The UK Ministry of Defence has officially rolled out Cyber Security Model v4, introducing stricter, more structured cyber security requirements for defence suppliers. Learn how CSM v4, DEFSTAN 05-138, and Defence Cyber Certification fit together and prepare for CSM v4 with a DCC Level 1 certified partner.
The UK Ministry of Defence (MOD) has raised the bar for everyone in its supply chain.
Starting December 3, 2025, all companies working with the MOD – whether a prime contractor, a Tier 2 supplier, or a third-party vendor buried three layers deep – must follow a new set of cyber rules called the Cyber Security Model (CSM v4).
The interim process tied to DEFCON 658 is out.
In its place? A more structured, standardised framework that holds every supplier and their subcontractors accountable for how they assess, manage, and report cyber risk.
If you’re doing business with the MOD, you’ll need to follow stricter requirements, use new government tools, and be ready to show exactly how you’re protecting your digital systems and sensitive data.
So, what’s changed, and what does compliance actually look like now?
Learn how MOD suppliers can prepare for Cyber Security Model v4 from a Defence Cyber Certification Level 1 certified company.
What is CSM and why does it matter?
The Cyber Security Model (CSM) is the MOD’s framework to make sure every link in its supply chain takes cybersecurity seriously. It’s a risk-based model that applies proportionate security controls based on the nature and sensitivity of the work being delivered.
But this isn’t just about your organisation. Under CSM v4, cyber accountability flows downstream, meaning you’re also responsible for assessing and validating the cyber posture of your subcontractors and third-party vendors. Whether a supplier is large or small, a single weak link can put an entire contract at risk.
So, what exactly does the MOD expect you to do?
Complete or respond to Risk Assessments (RAs)
Before any procurement or contract work begins, the MOD Delivery Team will carry out a Risk Assessment to determine the Cyber Risk Profile (CRP) of the contracted work – essentially, how much cyber risk your role in the contract carries. Based on this, the work will be assigned a CRP level (from Basic to Expert), which dictates the set of controls your organisation will need to meet to deliver it.
Fill out a Supplier Assurance Questionnaire (SAQ)
Once your CRP is set, you’ll need to complete a Supplier Assurance Questionnaire (SAQ) through the Supplier Cyber Protection Service portal. This self-assessment shows how your organisation stacks up against the security controls required for your CRP level and is a mandatory part of the MOD’s supplier onboarding and compliance process.
Apply relevant cyber controls from DEFSTAN 05-138
The cyber controls you’re being measured against are defined in DEFSTAN 05-138, a detailed MOD standard that outlines the minimum cyber security requirements for each CRP level. These range from essential controls at the lowest level, all the way up to comprehensive, expert-level defences for higher-risk contracts.
Create a Cyber Improvement Plan (CIP) if you’re not fully compliant
Not quite meeting the requirements? That’s not an automatic disqualification, but you’ll need to document the shortfall and how you intend to close it. A Cyber Improvement Plan (CIP) outlines the gaps in your current setup, the steps you’re taking to close them, and the timeline for becoming fully compliant. It’s a structured way to stay in the game while actively improving your security posture.
Bottom line: If you want to work with the MOD, you need to take cybersecurity seriously – and be able to prove it.
DEFSTAN 05-138: What the MOD Expects
Building on the CRP levels established during the initial CSM risk assessment, DEFSTAN 05-138 outlines the specific cybersecurity controls that suppliers must meet based on their assigned risk profile.
This MOD standard acts as the benchmark for what’s expected at each level, from basic hygiene to expert-grade defences. The higher the risk, the more comprehensive and stringent the requirements. These controls form the foundation of both the SAQ process and any future DCC certification.
Here’s what each level includes:
Level 0 – Basic (3 controls)
The Level 0 ‘Basic’ profile applies where there is a very low assessed cyber risk. It’s typically used for suppliers delivering outputs with minimal exposure to sensitive systems or data. At this level, organisations are expected to demonstrate basic cyber security hygiene: simple, essential measures that reduce common risks.
Level 1 – Foundational (101 controls)
The Level 1 ‘Foundational’ profile is assigned where there is a low to moderate level of cyber risk. Suppliers at this level must show they have a comprehensive cyber security programme in place, covering core areas such as governance, access control, incident response, and secure system management. The expectation here is good practice, not just basic hygiene.
Level 2 – Advanced (139 controls)
The Level 2 ‘Advanced’ profile applies to suppliers delivering higher-risk contracted outputs. At this stage, organisations need to demonstrate advanced oversight, planning, and control of their cyber environment. This means mature policies, active monitoring, and well-embedded security processes that support robust organisational and operational resilience.
Level 3 – Expert (144 controls)
The Level 3 ‘Expert’ profile represents the highest level of assessed cyber risk. Suppliers operating at this level are expected to demonstrate expert cyber security capabilities, fully embracing a defence-in-depth approach. Controls are designed to protect against sophisticated, evolving threats and assume that breaches are possible, covering prevention, detection, response, and recovery.
It’s important to note that these controls are considered a minimum baseline.
Depending on the nature of the contract, the MOD may impose additional cyber requirements on top of DEFSTAN 05-138, raising the bar even further for critical or sensitive work.
Enter DCC: Independent certification for defence suppliers
To move beyond self-assessments and strengthen assurance across the defence supply chain, the MOD, together with IASME as the Certification Authority, introduced the Defence Cyber Certification (DCC).
DCC isn’t a full replacement for the Supplier Assurance Questionnaire (SAQ), at least not yet. But it’s clear that the MOD is positioning DCC as the gold standard for demonstrating cyber maturity.
Over time, it’s expected to become more tightly integrated into the Supplier Cyber Protection Service and potentially reduce the burden of repeated self-reporting.
How it works:
- DCC certification is available in four levels, each aligned to CRP Levels 0 through 3, ensuring suppliers are measured against the appropriate risk threshold.
- Certification offers a point-in-time snapshot of a supplier’s compliance with DEFSTAN 05-138.
- To stay certified, suppliers must complete an annual check-in and undergo full recertification every three years, through an approved DCC Certification Body, such as AMR CyberSecurity.
For suppliers working on sensitive contracts, or for the ones hoping to, DCC is quickly becoming table stakes. It’s a proactive way to prove compliance, strengthen your competitive edge in defence tenders, and demonstrate to the MOD that cyber security is not just a policy on paper, but a practice in action.
How can we help
Whether you’re tackling your first Risk Assessment or gearing up for DCC certification, we are here to support you.
As a Level 1 certified DCC Certification Body, we provide more than just checklists. We’ve partnered with both prime contractors and subcontractors throughout the MOD supply chain, helping defence suppliers navigate CSM v4 from day one – whether you’re assessing your CRP, preparing for DCC, or building a CIP roadmap.
From independent assessments to hands-on consultancy, we tailor our approach to fit your organisation’s needs, so you’re not just compliant, you’re truly cyber-resilient. If you want to discuss your next steps, contact us.