MoD Cyber Essentials Requirements Contractors and Sub Contractors

Cyber Security Requirements for Ministry of Defence (MoD) contractors and sub-contractors


From January 2016, all MoD tenders are required to comply with the Cabinet Office procurement policy note 09/14 It was envisaged that the DCPP Cyber Security Model (CSM) would be introduced from April 2016 however it is likely this will now be April 2017 for the majority of contractors and sub-contractors. A beta testing period is currently taking place.

When introduced the buyer will identify the level of risk for each piece of work and the organisation being contracted with will need to demonstrate that they have the required controls in place. This will flow down through the supply chain as necessary (determined by the risk assessment).

For each level of CSM (excluding not applicable) there is a requirement for Certification to the Cyber Essentials Standard.

The following table identifies the risk levels and the required level of Cyber Essentials Certification. Please note Cyber Essentials is not the only requirement to meet the risk levels. Full requirements can be found here.

Not Applicable For contracts where it is assessed that there is no, or only a negligible, cyber risk. It is not expected that many contracts will fall in to this category
Very Low For contracts where a basic threat is faced (i.e. simple hacking, phishing or spyware) and where any attacker is likely to be opportunistic, unskilled and non-persistent. The sorts of contracts this will apply to are likely to be those covering commodity purchases or standard service provisions e.g. office supplies or the disposal of non-sensitive waste


Low For contracts where the threat may be slightly more targeted (i.e. involving spear phishing, whaling or ransomware and where attackers are semi-skilled but may not be persistent). It is likely to apply to contracts for basic parts or services but not where these could be linked to military capability. This profile is likely to apply primarily to contracts handling information classified as OFFICIAL, but may also occasionally apply to those involving small quantities of OFFICIAL information which have the handling instruction SENSITIVE



Moderate For contracts subject to more advanced threats that are tailored and targeted with the objective of gaining access to specific assets or enacting denial of service. The attacker is likely to be persistent, organised and either be skilled or have access to skills e.g. cyber criminals or hacktivists. This will likely apply to contracts that involve handling greater volumes of, or more sensitive, personal information, and those involving larger quantities of OFFICIAL-SENSITIVE information



High For contracts assessed as being subject to Advanced Persistent Threats (APT), which may be sustained over long periods and not exploited for months, or years after the initial attack. Attackers will be organised, highly sophisticated, well resourced and persistent. This will likely apply to contracts that are essential to support key military capability and those handling information classified at SECRET or above




QG Management Standards is an Accreditation Body for the scheme and has a number of Accredited Certification Bodies and Practitioners who can help you meet the appropriate requirements.

Certification is straight forward and a description the process can be found here.

QG Management Standards work with many certification bodies who help companies wishing to deal with the MoD and having Cyber Essentials is something which has enabled those companies be successful in their bids. Cyber Essentials shows that you as a business are serious about trying to protect your clients data, and the MoD look favourably upon this.

Gaining your Cyber Essentials accreditation is the first step as there are more certifications as shown in the table above, which you can look to gaining which will only seek to strengthen your applications and allow you access to more contracts. Securing the supply chain has been hot on the lips of many bodies such as the government which often speak in detail about how vital this is, the nuclear sector require the supply chain to have Cyber Essentials and MoD also want their supply chain to be at least CE accredited.


QG Business Solutions Ltd

Westwinds, Lambley Bank,
Scotby, Carlisle

t 01228 631681