Detailed guide: Defence Cyber Protection Partnership

Ministry Of Defence

December 13
17:00 2019


DCPP updated Supplier Cyber Protection with an improved Risk Assessment (RA) and Supplier Assurance Questionnaire (SAQ) on 12 November 2019 to reflect the changing threat landscape.

The new RA and SAQ workflow documents are available here:

Risk Assessment Workflow (PDF, 264KB, 6 pages)

Supplier Assurance Questionnaire (PDF, 215KB, 16 pages)

What is the DCPP?

A collaboration between the MOD and its key suppliers to ensure the defence supply chain understands the cyber threat and is appropriately protected against attack.

Our principles

  • understand the risk
  • proportionate protection
  • suppliers to defence meet the standards.

Supplier Cyber Protection online

This is the tool used to carry out the Cyber Security Model. It is free to use and allows someone to do a trial run of both the Risk Assessment and Supplier Assurance questionnaire.

The Cyber Security Model (defence condition 658)

  • the buyer completes risk assessment, this determines cyber risk profile
  • cyber risk profile security requirements listed in Defence Standard 05-138. This includes cyber essentials for a risk profile of very low. Cyber Essentials Plus, alongside various policy documents required for low
  • supplier completes Supplier Assurance Questionnaire (SAQ) to demonstrate their compliance with the requirements
  • a Cyber Implementation Plan (CIP) will be required to demonstrate an alternative approach to meeting the requirements, if what the supplier has differs from the DEFSTAN.

Flow down

Suppliers complete a risk assessment for any elements they are sub-contracting. Their suppliers will complete SAQs as required.

What is in it for industry:

  • protect reputation
  • protect intellectual property
  • protect pricing information
  • protect customer details
  • protect own supply chain

Hot topic

Now available: a document on adopting other standards by comparing Def Stan 05-138 and NIST 800-171. This will be expanded to include other standards over time. Guidance for adopting other standards to meet requirements of Defence Standard 05-138 (PDF, 231KB, 8 pages).

This unclassified presentation was recorded for internal MOD audiences to raise their awareness of the Cyber Security Model although most of it still applies to industry.

DCPP internal presentation

Other media sources

Published 12 September 2019
Last updated 13 December 2019 +show all updates
  1. Updated 'Supplier Assurance Questionnaire' and useful links section.
  2. Updated links.
  3. Updated the information in the 'latest' section.
  4. First published.

Related Articles


  1. We don't have any comments for this article yet. Why not join in and start a discussion.

Write a Comment

Your name:
Your email:

Post my comment

Recent Comments

Follow Us on Twitter

Share This

Enjoyed this? Why not share it with others if you've found it useful by using one of the tools below: