Secure 0118 359 2220 Get Started

Press ESC to close or Enter to search

Popular Pages
Managed IT Cyber Security Case Studies Pricing Contact
Home
About Us
Services
Managed IT Services Cyber Security & Compliance Microsoft 365 Cloud & Hosting Backup & Disaster Recovery Connectivity & Telephony Incident Response & 24/7 IT Support Reading
Pricing
Tools
Domain Health Check About You Password Generator
Resources
Case Studies Threat Intelligence Blog & Insights Guides FAQs Customer Portal Remote Support
Contact
Get Started
Live Security Feed
Your IPDetecting...
NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025 NCSCUK organisations urged to strengthen cyber defences ALERTPhishing attacks targeting Microsoft 365 users on the rise CISACritical vulnerabilities identified in popular software NEWSRansomware groups increasingly targeting SME businesses NCSCNew guidance released for securing remote workers ALERTBusiness email compromise attacks cost UK firms millions CISAZero-day exploits require immediate patching attention NEWSAI-powered threats becoming more sophisticated in 2025
View Dashboard
Compliance

Do Subcontractors Need Cyber Essentials Plus for Defence Work?

Quick Answer

Yes. DEFCON 658 flows down through the supply chain. If you're supplying to a prime contractor on defence work and handling relevant information, you need Cyber Essentials Plus.

Quick answer: Yes. DEFCON 658 flows down through the supply chain. If you're supplying to a prime contractor on defence work and handling relevant information, you need Cyber Essentials Plus.

How Flow-Down Works

The MOD requires prime contractors to meet cyber security standards. Primes are contractually required to ensure their supply chain meets the same standards.

The chain:

  1. MOD includes DEFCON 658 in prime contract
  2. Prime flows requirement down to Tier 1 suppliers
  3. Tier 1 flows it to Tier 2
  4. And so on
If you're anywhere in that chain and handling defence-related information, the requirement reaches you.

What "Handling Defence-Related Information" Means

You need CE Plus if you're:

  • Receiving technical data from the customer
  • Creating deliverables with defence application
  • Accessing customer systems
  • Storing or processing defence-related information
You might not need it if you're:
  • Providing completely generic services (catering, cleaning)
  • Never touching any defence-related information
  • Completely isolated from the defence work
When in doubt, assume you need it. Your customer will tell you if you don't.

What Your Prime Contractor Will Ask

Expect to provide:

  • Valid CE Plus certificate
  • Confirmation of scope coverage
  • Evidence you'll maintain certification
Many primes now check certification before awarding subcontracts. No certificate = no work.

The Timeline Problem

Here's what we see:

  1. Small company gets exciting opportunity with a prime
  2. Prime asks for CE Plus certificate
  3. Company doesn't have it
  4. Certification takes 6-8 weeks
  5. Opportunity has a deadline
  6. Stress ensues
Get certified before you need it. If defence work is in your strategy, get CE Plus now.

Common Questions

"We only do a small part of the project" Doesn't matter. If you're handling relevant information, you need certification.

"Our bit isn't sensitive" Your customer decides what's relevant. If they're flowing down the requirement, they've decided it applies.

"We're too small for this" Size doesn't exempt you. Small suppliers are often softer targets—that's exactly why the supply chain requirements exist.

"Can we get an exemption?" Very unlikely. The requirement exists because supply chains are targeted. Exemptions undermine the whole approach.

What We Do

We help defence supply chain companies achieve and maintain CE Plus:

  • Gap analysis to know where you stand
  • Remediation to close gaps efficiently
  • Certification support through the process
  • Ongoing compliance to maintain certification
Our Compliance-Ready managed services keep you certified year-round, not scrambling at renewal time.

---

*Disclaimer: Flow-down requirements depend on your specific contract terms and the nature of work performed. This is general guidance—verify requirements with your prime contractor. Contract terms and defence requirements change over time.*

---

about getting certified.

---

Related Questions