Defence Cyber Protection Partnership (DCPP) is a joint Ministry of Defence (MOD) and industry initiative to improve the protection of the defence supply chain from the cyber threat.
COVID-19 update as of 9 April 2020
In light of the COVID-19 pandemic National Cyber Security Centre (NCSC) have updated their advice and guidance on renewing Cyber Essentials and Cyber Essential Plus certification. The guidance can be found on the frequently asked question section of the NCSC website.
For MOD’s advice on obtaining Cyber Essentials Plus for new contracts, please refer to this Industry Security Notice.
Updated Supplier Cyber Protection as of November 2019
DCPP updated Supplier Cyber Protection with an improved Risk Assessment (RA) and Supplier Assurance Questionnaire (SAQ) on 12 November 2019 to reflect the changing threat landscape.
The new RA and SAQ workflow documents are available here:
What is the DCPP?
A collaboration between the MOD and its key suppliers to ensure the defence supply chain understands the cyber threat and is appropriately protected against attack.
- understand the risk
- proportionate protection
- suppliers to defence meet the standards.
Supplier Cyber Protection online
This is the tool used to carry out the Cyber Security Model. It is free to use and allows someone to do a trial run of both the Risk Assessment and Supplier Assurance questionnaire.
- the buyer completes risk assessment, this determines cyber risk profile
- cyber risk profile security requirements listed in Defence Standard 05-138. This includes cyber essentials for a risk profile of very low. Cyber Essentials Plus, alongside various policy documents required for low
- supplier completes Supplier Assurance Questionnaire (SAQ) to demonstrate their compliance with the requirements
- a Cyber Implementation Plan (CIP) will be required to demonstrate an alternative approach to meeting the requirements, if what the supplier has differs from the DEFSTAN.
Suppliers complete a risk assessment for any elements they are sub-contracting. Their suppliers will complete SAQs as required.
What is in it for industry:
- protect reputation
- protect intellectual property
- protect pricing information
- protect customer details
- protect own supply chain
Now available: a document on adopting other standards by comparing Def Stan 05-138 and NIST 800-171. This will be expanded to include other standards over time..
This unclassified presentation was recorded for internal MOD audiences to raise their awareness of the Cyber Security Model although most of it still applies to industry.