Defence research security
Published 1 December 2025
1. Introduction
The UK Ministry of Defence (MOD) invests a significant portion of the defence budget in the development and maintenance of cutting-edge capabilities to support our armed forces.
The Defence Science and Technology (DST) group works under the direction of MOD’s Chief Scientific Adviser (CSA) to maximise the impact of science and technology for UK defence and security. DST commissions MOD’s core research programme, delivered by the Defence Science and Technology Laboratory (Dstl) in collaboration with industry and academia.
MOD, DST and Dstl actively engage academic institutions on a regular basis to participate in or deliver research and development (R&D) activities that enhance UK defence capabilities, provide our Armed Forces with a strategic advantage, protect our way of life at home and abroad, and drive broader economic benefits.
MOD, industry and academia all face threats from groups trying to steal UK information and material to advance their own military, technology, politics or economy, or weaken our advantage.
This guidance explains MOD’s necessary security controls for R&D purposes and how to apply them for tackling threats and reducing risks.
2. National security threats, risks and mitigations
Science and technology are important domains of strategic competition. Technological advancements are driving competition between entities and states, and frontrunners are becoming apparent that will wish to achieve technological predominance, gain first-adopter advantage and secure access to critical minerals and sources of energy.
The challenges are outlined in the National Security Strategy 2025 (NSS 2025) and the Strategic Defence Review 2025 (SDR). However, defence contracting authorities such as Dstl will work with academic organisations to understand, identify and mitigate some of the research security risks that can come up during defence R&D, as many relate directly to the challenges described in the NSS 2025.
MOD’s engagement may also give rise to security-related issues and risks. These can be risks manifesting through international collaborations, through overseas or other hostile actors attempting to illegitimately acquire academic research (through espionage perhaps), taking over UK organisations or companies, or even from staff who disagree or have concerns with the relationship between MOD and academic institutions for many valid reasons. These reasons can lead to demonstrations, attempted sabotage or attempts to influence staff, affecting the research relationship or outputs, or benefiting our adversaries’ aims.
This is why when the MOD works with individual researchers, universities and other businesses, it will use and require effective cybersecurity and research security practices to protect the UK’s science, technology and research base, and the value it delivers.
Academic organisations wanting to improve their risk response may want to consider additional guidance provided by the National Protective Security Authority (NPSA) and the National Cyber Security Centre (NCSC).
Both NPSA and NCSC provide additional, excellent guidance material for embedding security behaviours, building in protective security controls and applying cyber security.
You should access the NPSA and NCSC websites on a regular basis to stay up to date with updates and additional supporting information.
If you’re contracted to do defence research, think carefully about any international work you or your lab or faculty group are involved in. And consider whether this could create security risks for you or the defence-funded research you’re doing.
The Research Collaboration Advice Team (RCAT) provides specific advice on national security risks related to international collaboration. The MOD recommends contacting RCAT regularly to understand these risks.
3. Research integrity and research security
MOD and Dstl fully support research integrity and are signed up to the Concordat to Support Research Integrity.
To improve and maintain best practice, MOD has also issued a Joint Service Publication (JSP): JSP 732 Research Integrity which explains the basics for research security (in addition to the 5 core principles of research integrity).
The NPSA/NCSC Trusted Research campaign provides guidance for keeping research safe and has recently published a Trusted Research Evaluation Framework to support academic institutions in maturing their research security practices. The NPSA’s Implementation Videos provide guidance for mitigating some of the threats.
4. Legislation
The MOD will also use legislation to reduce risks and protect any advantage gained through its business partnerships.
Legislation such as the National Security and Investment Act 2021 allows the government to scrutinise and potentially block certain acquisitions and investments in sensitive sectors that could impact national security. This includes businesses and the private sector, and academic institutions. Qualifying assets for academic institutions include (but are not limited to):
- designs
- software
- source code
- intellectual property
There is specific guidance for higher education and research-intensive sectors and a dedicated team available to help ensure researchers’ work is protected.
The Official Secrets Act 1989 made it an offence for Crown servants (MOD) to disclose specific categories of information, but it also applies to all defence suppliers and the supply chain working for MOD, including academia.
