What Cyber Security Do I Need for MOD Contracts?

MOD contracts require Cyber Essentials Plus minimum. Higher sensitivity work needs more. Here's what you need to know before bidding.

Cyber Security for MOD Contracts | Requirements Guide

Quick Answer

Cyber Essentials Plus at minimum. Depending on what you're handling, you may also need additional controls, UK data residency, and cleared personnel.

Quick answer: Cyber Essentials Plus at minimum. Depending on what you're handling, you may also need additional controls, UK data residency, and cleared personnel.

The Baseline: Cyber Essentials Plus

DEFCON 658 makes CE Plus mandatory for defence supply chain. This isn't negotiable.

Direct MOD suppliers need it
Prime contractor suppliers need it (flow-down)
Anyone in the defence supply chain handling relevant information needs it

No CE Plus = no defence contracts. Get certified before you bid.

Beyond CE Plus

Some contracts require more:

Enhanced cyber requirements Sensitive programmes may specify controls beyond CE Plus. The tender will detail additional requirements.

UK data residency Many contracts require data to stay in the UK. No offshore processing or storage. This affects your choice of:

Cloud providers (must have UK data centres)
Backup locations
Support services

Security clearances Work involving classified information requires cleared personnel:

BPSS (baseline) for Official
SC (Security Check) for Secret
DV (Developed Vetting) for Top Secret

Clearances take time. SC can take months. Plan ahead.

List X Handling classified material at your premises requires List X approval. This is a significant undertaking—physical security, IT security, personnel security. Most SMEs don't need this.

Typical Requirements by Contract Type

General defence supply (non-sensitive)

Cyber Essentials Plus
Probably UK data residency
BPSS for relevant staff

Sensitive programmes

Cyber Essentials Plus
Enhanced cyber controls per contract
SC clearances for key staff
UK data residency mandatory
Possibly additional certifications (ISO 27001)

Classified work

All of the above
DV clearances
List X facility (potentially)
Specific handling requirements

Preparing for Defence Work

Before you bid:

Get Cyber Essentials Plus (or start the process)
Ensure UK data residency for your systems
Identify staff who'll need clearances
Read contract requirements carefully

Common gaps we see:

Cloud services processing data outside UK
No clear asset register
Staff without appropriate clearances
Inadequate evidence for audits

What We Provide

We specialise in the defence supply chain. Our Compliance-Ready managed services include:

Security controls that meet defence requirements
UK-hosted infrastructure
Evidence and reporting for audits
CE Plus certification support
Ongoing compliance maintenance

Defence requirements aren't just about passing certification. They're about maintaining compliance and having evidence when primes ask questions.

---

*Disclaimer: MOD and defence contract requirements vary by programme, classification level, and prime contractor. This is general guidance—always verify specific requirements in your contract terms. Defence requirements are updated periodically. Consult with your contracting authority for definitive guidance.*

---

- we know what's actually required.

---