Guidance

Defence Cyber Protection Partnership

Defence Cyber Protection Partnership (DCPP) is a joint Ministry of Defence (MOD) and industry initiative to improve the protection of the defence supply chain from the cyber threat.

Latest

COVID-19 update as of 9 April 2020

In light of the COVID-19 pandemic National Cyber Security Centre (NCSC) have updated their advice and guidance on renewing Cyber Essentials and Cyber Essential Plus certification. The guidance can be found on the frequently asked question section of the NCSC website.

For MOD’s advice on obtaining Cyber Essentials Plus for new contracts, please refer to this Industry Security Notice.

Updated Supplier Cyber Protection as of November 2019

DCPP updated Supplier Cyber Protection with an improved Risk Assessment (RA) and Supplier Assurance Questionnaire (SAQ) on 12 November 2019 to reflect the changing threat landscape.

The new RA and SAQ workflow documents are available here:

Risk Assessment Workflow (PDF, 264KB, 6 pages)

Supplier Assurance Questionnaire (PDF, 215KB, 16 pages)

What is the DCPP?

A collaboration between the MOD and its key suppliers to ensure the defence supply chain understands the cyber threat and is appropriately protected against attack.

Our principles

  • understand the risk
  • proportionate protection
  • suppliers to defence meet the standards.

Supplier Cyber Protection online

This is the tool used to carry out the Cyber Security Model. It is free to use and allows someone to do a trial run of both the Risk Assessment and Supplier Assurance questionnaire.

The Cyber Security Model (defence condition 658)

  • the buyer completes risk assessment, this determines cyber risk profile
  • cyber risk profile security requirements listed in Defence Standard 05-138. This includes cyber essentials for a risk profile of very low. Cyber Essentials Plus, alongside various policy documents required for low
  • supplier completes Supplier Assurance Questionnaire (SAQ) to demonstrate their compliance with the requirements
  • a Cyber Implementation Plan (CIP) will be required to demonstrate an alternative approach to meeting the requirements, if what the supplier has differs from the DEFSTAN.

Flow down

Suppliers complete a risk assessment for any elements they are sub-contracting. Their suppliers will complete SAQs as required.

What is in it for industry:

  • protect reputation
  • protect intellectual property
  • protect pricing information
  • protect customer details
  • protect own supply chain

Hot topic

Now available: a document on adopting other standards by comparing Def Stan 05-138 and NIST 800-171. This will be expanded to include other standards over time. Guidance for adopting other standards to meet requirements of Defence Standard 05-138 (PDF, 231KB, 8 pages).

This unclassified presentation was recorded for internal MOD audiences to raise their awareness of the Cyber Security Model although most of it still applies to industry.

DCPP internal presentation

Other media sources

Published 12 September 2019
Last updated 9 April 2020 + show all updates
  1. Updated the COVID-19 message under the 'latest' heading. .

  2. Added a COVID-19 update under the 'latest' heading.

  3. Addition of links: 'Supplier Cyber Protection Service: Pre 12/11/19 Risk Assessment workflow' and 'Supplier Cyber Protection Service: Pre 12/11/19 Supplier Assurance Questionnaire'.

  4. Updated 'Supplier Assurance Questionnaire' and useful links section.

  5. Updated links.

  6. Updated the information in the 'latest' section.

  7. First published.