The National Security Act 2023 aims to protect the UK from hostile acts by foreign powers such as espionage and interference and applies to all British nationals and other individuals residing in the UK.
The Procurement Act 2023 has introduced additional powers for the UK to respond to economic threats and address national security threats within the supply chains.
These Parliamentary Acts, together with the Government Functional Standard for Security GovS007: Security and JSP 732 Research Integrity, support the security measures MOD and Dstl apply to protect their freedom to operate and operational advantage.
5. General defence security requirements
When working with academic institutions, the MOD needs to be sure that the security of its people, information, data and assets (known as Defence Related Classified Material (DRCM)) is appropriately protected. This means institutions must understand current security threats and manage risks properly, which will enable good governance and make sure the right security measures are in place to:
- ensure the ‘confidentiality, integrity and availability’ of DRCM is maintained
- manage the ‘need to know’, ‘need to share’, ‘need to hold’ (and ‘need to secure’) aspects of the classified information provided or generated under the contract
- ensure research can be as open as possible but as secure as necessary
The necessary security controls will fit into specific categories which are explained in the government functional standard for security (GovS007 Security): personnel, physical, cyber, technical and industry security.
The specific security measures for each contract or task will depend on the type of research being carried out, the security classification attributed to the research, the technical readiness level, the importance to defence and security as well as taking into account any national security requirements that may apply.
Our general defence security requirements page provides information about the typical standard security controls we and the MOD apply to research activities.
6. Contracts and collaborations
Every partnership works like a contract. When working with academic institutions, Dstl and MOD want to establish boundaries and set obligations from the start. This ensures both sides are clear on what is expected to keep research secure and technology protected.
These obligations will usually be explained at an Invitation to Tender (ITT) and at Contract Award. If a formal contract isn’t needed, other agreements may apply, such as Service Level Agreements (SLAs) - the MOD has an agreement with UKRI for instance, that also applies to the associated research councils - or other types of tasking agreements and collaborative arrangements.
The necessary security measures must be clearly stated, and acknowledged, accepted and applied by the academic institution accepting the contract or tasking, before the researchers start work on the contract.
Even exploratory discussions and working group arrangements must be bounded in security. The MOD wants to be assured that any funding it contributes to grants, or time spent supporting collaborations for instance, is utilised effectively, will not damage its reputation and will not support its adversaries.
7. Classified information
The MOD and Dstl call classified information ‘Defence Related Classified Material’ (DRCM). This includes any information, equipment or technology that’s been marked as secret by the MOD. The term ‘MOD Identifiable Information’ (MODII) is used specifically for documents and data.
The Government Security Classifications policy explains how the government decides which of the 3 security levels to use for its information, data and assets. It sets out what threats each level protects against and what security measures are needed.
- OFFICIAL: includes OFFICIAL-SENSITIVE (OS) - OS indicates additional controls may be necessary to protect ‘need to know’ (see ‘Guidance 1.1 working at OFFICIAL’ for the baseline controls and behaviours)
- SECRET (‘Guidance 1.2 working at SECRET’)
- TOP SECRET (‘Guidance 1.3 working at TOP SECRET’)
Most academic research will be marked as OFFICIAL-SENSITIVE, and will come with a Security Aspects Letter (SAL) setting out what security measures to apply. The security controls apply to the information, data and assets whilst with administrators as well as researchers.
DRCM is not to be shared with or accessed by anyone who has not been security screened or security cleared. Even if the research does not involve DRCM, you must get permission from the contracting authority to involve other personnel.
8. Security aspects
Dstl and MOD will explain the basic security measures for working with OFFICIAL classified information in your contract.
The SAL is a legal document. If a UK defence supplier breaks its rules, they can be prosecuted under the Official Secrets Act. If you receive a SAL and the security requirements aren’t clear, talk to your contracting authority. Everyone on the research team who accesses or works with classified material must follow the rules in the SAL.
9. Defence Conditions
Defence Conditions (DefCons) will be included in your contract, usually as a narrative clause, or attached to the SAL.
