Cyber Essentials is a UK Government-backed scheme that sets out basic technical controls organisations can implement to help protect against common online threats. It provides a certification route to demonstrate that these controls are in place. Organisations that achieve Cyber Essentials and Cyber Essentials Plus can display a badge showcasing their certification.
Organisations working with the Ministry of Defence (MOD) need to ensure their information security infrastructure is robust, resilient and up to the standards required for successful MOD procurement. Today’s MOD suppliers are typically required to have Cyber Essentials or Cyber Essentials Plus certification, along with documented and effective information security governance policies in place.
The Cyber Security Model (CSM) was developed by the Defence Cyber Protection Partnership (DCPP), which is made up of MOD representatives, suppliers and defence industry bodies, and came into force in 2017. MOD procurement requires adherence to it: all suppliers must comply with the latest CSM framework, which incorporates the most recent Cyber Essentials requirements. In practical terms, organisations need to hold Cyber Essentials or Cyber Essentials Plus certification and have security governance policies to become MOD suppliers.
Why Achieve Cyber Essentials?
The Ministry of Defence is a significant customer of a wide range of suppliers. According to Tussell (the provider of UK public sector procurement data), MOD spending with private contractors grew by 31% between 2019 and 2024. In 2025, the MOD continues to invest heavily in defence procurement, with a substantial portion of contracts still awarded without competition due to national security and specialist supplier requirements.
While the new Procurement Act 2023 aims to increase competition, direct awards remain common in the defence sector. Regardless of how contracts are awarded, suppliers must meet the MOD’s cyber security requirements – making Cyber Essentials (or Cyber Essentials Plus) certification essential for doing business with the Ministry of Defence.
For organisations working with the MOD, the CSM applies both to the supplier organisation and to any subcontractors it uses as part of the project.
What Is the Background to the Cyber Security Defence Model?
The Cyber Security Model (CSM) is a requirement for any contract where MOD-identifiable information (i.e. information from which the Ministry of Defence can be identified) is:
- Sent from the MOD (customer) to a supplier, or
- Created by the supplier while working on an MOD contract.
In other words, if the supplier will handle or generate any MOD-related data, the contract must comply with the CSM to ensure appropriate cyber security standards are met.
Why it matters:
- The CSM helps the MOD assess and manage cyber risk in its supply chain.
- It ensures suppliers apply the right level of cyber protection, depending on the sensitivity of the information they handle.
The CSM was launched in 2017 because the DCPP wanted to ensure that the full breadth of security requirements, such as governance and risk management, was being met. It integrates with Cyber Essentials, recognising that it is an important first step in assessing supplier credentials where there is an exchange of information.
The MOD implemented the Cyber Essentials scheme through an initial compliance question in its supplier selection Pre-Qualification Questionnaire. In practice, this means that most MOD suppliers require Cyber Essentials as a bare minimum for doing business.
MOD Cyber Essentials Assurance Framework
Your organisation must have Cyber Essentials certification to do business with the MOD, unless your contract does not contain any MOD information. Obtaining Cyber Essentials is good practice – it is a certification scheme that helps protect your business from cyber threats, and your business reputation could benefit from a nationally recognised mark of cyber awareness.
The scheme continues to be key for protecting organisations against cyber threats, with updates emphasising enhanced controls and governance.
How Do You Achieve Cyber Essentials or Cyber Essentials Plus?
Full details of Cyber Essentials and Cyber Essentials Plus can be found in British Assessment Bureau’s Guide to Cyber Essentials, which is available as a free download.
As of April 28, 2025, the Cyber Essentials assessment process uses the Willow question set, which replaces the previous Montpellier question set.
Cyber Essentials certification is achievable through an official certifying body, such as Ascentor, a sister company of British Assessment Bureau, part of the Amtivo group.
If you’re looking to achieve Cyber Essentials Plus certification or would like to have a chat about any aspect of your cyber security strategy, please get in touch with the expert team at British Assessment Bureau.
