Guidance

Cyber Security Model

Information on the Ministry of Defence Cyber Security Model (CSM), including the standards and guidance for suppliers to meet CSM version 4.

The CSMv4 online service, the ‘Supplier Cyber Protection Service’, is now live.

Until formal contractual invocation of the CSMv4 is announced, via an Industry Security Notice, suppliers to Defence will remain able to raise and respond to risk assessments via the CSM v3 interim process.

The Cyber Security Model (CSM) is how Defence builds cyber security into its supply chain. It is a risk-based, proportionate approach which includes:

  • CSM Risk Assessments: Ministry of Defence (MOD) Delivery Teams complete an initial Risk Assessment. This determines a Cyber Risk Profile.
  • Cyber Security Standard for Defence Suppliers: Defence Standard 05-138 (Def Stan 05-138) lists the cyber security controls required for each Cyber Risk Profile. Suppliers are contractually required to meet Def Stan 05-138 controls.
  • Supplier Assurance Questionnaires (SAQ): Suppliers self-assess against the CSM requirements using a Supplier Assurance Questionnaire.
  • Flow down: Where a supplier sub-contracts, the supplier completes a Risk Assessment to generate a new Cyber Risk Profile for the sub-contract. The sub-contractor then completes the appropriate Supplier Assurance Questionnaire.

If a supplier cannot meet the requirements (including where compliance is certified under Defence Cyber Certification (DCC), see below), it must submit a Cyber Improvement Plan (CIP) stating when it will reach the required level of compliance, with the associated timescales, or the reasons why it is unable to comply. The CIP template can be found here.

Defence condition 658 (DEFCON 658) lays out the contractual terms for the Cyber Security Model.

The CSM has been updated:

  • Cyber Security Model v3 (CSMv3) (legacy)
  • Cyber Security Model v4 (CSMv4)

If you are in any doubt about which version of the CSM you should be using, please refer to your customer for more guidance. CSMv3 Cyber Risk Profiles (N/A to High) do not map onto the CSMv4 Levels.

Cyber Security Model v4 (CSMv4)

CSM version 4 is a significant change to the CSM, which supports the MOD’s Cyber Resilience Strategy for Defence.

CSMv4:

  • changes the CSM focus from “MOD Identifiable Information” to organisational security and resilience
  • introduces four new Cyber Risk Profiles: “Level 0”, “Level 1”, “Level 2” and “Level 3”
  • uses controls specified in Defence Standard 05-138 Issue 4
  • provides a new online Supplier Cyber Protection Service for completion of new CSM Risk Assessments and SAQs

Video series about changes to the CSM

  • Cyber Security Model version 4: Overview
  • Cyber Security Model version 4: Risk Assessment
  • Cyber Security Model version 4: Supplier Assurance Questionnaire
  • Cyber Security Model version 4: Roles and Responsibilities

Cyber Security Model v4 process

  1. New opportunity: The authority will provide a Risk Assessment Reference (RAR) number and the required Cyber Risk Profile (CRP) Level (Levels 0-3) for a new or existing MOD activity at the earliest market engagement; it will usually be found in the invitation to tender.
  2. Complete a SAQ: If the supplier intends to bid for this opportunity with the MOD, the supplier must use the Supplier Cyber Protection Service to complete a SAQ, self-assessing against the CRP. Please refer to the Supplier Cyber Protection Service demonstration video below for further guidance.
  3. Supplier Assessment: The SAQ is automatically scored against the CRP, and the supplier is informed immediately whether it is compliant.
  4. Cyber Improvement Plan (CIP): If the supplier is non-compliant, it must complete a CIP. The CIP forms part of the contract document itself, and DEFCON 658 will be included in the contract terms and conditions. The CIP enables a supplier to commit to improving its cyber resilience and allows a contracting authority to permit a supplier to work towards compliance with the required Cyber Risk Profile Level (Levels 0-3). The supplier should include the CIP as part of its tender. The CIP template can be found here.
  5. Supplier Selection: The authority will take into consideration supplier compliance (or CIP proposal) in supplier selection.
  6. Contract Award: Contracts will be agreed between the authority and supplier, which will include any agreed CIP.
  7. Contract Maintenance: Annually, the supplier will complete a new SAQ to determine if they remain compliant. If the supplier is non-compliant, a CIP will be considered.

