Guidance

Defence Cyber Protection Partnership

Defence Cyber Protection Partnership (DCPP) is a joint Ministry of Defence (MOD) and industry initiative to improve the protection of the defence supply chain from the cyber threat.

Interim process for new contracts

MOD Risk Assessment (RA)

The MOD Project/Delivery Manager needs to complete the Risk Assessment (RA) via the interim process. Please request forms via email to the DCPP Team: ISSDes-DCPP@mod.gov.uk. Please return forms as Microsoft (preferred) or convert to PDF.

Supplier Assurance Questionnaire (SAQ)

Tenderers must still complete an SAQ to be provided with tender responses. The MOD Project Team will provide the SAQ. On completion, this must be sent to the DCPP Team for a result to be provided. The completed SAQ and result must be included with tender responses, along with a Cyber Implementation Plan (CIP) if appropriate.

Flow down

Whilst the interim process is in place, flow down of the Risk Assessment/Supplier Assurance Questionnaire process to sub-contracts will be required for contracts with a high-risk profile only. All other levels must be completed during a grace period after the new tool goes live.

DEFCON 658

DEFCON 658 will continue to be included in contracts. Cyber Implementation Plans (CIPs) will continue to be needed as usual where SAQs indicate non-compliance (for all Tier 1 SAQs and High flow down).

Thank you for your patience.

For more information, contact the DCPP Team: ISSDes-DCPP@mod.gov.uk

Additional information

Def Stan 05-138

This is the Defence Standard defining the controls required for each Cyber Risk Profile (level).

DEFCON 658

This is the contractual Defence Condition that references supply chain cyber security.

Defence Industry Warning, Advice and Reporting Point (WARP)

There is a requirement to report security incidents where MOD data might be involved

Understanding more about the Cyber Security Model

Watch a video explaining the Cyber Security Model

The Cyber Risk Profile is assessed on 6 questions relating to:

Cyber Essentials underpins the MOD Cyber Risk Profiles. Cyber Essentials is a certification scheme identifying the minimum steps an organisation should take to protect themselves against cyber risk.

The Supplier Assurance Questionnaire is a self-assessment for organisations to demonstrate how they meet our requirements. The online tool allows sample questionnaires to be completed to identify gaps. Where there are differences a Cyber Implementation Plan (CIP) should be completed, particularly if an alternative cyber security standard is used.

Further information on CIPs can be found in:

News

Def Stan 05-138 v3 Cyber Security for defence suppliers

Contact us

The DCPP Team can be contacted by email on: ISSDes-DCPP@mod.gov.uk or DCPP LinkedIn Group.

DCPP group on the NCSC’s Cyber Information Sharing Partnership (CISP), register at NCSC’s Cyber Information Sharing Partnership (requires sponsorship).

This unclassified presentation was recorded for internal MOD audiences to raise their awareness of the Cyber Security Model although most of it still applies to industry.

DCPP internal presentation

Other media sources

Published 12 September 2019
Last updated 1 July 2021 + show all updates
  1. Updated the page with a new interim process for new contracts (first paragraph), and added links to version 3 of "Cyber security for defence suppliers (Def Stan 05-138)".

  2. Added new content under page heading: Interim DCPP Cyber Security Model process. Removed old content.

  3. Updated main page content.

  4. Updated page information.

  5. Added 'Recommended links', removed update from November 2019.

  6. Updated the COVID-19 message under the 'latest' heading. .

  7. Added a COVID-19 update under the 'latest' heading.

  8. Addition of links: 'Supplier Cyber Protection Service: Pre 12/11/19 Risk Assessment workflow' and 'Supplier Cyber Protection Service: Pre 12/11/19 Supplier Assurance Questionnaire'.

  9. Updated 'Supplier Assurance Questionnaire' and useful links section.

  10. Updated links.

  11. Updated the information in the 'latest' section.

  12. First published.