Image Suppliers - Cybersecurity - Level 1
Cybersecurity requirements


An increasing and evolving cyber threat has led the UK Ministry of Defence (MOD) and US Department of Defense (DoD) to implement new cyber security controls that apply to information held or generated by their suppliers. These controls are being mandated due to the increasing cyber threats and a recognition that the supply chain is being targeted due to the often insufficient levels of cyber protection employed by defence suppliers.

Defence Cyber Protection Partnership Cyber Security Model

Regulation Overview
The Defence Cyber Protection Partnership (DCPP) is a joint UK Ministry of Defence (MOD) and industry initiative put in place to improve the protection of the defence supply chain against cyber threats. The Cyber Security Model (CSM) developed by the DCPP and being rolled out by the MOD is intended to ensure that MOD Identifiable Information is adequately protected. The CSM consists of the following three elements:
  • The risk assessment process; used to measure the level of cyber risk for a contract;
  • The requirements that a supplier will be required to achieve for the level of assessed cyber risk determined by the risk assessment. These requirements are detailed in DEF STAN 05-138: Cyber Security for Defence Suppliers; and
  • The supplier assurance questionnaire (SAQ); the means by which a supplier demonstrates their compliance with the cyber requirements.

Current Position
As of 1 January 2016, all suppliers with MOD contracts are required to have the Cyber Essential Scheme (CES) Certification.

Risk Assessment Process
The risk assessment process is initiated when a request for quotation (RFQ) is generated for a new subcontract. We will perform a cyber risk assessment and assign a cyber risk level to the subcontract based on the nature and volume of MOD Identifiable Information involved. The assessed level of cyber risk will determine the number of cyber security controls the supplier must be compliant with in order to win the contract.
The successful supplier will then need to perform its own cyber risk assessment for its subcontracts. This process is flowed down the supply chain until the contract no longer involves the transfer of MOD Identifiable Information.
What is MOD Identifiable Information?
MOD Identifiable Information includes all electronic information which is attributed to or could identify an existing or proposed MOD capability, defence activities or personnel and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure.
Demonstrating Compliance
Compliance with controls that need to be implemented for the assessed level of cyber risk is demonstrated by completing the MoD’s online supplier assurance questionnaire.
DEFCON Flow Down
Obligations to implement and comply with the various requirements will be contained in a new DEFCON that will be flowed down to relevant suppliers in their subcontracts where necessary.
Cyber Incident Reporting
In the event of a cyber security incident, or a suspected cyber security incident, the supplier must immediately report this to both the MOD and BAE Systems. Full details of the circumstances of the breach and any mitigation measures, taken or intended, must be provided.

Federal Acquisition Regulations

Regulation Overview
In May 2016, a new rule amending the US Federal Acquisition Regulations (FAR) was finalised for federal government contracts which addresses “the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information”. This new rule adds a new clause (FAR 52.204-21) which requires 15 security controls to be implemented for all contracts where suppliers have IT systems that handle Federal contract information.
These security controls are to be implemented from the date of contract irrespective of the country in which the information is shared, the IT systems are located or the work is performed.
What is Federal contract information?
Federal contract information (FCI) is information, not intended for public release, which is provided by or generated for the US Government under a contract to develop or deliver a product or service to the US Government. This does not include information provided by the US Government to the public, such as on public web sites, or simple transactional information, such as that necessary to process payments.
FAR Process and Compliance
The new clause requires contractors to include the substance of the clause in their subcontracts with suppliers that may have FCI residing in or transiting through their information systems.
Suppliers must determine whether the requirements are applicable to them for a given contract. If applicable, suppliers will need to ensure they have implemented all 15 of the required FAR security controls by contract award.

Defense Federal Acquisition Regulations Supplement

Regulation Overview
In October 2016, the U.S. Department of Defense (DoD) issued a final rule on “network penetration reporting and contracting for cloud services” which adds a new clause to the Defense Federal Acquisition Regulations Supplement (DFARS) that is intended to improve the protection of Covered defense information in the defence supply chain against cyber threat (DFARS 252.204-7012). The new DFARS clause essentially has three separate requirements:
  • The implementation of 109 National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 security controls (and, in the case of any external cloud services used to store, process or transmit any Covered defense information, the implementation of security requirements equivalent to those established by the US Government for the Federal Risk and Authorisation Management Program (FedRAMP) Moderate baseline);
  • Flow down the DFARS clause within the supply chain; and
  • Cyber incident reporting.
The clause applies irrespective of the country in which the information is shared, the IT systems are located or the work is performed.
What is Covered defense Information?
“Covered defense information” means unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry at, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Governmentwide policies, and is -
(1)  Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or
(2)  Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.
NIST SP 800-171 Implementation
Suppliers must have fully implemented the 109 NIST SP 800-171 security controls for all contracts (except those “solely” for commercial-off-the-shelf (COTS) items) that involve the handling of Covered defense information (CDI), by 31 December 2017, unless the DoD CIO has approved the implementation of “alternative, but equally effective, security measures” or adjudicated that the requirement to implement the controls is non-applicable. In the interim, for contracts awarded prior to 31 October 2017, suppliers must report any areas of non-compliance to the DoD’s CIO within 30 days of contract award.
Flow Down
The new DFARS clause requires the clause to be included in any subcontracts which will involve the handling of CDI.
Cyber Incident Reporting
In the event of a cyber security incident suppliers must report the incident to the DIBNet portal within 72 hours of discovery including, as a minimum, the information specified at

Maturity Model

The Maturity Model is a collaborative initiative, hosted by Exostar, between BAE Systems, Lockheed Martin, Boeing, Rolls Royce and Northrop Grumman. It is used to assess the extent of a supplier’s cybersecurity readiness, but with a specific focus on those who are not required to comply with DCPP regulations or the FAR or DFARS security controls.
The Maturity Model is based around levels of required maturity and consists of 22 control families. The number of applicable controls is dependent on the assessed level of capability. The control requirements are progressive as the required capability levels increase; each level includes the controls from the previous levels.
Maturity Model Process and Compliance
We will complete a risk assessment to determine the required maturity level for the supplier. The supplier will be sent an invitation to complete an online questionnaire hosted on the Exostar system to demonstrate their extent of their compliance. We will review the results to identify any gaps or concerns, and, will agree action plans with the supplier to address them.
One of the key features of this process is the concept of ‘ask once and share’. If subsequently invited by another partner, a supplier that has already completed the questionnaire for any of the collaborating partners can choose to share the questionnaire results without having to complete it again. This does not mean that the supplier will be assessed in the same way by other partners who may require a greater or lesser set of controls to be in place depending upon how they view the risk under the relevant contract with the supplier.