have access to skills e.g. cyber criminals or hacktivists. This will likely apply to contracts that involve handling greater volumes of, or more sensitive, personal information, and those involving larger quantities of OFFICIAL-SENSITIVE information
High For contracts assessed as being subject to Advanced Persistent Threats (APT), which may be sustained over long periods and not exploited for months, or years after the initial attack. Attackers will be organised, highly sophisticated, well resourced and persistent. This will likely apply to contracts that are essential to support key military capability and those handling information classified at SECRET or above

The cyber risk profiles set out the cyber protection measures required at each level of cyber risk. So if a contract is assessed as carrying a cyber risk of ‘Low’ then you will only need to comply with the measures set out in the ‘Low’ profile. This does not preclude you from doing more, and DCPP would encourage you to do so, but this will not be a contractual requirement.

Requirements are progressive as you move up the risk profiles, so the lower levels are the foundation of the higher levels and each level builds on the ones before. The lowest DCPP requirement (‘Very Low’) is Cyber Essentials (Cyber Essentials Plus for those assessed as ‘Low’ or higher) to align with existing HMG policy, so as a minimum it is recommended that all defence suppliers look to achieve compliance with this scheme.

The last element of the Cyber Security Model (CSM) is a supplier assurance questionnaire that enables a supplier to demonstrate, via (auditable) self assessment, their ability to meet the requirements for the level of risk that their contract attracts.

Your feedback

The Cyber Risk Profiles have been published as a new Defence Standard and we expect the first implementation in contracts to follow in 2016. We will publish further details of the Cyber Security Model in due course but DCPP feel it is important to provide a preview of our work. We trust it will support existing and potential defence suppliers in understanding the MOD’s future cyber requirements.

All elements of the Cyber Security Model (CSM) will be subject to an ongoing process of review and periodic revision so we would encourage and welcome any comments and feedback you may have. You can join the DCPP Linkedin group or e-mail us at issdes-dcpp@mod.uk

This is an overview of the DCPP initiative and information about the proportionate security controls to be implemented and evidence to be submitted as part of all MOD contracts.