DefCon 531 Disclosure of Information, DefCon 658 Cyber and DefCon 660 OFFICIAL-SENSITIVE Security Requirements must be included in all MOD and Dstl placed contracts, along with a copy of the OFFICIAL and OFFICIAL-SENSITIVE Contractual Security Conditions document (this is explained within ISN 2025/05).
10. Personnel security
If you work on a contract or project, or support research activity (for example, supply chain IT support services), and you have access to DRCM information, you must have the right security checks. The level of security checking depends on what information you will have access to, in accordance with UK Security Vetting (UKSV) requirements.
Researchers and supervisory staff - for instance, the Principal Investigator (PI) - who do not hold a security clearance might have to take part in Baseline Personnel Security Standard (BPSS) through the MOD contracting authority. For Dstl contracts, they might have to complete a ‘Research Worker Personal Particulars’ (RWPP) form instead.
Some BPSS and RWPP applications are declined after going through a thorough assessment process. The contracting authority Personnel Security team makes these decisions based on security rules and their expertise. We can’t tell you the specific reasons why an application is declined due to the sensitive nature of the criteria. All decisions are carefully considered to meet national security requirements and organisational standards.
| Security classification | National security vetting level | Comments |
|---|---|---|
| OFFICIAL and, or OFFICIAL-SENSITIVE | Baseline personnel security standard (BPSS) | BPSS isn’t a formal security clearance, but it’s the standard background check for people who work with government information - it’s the first step in the security checking process and the minimum security screening for staff accessing DRCM |
| OFFICIAL and, or OFFICIAL-SENSITIVE | Dstl Research Workers Personal Particulars (RWPP) form | RWPP is not a formal security clearance but it is the minimum requirement for Dstl contracts - based on the BPSS but includes additional security checks that help us understand the additional complexities of academic study |
This level of screening does not provide access to Dstl controlled SECRET and above assets.
| Security classification | National security vetting level | Comments |
|---|---|---|
| SECRET and ABOVE | Security clearance: Security Check (SC) and Developed Vetting (DV) | SC provides access to Dstl controlled SECRET assets and DV provides access to Dstl controlled TOP SECRET assets - other areas of MOD may allow occasional access to SECRET for individuals screened through BPSS and TOP SECRET to holders of SC. Accreditation Check (AC) and Counter Terrorist Check (CTC) are not suitable for access to DRCM. |
Administrators and procurement specialists should go through BPSS or the equivalent BS 7858: 2019 (or as refreshed) at recruitment so they can access the DRCM to support the research activity when needed.
Dstl will provide a security clearance certification form if you already hold SC or DV and Dstl or MOD as the contracting authority will sponsor security clearances if needed. You might also need to submit a BPSS form if Dstl is sponsoring you as references and proof of UK residency are required and the RWPP doesn’t ask for these.
You must meet all necessary requirements before the contracting authority can sponsor you for security screening or security clearance - security clearance can be refused or it can be granted with certain restrictions which stop you from carrying out the task the clearance is required for.
Dstl is a Reserved Post organisation. This means researchers working at a Dstl core site must be UK nationals, and have the right level of security clearance for their work, without any conditions or restrictions. Dstl can withdraw any conditional offer if requirements are not met.
There are specific responsibilities for anyone who holds national security clearance and many are described within the UKSV existing clearance holders guidance.
Advertising Dstl or MOD funding or contract participation can generate interest from hostile actors or criminals. The NPSA runs a number of campaigns to help you and your research remain secure.
You must ensure only those screened or security cleared and approved can work on or support the contract.
11. Physical security
All DRCM including documents, media and other assets will be physically secured to prevent unauthorised access. The NPSA and the Police Secured by Design schemes provide excellent resources to protect your premises.
If needed, we’ll only share sensitive information with suppliers who have the right Facility Security Clearance (FSC) for the facility or site where they’ll be working (where certain parts of the contract will be conducted).