Flow down guidance for defence suppliers

The information in this guidance is relevant for both MOD personnel (the authority) and current and prospective suppliers.

What is flow down?

Flow down is the process by which the MOD’s requirements on the prime contractor are placed into lower-tier sub-contractor agreements. Flow down is required from the prime contractor to its sub-contractors and onwards down the sub-contracting tiers to the end of the supply chain. The flow down process allows the MOD to monitor and gain assurance over its supply chain.

Who is responsible for flow down?

Suppliers are responsible for flow down. DEFCON 658 contains the contractual obligations that suppliers must place upon subcontractors.

Flow down example scenario:

A prime contractor, Company A, is bidding on a MOD contract to build military drone parts. Company A expects to hire a sub-contractor, Company B, to help manufacture components, some of which Company B will in turn sub-contract to Company C.

  1. Company A completes a CSM Risk Assessment (RA) to determine the Cyber Risk Profile (CRP) level for its sub-contractor(s). Completing the CSM RA automatically generates a Risk Assessment Reference (RAR).
  2. Company A passes this RAR to Company B, which completes a SAQ to determine whether it meets the required CRP level.
  3. Company B can now commence the onward flow down, following in Company A’s footsteps by completing a CSM RA to determine the CRP level required for its own sub-contract.
  4. Company C then completes the relevant SAQ, aiming to meet the CRP level assigned by Company B’s CSM RA.
  5. This process continues in the same way down the supply chain tiers.
  6. If either Company B or Company C (the sub-contractors) is NOT compliant with the required Def Stan 05-138 controls (per the CRP level for the contract) as a result of completing its SAQ, the requirements for a CIP must be agreed between the parties and must include consultation with the MOD.

Learn how to use the Supplier Cyber Protection Service

The Supplier Cyber Protection Service is a Public Beta. This demonstration video shows you how to use its current functionality. We are also exploring additional features to make CSMv4 even more flexible and user-friendly.

Cyber Security Model version 4: Supplier Cyber Protection Service Demonstration

Defence Cyber Certification

The Defence Cyber Certification (DCC) has been created in partnership with industry and IASME, the scheme’s Certification Authority, as a way of independently evidencing compliance with the Cyber Security Model.

Suppliers should expect to see an increasing requirement to hold valid DCC certification for the duration of their contract with the MOD; this will be specified as a condition of tender following the launch of the CSM.

Defence Supply Chain organisations in the UK are encouraged to sign up for free services provided by the UK National Cyber Security Centre (NCSC):

  • Active Cyber Defence and MyNCSC. Registered organisations can access Active Cyber Defence (ACD) tools such as ‘Early Warning’ and keep up to date with new capabilities and offerings beneficial to their cyber resilience.

Cyber Security Model v3 (CSMv3)

The content below is for the legacy CSMv3 process. Until formal contractual invocation of the CSMv4 is announced, via an Industry Security Notice, suppliers to Defence will remain able to raise and respond to risk assessments via the CSM v3 interim process.

CSMv3:

  • focuses on protection of electronic “MOD Identifiable Information”
  • has four Cyber Risk Profiles: “Very Low”, “Low”, “Moderate” and “High”
  • uses controls specified in Defence Standard 05-138 Issue 3
  • has operated since June 2021 using an Interim Process as per Industry Security Notice 2021/05. This includes:
    • annual renewal obligations being paused
    • DEFCON 658 still being included where MOD Identifiable Information is passed to a sub-contractor, even though flow down has been paused
    • submissions being made through a Microsoft Form or PDF

The Cyber & Supply Chain Security team will respond by email to Risk Assessments and Supplier Assurance Questionnaires within two working days.

If requirements are not met, the supplier will need to complete a Cyber Implementation Plan (CIP).

Contact

Email: UKStratComDD-IES-CC-CRP-SCPS@mod.gov.uk

Monday to Friday, 9am to 5pm - excluding bank holidays.

Updates to this page

Published 9 September 2024
Last updated 3 November 2025
  1. Updated call to action box with the latest information.

  2. Updated webpage with information on the now-live CSM version 4.

  3. Updated webpage with information on the Defence Cyber Certification (DCC).

  4. Updated: 'Supplier Assurance Questionnaire'

  5. Added 'Letter to Defence Industry CEOs/Defence Leads about driving cyber resilience in the supply chain'.

  6. First published.