Ministry Of Defence
DCPP updated Supplier Cyber Protection with an improved Risk Assessment (RA) and Supplier Assurance Questionnaire (SAQ) on 12 November 2019 to reflect the changing threat landscape.
The new RA and SAQ workflow documents are available here:
What is the DCPP?
A collaboration between the MOD and its key suppliers to ensure the defence supply chain understands the cyber threat and is appropriately protected against attack.
- understand the risk
- proportionate protection
- suppliers to defence meet the standards.
Supplier Cyber Protection online
This is the tool used to carry out the Cyber Security Model. It is free to use and allows someone to do a trial run of both the Risk Assessment and Supplier Assurance questionnaire.
- the buyer completes risk assessment, this determines cyber risk profile
- cyber risk profile security requirements listed in Defence Standard 05-138. This includes cyber essentials for a risk profile of very low. Cyber Essentials Plus, alongside various policy documents required for low
- supplier completes Supplier Assurance Questionnaire (SAQ) to demonstrate their compliance with the requirements
- a Cyber Implementation Plan (CIP) will be required to demonstrate an alternative approach to meeting the requirements, if what the supplier has differs from the DEFSTAN.
Suppliers complete a risk assessment for any elements they are sub-contracting. Their suppliers will complete SAQs as required.
What is in it for industry:
- protect reputation
- protect intellectual property
- protect pricing information
- protect customer details
- protect own supply chain
Now available: a document on adopting other standards by comparing Def Stan 05-138 and NIST 800-171. This will be expanded to include other standards over time..
This unclassified presentation was recorded for internal MOD audiences to raise their awareness of the Cyber Security Model although most of it still applies to industry.