The Defence Cyber Protection Partnership (DCPP) is a joint Industry and Government response to this threat in the Defence context. The DCPP was initiated in 2012 and formally established in 2013 by MOD, other government departments (OGDs) and Defence Suppliers, including Thales, working together to increase the resilience of the sector.
What does this mean for Defence Supply Chain organisations?
As of 1 January 2016, all suppliers bidding for new MOD requirements which include the transfer of ‘MOD identifiable information’ should achieve a Cyber Essentials Scheme (CES) certificate by the contract start date. However, the DCPP Cyber Security Model (CSM), which will require some suppliers to ensure additional cyber security controls are in place ahead of contract award, is currently due to be implemented, in relation to new MOD contracts, for prime contractors from 3 April 2017 and for Sub contractors for all new MOD contracts awarded after 2 October 2017.
The Cyber Security Model
There are 3 parts of the DCPP’s CSM:
- A risk assessment to determine the level of cyber risk
- Setting the Cyber Risk Profile and aligning it to the DCPP requirements
- Demonstrating your ability to meet the DCPP requirements through the Supplier Assurance Questionnaire (SAQ)
The DCPP recognises Cyber Essentials as the basis for good cyber security practice and has incorporated it as the foundation of the CSM. The lowest DCPP requirement (‘Very Low’) requires only that the supplier achieves Cyber Essentials, with all other levels requiring Cyber Essentials Plus in addition to the DCPP specific controls. It is recommended that all suppliers achieve compliance with Cyber Essentials in preparation for the implementation of the CSM for Defence.
What do suppliers need to do?
Once a Cyber Risk Profile has been set for each contract, the supplier may be asked to complete an SAQ and provide suitable supporting evidence to demonstrate ability to meet the DCPP requirements for the level of risk that they are, or will be, contracted against.
For an Overview of the DCPP initiative and information about the proportionate security controls to be implemented and evidence to be submitted as part of all MOD contracts, please follow the links below:
Defence Cyber Protection Partnership
Where can I go for more information about DCPP
A simple summary document is published here. If you wish to talk to Thales in person about the DCPP and you, please contact Ian Hughes, and for online updates about DCPP in general join the DCPP Linkedin group or contact the MOD DCPP team.