Ministry Of Defence
Supplier Cyber Protection Service - Interim process
Upcoming Christmas stand-down 21 Dec 2022 6 Jan 2023
No Risk Assessments (RAs) or Supplier Assurance Questionnaires (SAQs) will be processed during this time. If you are planning to submit a priority RA or SAQ during this period, please let us know no later than 15 December 2022.
Current Status
The Octavian Supplier Cyber Protection Service was switched off in June 2021. We are currently on an interim process until the replacement tool is ready to go live.
Cyber Security Model process
The interim process offers a choice to complete Risk Assessments (RAs) and Supplier Assurance Questionnaires (SAQs) via either MS Forms or PDF.
The MS Forms links are:
The PDFs, if not provided by the Contracting Delivery team can be requested from the DCPP team at: ukstratcomdd-cydr-dcpp@mod.gov.uk.
The DCPP team are working to a 2-day turnaround time. We do welcome emails if you think a response has not been provided in this time.
Supplier Assurance Questionnaires (SAQs) in the tender process
When completing the SAQ, please include the Risk Assessment Reference (RAR). This should be provided by the MOD Delivery Team or other related competition publication.
For competition bids, unless otherwise stated, you will need to submit to the MOD Delivery team:
- A copy of your SAQ. MS Forms submissions can be saved via the Print option and sending to PDF, rather than a specified printer; and
- Our response email.
- If our response email says, Not met, you will also need to submit a Cyber Implementation Plan (CIP) to the Contracting Delivery team. Guidance for this can be found on the Cyber Implementation Plan (CIP) page. Some competition processes such as DASA may post alternative CIP instructions.
Please do not send CIPs to the DCPP team as these need to be considered against the specific project requirements. - If the Cyber Risk Profile is HIGH, DCPP will send out the necessary flow down instructions.
DEFCON 658
Please note, as per this Industry Security Notice
- Annual renewals have been paused.
- Flow downs are also paused unless the Cyber Risk Profile (CRP) is HIGH. If this is the case and your CRP is HIGH, then you should proceed with your flow down submissions.
Future Tool
The new tool is currently undergoing testing. Suppliers/bidders will be informed by the MOD Delivery team at a point where roll out of the tool can start. There is currently no release date.
The DCPP team: ukstratcomdd-cydr-dcpp@mod.gov.uk
Additional information
-
Preview the Risk Assessment
-
Preview the Supplier Assurance Questionnaire
-
For more information: Contact us
Def Stan 05-138
This is the Defence Standard defining the controls required for each Cyber Risk Profile (level).
DEFCON 658
This is the contractual Defence Condition that references supply chain cyber security.
Defence Industry Warning, Advice and Reporting Point (WARP)
There is a requirement to report security incidents where MOD data might be involved
Understanding more about the Cyber Security Model
Watch a video explaining the Cyber Security Model
The Cyber Risk Profile is assessed on 6 questions relating to:
-
electronic exchange or creation of MOD Identifiable Information
-
classification
-
personal data
-
connectivity to MOD networks
Cyber Essentials underpins the MOD Cyber Risk Profiles. Cyber Essentials is a certification scheme identifying the minimum steps an organisation should take to protect themselves against cyber risk.
The Supplier Assurance Questionnaire is a self-assessment for organisations to demonstrate how they meet our requirements. The online tool allows sample questionnaires to be completed to identify gaps. Where there are differences a Cyber Implementation Plan (CIP) should be completed, particularly if an alternative cyber security standard is used.
Further information on CIPs can be found in:
-
Annex D of the Buyer Supplier Guide
News
Def Stan 05-138 v3 Cyber Security for defence suppliers
Contact us
The DCPP Team can be contacted by email on: ukstratcomdd-cydr-dcpp@mod.gov.uk or DCPP LinkedIn Group.
DCPP group on the NCSCs Cyber Information Sharing Partnership (CISP), register at