R&D project management checklist: MOD supported
Published 1 December 2025
This checklist is part of the defence research security guide for researchers.
Who and what this checklist is for
This checklist is for the Lead Delivery Manager (for example, the Principal Investigator) to ensure that all security aspects have been addressed at the start of the project. It also helps when discussing security with the Contracting Authority (CA).
Share this checklist with your project team and suppliers. It will help everyone who works with defence related classified material (DRCM) understand the security rules and how to follow them. You should update the checklist as the project progresses.
Our security rules
Because the Defence Science and Technology Laboratory (Dstl) is part of the Ministry of Defence (MOD), we have to follow strict security rules, often stricter than those used in everyday business operations. These are specified in your contract or tasking agreement.
Joint Service Publication 732: Research Integrity sets out the principles defence research should adhere to and provides guidance on how defence applies them.
Complete checklist
We suggest the Lead Delivery Manager completes this checklist before starting work on behalf of Dstl. You should consult with colleagues to discuss and collate the information where necessary, and we also suggest you keep a copy of this record in the project or contract file for future reference.
This summarises everything you need to cover or include in your project or contract. You can print off an editable Open Document Text on the previous page.
Research organisation project details
- Project or contract reference
- Project or contract name
- Project or contract manager
- Project or contract security officer
- Project or contract start date
- Project or contract end date
- Highest classification of work to be delivered under the project or contract
- Is there an intention to sub-contract? If yes please see part 2
Security aspects
- Security Aspects Letter (SAL) reference
- The security aspects have been brought to the attention of all persons that may access or undertake work in support of this project or contract
- The definitions are understood by all persons that may access or undertake work in support of this project or contract and the required security controls for the protection of information, data and assets as detailed within the SAL, can and will be applied?
- The Defence Conditions, for example, 531, 660, 659A are understood by all persons that may access or undertake work in support of this project or contract and the required security controls as detailed within the SAL can and will be applied?
- Where a SAL has not been issued (only applies to work at OFFICIAL), have the ‘UK OFFICIAL and OFFICIAL-SENSITIVE Contractual Security Conditions’ terms been included?
- All supplier personnel and those within their network (including administrative support and service providers) that will access or undertake work in support of this project or contract have been approved, authorised and appropriately security screened or cleared as per the requirements of the BPSS, Dstl Research Worker Screening or NSV as appropriate for the project or contract?
- Any restrictions or caveats for supplier personnel have been stated by Dstl, noted and addressed to ensure that there will be no negative impact to participation or project or contract delivery? Unauthorised individuals must not participate
- All supplier personnel and their network have been informed of the Official Secrets Act 1989 and the National Security Act 2023 and understand how they apply to them?
- The Project or Contract ‘close down’ aspects of document control (return, destroy, retain) have been stated?
- Do all personnel with access to DRCM understand their responsibilities to report security incidents or breaches and how to report such activity?
Cyber security
- Is DefCon 658 included within the contract?
- Please state the Defence Cyber Certification Level and the Cyber Risk Assessment Reference (RAR)
- Has the Supplier Assurance Questionnaire (SAQ) been approved for the network or system that will process, generate or store the DRCM related to this Deliverable? If the SAQ response does not meet the cyber security controls required, a Cyber Implementation Plan (CIP) will be required.
- Please state the SAQ Reference
- Where a CIP is in place, has this been included within the contract and will it be monitored appropriately?
- Please state the CIP reference
- Is Secure by Design applicable and if so, will it be appropriately addressed?
- Does DefStan 05-139 (Platforms, Systems and Services) apply and if so, are the requirements fully understood and will they be appropriately addressed within project or contract delivery?
- Secure methods for information and data exchange, storage and/or collaboration have been or will be established in accordance with the applicable Industry Security Notices (ISNs) and SAL requirements
- Has any Common Data Environment (CDE) proposed for use been assessed and approved by the Contracting Authority (CA) prior to use?
- Where applicable for services provided, has the supplier evidenced NCSC Cloud Compliance and had such services approved for use?
- Is all electronic data subject to UK laws and jurisdiction? For example, data centre or cloud is UK based? Cloud services must not be introduced post contract award without CA approval
- Are there any cyber security risks identified with overseas suppliers? If so have these been brought to the attention of/discussed with the CA?
Physical security
- What location(s) will the project or contract be delivered from?
- Is the location(s) suitable for the security classification of the work to be undertaken?
- Where the work will be at SECRET or above, a Facility Security Cleared (FSC) location must be used. Please confirm that measures will be taken to facilitate appropriate space prior to any security classified information, data or assets being processed, stored or generated
- Please provide details of any FSC to be used (supplier name, site, building, room)
International research
- Has overseas collaboration been approved by the CA?
- Have sufficient checks been completed to assure the CA of the suitability of proposed overseas partners? This may include information and data exchange and geographical implications as well as affiliations with sanctioned individuals or countries etc.
- Are project members clear on any restrictions regarding the exchange of information, travel and taking or accessing project information overseas under both personal and work-related activities? For example, use of MOD Form 680
Risk management
- Is there a Security Risk Manager within the project team?
- Is there a project risk register in place?
- Are security risks identified and discussed with the MOD project team and where appropriate the organisation's security risk owner?
- Are there any risks identified from the participation within this contract?
- Regular meetings will be scheduled to discuss risk and security measures with the appropriate stakeholders
Sub-contracting
- If you plan to sub-contract, which supplier(s) will be used?
- Have you ensured appropriate due diligence has been conducted on the proposed sub-contractor and you are content to utilise them for delivery?
- Have any concerns been identified that will be brought to the attention of the Project Team for discussion and resolution?
- Will the sub-contractor(s) access or generate security classified information at Official-Sensitive or above?
- If so, has a MOD Form 1686 been, or will one be, submitted and approved before placing a sub-contract?
- Has a SAL been issued to the sub-contractor as appropriate for the classification?
- Where classified information at “Official” will be accessed or generated, has a copy of the ‘UK OFFICIAL and OFFICIAL-SENSITIVE Contractual Security Conditions’ been issued for the contract even where a SAL has not been issued?
- Has DefCon 658 been applied to the sub-contract(s)?
Review and approval
- Name
- Role
- Date