When a non-FSC or provisional FSC supplier is successful or will be awarded a contract, we will sponsor the certification of an FSC for the site where the supplier will conduct the work. No preference is given to existing FSC holding suppliers.
| Security classification | Security measures | Comments |
|---|---|---|
| OFFICIAL | General good security practices are expected. | See ‘working with OFFICIAL information’ - the NPSA provides general guidance on improving your physical security as does the Secured by Design New Schools 2014 guidance, or speak to your local Counter Terrorism Security Advisor (CTSA) for advice |
| OFFICIAL-SENSITIVE | General good security practices are expected and will be supported as detailed within a SAL and the OFFICIAL and OFFICIAL-SENSITIVE contractual security conditions document | Security Aspects Letters and Contractual Security Conditions - remote working with MOD material (any requirement must be agreed by MOD or Dstl) |
| SECRET and ABOVE | Facility Security Clearance (FSC) policy and guidance for UK defence contractors and MOD contracting authority | A FSC is required to ensure the supplier meets and maintains the required protective security controls to safeguard these classified assets |
An FSC is specific to a location and is assessed by the Industry Security Assurance Centre (ISAC) in MOD. The existence of the facility security clearance holds a security classification of OFFICIAL-SENSITIVE and must not be divulged to personnel that do not ‘need to know’.
12. Cyber security
Anyone who works with us or works for our suppliers must protect any defence information on their computer systems using proper security measures.
As a minimum, suppliers and sub-contractors must meet the contractual cyber security requirements of DefCon 658. These requirements are explained within the Cyber Security Model with the actual controls for each cyber risk profile expanded within DefStan 05-138.
We’ll decide what security measures you need based on the cyber risk profile linked to your contract, but you must fill out a form called a Supplier Assurance Questionnaire (SAQ) to show us whether you meet these requirements or not.
Other things to be aware of:
- submit a SAQ via an online Supplier Cyber Protection Service
- get the appropriate level of Defence Cyber Certification to achieve compliance
- if requirements are not met, you must provide a Cyber Implementation Plan (CIP) which will form part of the contract and will be monitored
13. Disclosure of information
Your contract will set out the rules on sharing information, but you must adhere to the following:
- do not share information about our projects without asking us first - this is a condition in your contract
- get written approval from the contracting authority Project Manager or Contract Manager before publicising anything - include a draft announcement when asking for approval
- contact us before responding to an FOI at dstlfoi@dstl.gov.uk
14. Supply chain
If you intend to sub-contract work (related to the Dstl or MOD contract) to another organisation including spin-outs and subsidiaries, you must do the following:
- inform Dstl or MOD if the work will be placed at OFFICIAL
- make a formal request (see ‘subcontracting or collaborating on classified MOD programmes’ on the ISNs) if the work will be placed at OFFICIAL-SENSITIVE or above (there are additional requirements for SECRET and above, and also for contracting to overseas parties)
- pass on the security conditions to anyone you work with and issue a SAL where appropriate (see ‘subcontracting or collaborating on classified MOD programmes’ on the ISNs)
- include DefCon 658 and the applicable Cyber Risk Profile requirements
You must also follow any extra rules such as Export Control if you’re working with overseas parties and involving DRCM.
Your MOD or Dstl Project Manager or Contract Manager will be able to help.
15. Conflicts of interest and due diligence
Suppliers and sub-contractors must avoid conflicts of interest or situations that give the appearance of a conflict of interest, or have the potential to do so. Some instances may even be considered within the National Security and Investment Act 2021 and you should also get further advice from the RCAT.
The Association of Research Managers and Administrators (ARMA) has created a questionnaire and guidance that can help you check the background of potential partners before starting a collaboration.
The Grants Centre of Excellence also has a useful Threats Handbook and Threat Consideration Tool and may be able to provide access to ‘Spotlight’ - a Public Sector due diligence tool.
16. Supporting documents
The MOD Research Worker Security Guide is a quick reference security guide for Research Workers and anyone else who will have authorised access to DRCM as part of their work.
The R&D Project Management Checklist may help the Lead Delivery Manager (for example, the PI) to assure themselves and the project team that the necessary security aspects have been addressed at the start and through the life of the contract.
Our security measures apply to everyone who has access to DRCM. This includes administrative and commercial buyers who might receive the contract pack and agree the terms.
Contact your contracting authority - for example, the MOD Project Manager or Technical Partner - as early as possible to make sure your research is properly secured.