Cyber Essentials is viewed as the baseline standard for cyber security and was developed by the UK Government. It details controls organisations can implement that demonstrate compliance. Successful Cyber Essentials and Cyber Essentials Plus accredited organisations can display a badge showing their certification.
Organisations working with the Ministry of Defence (MoD) need to ensure their information security infrastructure is robust, resilient and up to the standards required for successful MoD procurement. Today's MoD suppliers need to hold Cyber Essentials or Cyber Essentials Plus accreditation and have documented, effective information security governance policies in place.
The Cyber Security Model (CSM) was developed by the Defence Cyber Protection Partnership (DCPP), made up of MoD representatives, suppliers and defence industry bodies, and came into force in 2017. MoD procurement requires all suppliers to comply with the CSM framework. In practical terms, organisations need to hold Cyber Essentials or Cyber Essentials Plus certification and have security governance policies in place to become MoD suppliers.
Why attain Cyber Essentials?
The Ministry of Defence is a significant customer of a wide range of suppliers. According to the latest government figures, MoD placed £11.1bn of new contracts in 2019/20, an increase of £2.3bn on the previous year. In total, the MoD paid £26.6bn to UK and foreign-owned organisations in 2019/20, with the largest share of contracts (44%) awarded following a bidding process in which organisations responded to a tender.
For organisations working with MoD, the CSM applies both to the supplier organisation and any subcontractors it uses as part of the project.
What is the background to CSM?
The Cyber Security Defence Model applies to any contract that involves the transfer of MoD identifiable information from the customer to the supplier, or the generation of information by a supplier specifically in support of the MoD contract.
CSM was launched in 2017 as the DCPP was concerned that Cyber Essentials lacked the full breadth of security requirements, such as governance and risk management. It integrates with Cyber Essentials, recognising it is an important first step in assessing supplier credentials where there is an exchange of information.
The MoD implemented the Cyber Essentials scheme through an initial compliance question in its supplier selection Pre-Qualification Questionnaire. In practice, this means that most MoD suppliers require Cyber Essentials as a bare minimum for doing business.
The MoD introduced the change as:
For all new requirements advertised from 1st January 2016 which entail the transfer of MoD identifiable information from customer to supplier or the generation of information by a supplier specifically in support of the MoD contract, MoD will require suppliers to have a Cyber Essentials certificate by the contract start date at the latest, and for it to be renewed annually. This requirement must be flowed down the supply chain.
What is Cyber Essentials?
Launched in June 2014, Cyber Essentials is a set of measures that all organisations need to implement to protect against basic cyber threats. It has been a mandatory requirement for government suppliers on certain types of contract to hold Cyber Essentials certification.
The MoD had an initial exemption from Cyber Essentials when it was first launched, as it was developing its more extensive CSM. It decided that Cyber Essentials is the first step for all suppliers where there is an exchange of information.
MoD Cyber Essentials Assurance Framework
Your organisation must have Cyber Essentials certification to do business with the MoD, unless your contract does not involve any MoD information. Obtaining Cyber Essentials is good practice: it is a security standard that helps protect your business from cyber threats, and you'll also gain valuable certification.
A bulletin released by Defence Contracts Online in December 2015 stated that by implementing the basic cyber controls required of the government’s Cyber Essentials scheme, businesses would protect their information assets from almost 80 per cent of cyber threats.
Cyber Essentials is available at two levels: CE and CE+. CE will be the sole measure required for very low-risk contracts; for anything carrying greater risk, the baseline will be CE+.
How do you achieve Cyber Essentials?
Full details of Cyber Essentials and Cyber Essentials Plus can be found in British Assessment Bureau's Guide to Cyber Essentials, which is available as a free download.
Cyber Essentials certification is achievable through an official certifying body, such as British Assessment Bureau.
Cyber Essentials Plus
If you’re looking to achieve Cyber Essentials certification or would like to have a chat about any aspect of your own cyber security strategy, please get in touch with the expert team at British Assessment Bureau.