
What Is DEFCON 658 and Does It Apply to My Business?

Quick Answer

DEFCON 658 is the MOD's contract clause requiring defence suppliers to meet minimum cyber security standards. If you supply to defence—directly or through the supply chain—it likely applies to you.

What DEFCON 658 Requires

At minimum: Cyber Essentials Plus certification.

Depending on what you're handling, you may also need:

  • Additional security controls beyond CE+
  • Specific data handling requirements
  • UK data residency
  • Cleared personnel

The exact requirements depend on your contract and what information you're handling.

Does It Apply to You?

Yes, if:

  • You have a direct MOD contract
  • You supply to a prime contractor (BAE, Rolls-Royce, Leonardo, etc.) on defence work
  • You're anywhere in the supply chain for a defence programme

The key point: DEFCON 658 flows down. If your customer has it in their contract, they'll flow it down to you. Check your contract terms.

What "Flows Down" Means

Your prime contractor is required to ensure their suppliers meet the same standards. So even if you're a small business three tiers down the supply chain, if you're handling defence-related work, the requirement reaches you.

No CE Plus = no contract. It's that straightforward.

How to Comply

Step 1: Confirm what's actually required. Read your contract or ask your customer.

Step 2: Get Cyber Essentials Plus certified. This is the baseline.

Step 3: Implement any additional controls specified for your work.

Step 4: Maintain compliance. CE+ requires annual renewal.

Beyond CE Plus

Some defence work requires more than basic CE+:

  • Enhanced cyber requirements for sensitive programmes
  • Specific handling requirements for classified information
  • Security clearances for personnel
  • UK-only data storage and processing

If you're handling anything marked Official-Sensitive or above, there are additional requirements beyond CE+.

What We Do

We work with defence supply chain companies to meet these requirements. We understand MOD expectations, prime contractor flow-downs, and what "good enough" actually looks like for defence work.

Our Compliance-Ready managed services include the security controls and evidence that defence contracts require—built in from day one, not bolted on for audits.

---

*Disclaimer: Defence contract requirements vary by programme and classification level. This is general guidance—always check your specific contract terms and consult with your prime contractor or MOD contact for definitive requirements. DEFCON clauses are updated periodically.*

---
