UK Government & UK MOD Cyber Security Requirements
Due to the growth in frequency and sophistication of cyber security attacks, and the increased risk posed to businesses, citizens and the government supply chain when such attacks are successful, the UK Government and UK Ministry of Defence (MOD) have introduced contractual cyber security requirements. These requirements are being added to new government contracts and include supply chain flow down obligations.
Along with other aspects of Security, Compliance and Integrity, GE Aviation takes Cyber Security extremely seriously and requires its suppliers to do the same. It is vital that the shared role and responsibility in protecting sensitive information, intellectual property and critical systems is recognised across the supply chain as a whole. Where UK Government & UK MOD Cyber Security Requirements are applicable to the provision of products or services, suppliers will be informed of the requirements, which are in addition to and do not replace extant GE Cyber Security requirements.
UK Government Cyber Essentials Scheme (CES)
The UK Government’s Cyber Essentials Scheme (CES) was launched on 5th June 2014 and defines a set of controls which, when properly implemented, provide organisations with basic protection from the most prevalent forms of threat coming from the internet. As announced in Procurement Policy Note 09/14, CES became a mandatory requirement for certain Central Civil Government contracts from 1st October 2014. Suppliers may still wish to obtain CES certification as part of efforts to improve their cyber security posture even when this is not a contract requirement.
- Cyber Essentials Scheme Overview
- Get Cyber Essentials Certified
- Procurement Policy Note 09/14: Cyber Essentials Scheme Certification
UK MOD Cyber Security Model (CSM) and Defence Cyber Protection Partnership (DCPP)
The UK MOD Cyber Security Model (CSM) was developed by the Defence Cyber Protection Partnership (DCPP) and builds upon the foundation of the UK Government Cyber Essentials Scheme (CES). As announced in MOD Letter and Industry Security Notice (ISN) 2016/01 ‘MOD Implementation of Cyber Essentials Scheme’, CES became a mandatory requirement for new MOD contracts involving MOD Identifiable Information from 1st January 2016. MOD Identifiable Information is defined in Industry Security Notice (ISN) 2016/05. In due course under the CSM, MOD contracts involving higher levels of cyber risk may require the application of supplementary controls, as set out in Defence Standard 05-138 in accordance with Defence Conditions (DEFCON) 658 or equivalent contract clauses.
The DCPP encourages suppliers to join and use the Cyber-security Information Sharing Partnership (CiSP). CiSP is a joint industry and government initiative set up to exchange cyber threat information in real time, in a secure, confidential and dynamic environment, increasing situational awareness and reducing the impact on UK business.
- MOD Implementation of Cyber Essentials Scheme (CES), Defence Cyber Protection Partnership (DCPP) and Cyber Security Model (CSM)
- MOD CES Letter
- MOD Contracts CES and CSM Announcements
- MOD DCPP CES & CSM FAQs
- ISN 2016/01 'MOD Implementation of Cyber Essentials Scheme'
- ISN 2016/05 'Definition of MOD Identifiable Information'
- Defence Cyber Protection Partnership (DCPP) and Cyber Security Model (CSM)
- Defence Standard 05-138: Cyber Security for Defence Suppliers
- DEFSTAN 05-138 is available from the UK Defence Standardization Extranet; see UK Defence Standardization for more information on how to access it
- Defence Conditions (DEFCONs)
- DEFCONs are available from the Commercial Toolkit DEFCONs section of the MOD Acquisition System Guidance (ASG) Extranet; see Acquisition System Guidance for more information on how to access them
- Cyber-security Information Sharing Partnership (CiSP)
- For more information on CiSP see National Cyber Security Centre (NCSC) > CiSP