In 2010 the UK National Security Strategy classed cyber attacks as a Tier 1 threat to the UK.
Subsequently, the 2011 Cyber Security Strategy recognised that the scale of the challenge, not least the cross-border, international nature of the cyber threat, meant UK Government action alone would be insufficient: the most effective solutions would come from public and private sectors working together.
The cyber threat faced by Industry comes from criminals, hacktivists, terrorists, commercial espionage and foreign intelligence services. Government, industry and academic studies all point to the cyber threat increasing, in both frequency and sophistication.
Supply chain organisations must be prepared to counter these threats, protect capability and increase their resilience by working collaboratively across Government and Industry, and by taking appropriate measures to ensure their own cyber security, for the benefit of their own organisations, suppliers and customers.
In 2014 the Department for Business, Innovation and Skills (BIS) on behalf of the government published the Cyber Essentials Scheme (CES): a set of five technical controls that all businesses were recommended to achieve. GCHQ has estimated that the CES would prevent up to 80% of currently successful attacks. Cyber Essentials is free to download, and any organisation can use the guidance to implement essential security controls.
The CES provides businesses small and large with clarity on good basic cyber security practice. By focussing on basic cyber hygiene, your company will be better protected from the most common cyber threats.
Cyber Essentials is for all organisations, of all sizes, in all sectors - we encourage all to adopt the requirements as appropriate to their business. This is not limited to companies in the private sector, but is also applicable to universities, charities, and public sector organisations.
The Cyber Essentials badge allows your company to advertise the fact that it adheres to a government endorsed standard.
The CES has been developed as part of the UK’s National Cyber Security Programme and in close consultation with industry.
Find out more about Cyber Essentials here.
The Defence Cyber Protection Partnership (DCPP) is a joint Industry and Government response to this threat in the Defence context. The DCPP was initiated in 2012 and formally established in 2013 by MOD, other government departments (OGDs) and Defence Suppliers, including Thales, working together to increase the resilience of the sector.
What does this mean for Defence Supply Chain organisations?
As of 1 January 2016, all suppliers bidding for new MOD requirements which include the transfer of ‘MOD identifiable information’ should achieve a Cyber Essentials Scheme (CES) certificate by the contract start date. However, the DCPP Cyber Security Model (CSM), which will require some suppliers to ensure additional cyber security controls are in place ahead of contract award, is currently due to be implemented, in relation to new MOD contracts, for prime contractors from 3 April 2017 and for sub-contractors for all new MOD contracts awarded after 2 October 2017.
The Cyber Security Model
There are 3 parts to the DCPP’s CSM:
- A risk assessment to determine the level of cyber risk
- Setting the Cyber Risk Profile and aligning it to the DCPP requirements
- Demonstrating your ability to meet the DCPP requirements through the Supplier Assurance Questionnaire (SAQ)
The DCPP recognises Cyber Essentials as the basis for good cyber security practice and has incorporated it as the foundation of the CSM. The lowest DCPP requirement (‘Very Low’) requires only that the supplier achieves Cyber Essentials, with all other levels requiring Cyber Essentials Plus in addition to the DCPP specific controls. It is recommended that all suppliers achieve compliance with Cyber Essentials in preparation for the implementation of the CSM for Defence.
What do suppliers need to do?
Once a Cyber Risk Profile has been set for each contract, the supplier may be asked to complete an SAQ and provide suitable supporting evidence to demonstrate their ability to meet the DCPP requirements for the level of risk that they are, or will be, contracted against.
Resources
For an overview of the DCPP initiative and information about the proportionate security controls to be implemented and evidence to be submitted as part of all MOD contracts, please follow the links below:
Defence Cyber Protection Partnership
Where can I go for more information about DCPP?
A simple summary document is published here. If you wish to talk to Thales in person about the DCPP and you, please contact Ian Hughes, and for online updates about DCPP in general join the DCPP Linkedin group or contact the MOD DCPP team.
To help you become MOD cyber-ready, Thales offers a consultancy service to help you get to grips with the new MOD cyber requirements in the most efficient and cost-effective way possible. We help you to do what is necessary to continue to participate and profit within the UK defence industry.
We have created a series of steps to suit your level of understanding and the needs of your organisation:
STEP 1
If you don’t know what DCPP, CSM or DEFCON 658 are, then we will visit your business to educate you and help you to understand what this means for you.
STEP 2
We will work onsite with you to complete your SAQ and help you identify and collect the evidence necessary to understand where you currently are and where you need to be. Step 2 provides a ‘gap analysis’ which identifies what controls you have in place and what additional controls you still need to implement.
STEP 3
You know where you are but you still have further to go. We provide recommendations on the controls you need to have in place and the actions you need to take to prove to MOD and your prime that you can be trusted with MOD data. We will review the output of your SAQ and provide an actionable plan of what you must do to improve your level of cyber security maturity and reduce your Risk Profile.
STEP 4
You know where you are, where you want to be and have a fair idea of what you need to do.
We can offer friendly Information Assurance and Cyber Security consultants to help you to identify suitable products, services or governance to help you along your journey.
For more information about the DCPP Consulting support offer please download the summary document here or contact Ian Hughes.
Useful information about the DCPP, the Cyber Essentials Scheme and the Cyber Security Model can be found here.