Cyber Essentials for defence suppliers: Def Stan 05-138, DEFCON 658 and the supply chain
If you supply the UK defence sector, Cyber Essentials is usually the entry requirement, and Cyber Essentials Plus is common for anything beyond the lowest risk work. The contractual mechanism is DEFCON 658, which flows the security condition down the supply chain, and the risk levels, and the controls each level demands, are set by Def Stan 05-138. A tier-2 or tier-3 supplier rarely needs the heaviest controls, but does need to identify its risk level correctly and hold the certifications the contract requires.
The short version
Defence buyers do not just secure their own systems. They are required to make sure the businesses they buy from are secure too, because an attacker will go for the weakest link in the chain, and that is often a smaller supplier. So the requirement flows downhill. A prime contractor passes it to its suppliers, who pass it to theirs, and a small firm several tiers down can find a defence security clause in a contract without ever having dealt directly with the Ministry of Defence.
Three things define how this works in practice. Def Stan 05-138 is the standard that sets out the cyber security controls by risk level. DEFCON 658 is the contract condition that makes those controls binding and pushes them down the chain. Cyber Essentials, and often Cyber Essentials Plus, is the baseline certification that sits at the entry levels. Get those three straight and the rest follows.
- The requirement flows down the supply chain through the contract, not just to the prime.
- Cyber Essentials is typically the floor; Cyber Essentials Plus is common above the lowest risk.
- Most tier-2 and tier-3 suppliers handle a moderate risk level, not the heaviest controls.
Def Stan 05-138: the standard that sets the bar
Defence Standard 05-138 is the Ministry of Defence's standard for the cyber security controls expected of suppliers. Rather than a single fixed bar, it sets out escalating levels of control based on the risk attached to the information and the contract. The risk level is assessed for each contract, commonly through a risk assessment process the buyer runs, and that level then dictates which controls you must hold.
The principle is proportionality. A supplier handling only low risk information is not asked to implement the same controls as one handling information that would cause serious harm if it leaked. As the risk level rises, the controls move from the Cyber Essentials baseline up through more demanding frameworks. The current issue of the standard aligns these higher levels with recognised frameworks, so the controls map to things like ISO 27001:2022 and the NCSC Cyber Assessment Framework rather than inventing a separate scheme.
| Risk level | Roughly what it covers | Typical control expectation |
|---|---|---|
| Lower risk | Contracts handling little or no sensitive defence information | Cyber Essentials as the baseline |
| Moderate risk | Where most tier-2 and tier-3 suppliers sit | Cyber Essentials or Cyber Essentials Plus, with additional controls |
| Higher risk | More sensitive information, closer to the heart of a programme | Alignment with a fuller framework such as ISO 27001 or the Cyber Assessment Framework |
The exact mapping and terminology belong to the current version of the standard and the buyer's own risk assessment. Treat the table as the shape of the thing, not the letter of it, and confirm your level against the actual contract.
DEFCON 658: how the requirement reaches you
Def Stan 05-138 says what good looks like. DEFCON 658 is the contract condition that makes it binding. DEFCON clauses are the standardised conditions the Ministry of Defence includes in its contracts, and 658 is the one dealing with cyber security. When it is in a contract, it requires the supplier to meet the risk based controls and, critically, to flow the same obligation down to any subcontractors whose work touches the relevant information.
That flow down is the part smaller firms miss. If you subcontract part of a defence job, you are expected to place the equivalent condition on your own suppliers. It is also why a tier-3 firm can receive the requirement from a tier-2 firm it does not think of as "defence" at all. The clause has simply travelled down the chain to reach it. There is a companion clause, DEFCON 659, dealing with the contract's general security measures rather than cyber security specifically, and the two are easy to confuse, so read which one your contract actually cites.
The Supplier Cyber Protection Service
The mechanism behind DEFCON 658 is the Supplier Cyber Protection Service. In outline, the buyer's risk assessment for the contract produces a risk level, the supplier holds the controls and certifications matching that level, and the supplier confirms compliance through the service by answering an assurance questionnaire about its own controls. The practical takeaway for a smaller supplier is that the process expects you to understand your risk level, answer honestly about the controls you actually have, and evidence them, rather than the buyer hand holding you through every step.
Where Cyber Essentials and Cyber Essentials Plus fit
For most of the defence supply chain, Cyber Essentials is the entry ticket. At the lower risk levels it is frequently the named requirement on its own. As the risk level rises, Cyber Essentials Plus, the version with an independent technical audit, becomes the expectation, because a self assessment alone is not enough assurance for more sensitive work.
This matters for planning, because Cyber Essentials Plus is verified on your live systems, not just declared on a form. The controls themselves are the same five as the basic certification; what changes is that an assessor tests them rather than taking your word. The same issues that catch any business out (unpatched or unsupported devices, everyday accounts with admin rights, unmanaged personal phones on company email, and missing multi factor authentication) will catch a defence supplier out too, with a contract deadline attached. The defence context raises the stakes of failing, not the nature of the controls.
At the higher risk levels the picture broadens beyond Cyber Essentials into fuller frameworks. Def Stan 05-138 Issue 4 maps its higher levels to ISO 27001:2022 and the NCSC Cyber Assessment Framework, so a supplier moving up the chain is moving from a technical baseline towards a managed information security system. That is a larger programme, and worth recognising early if your contracts are trending that way.
The path for a tier-2 or tier-3 supplier
If you are a smaller supplier who has just seen a defence security clause appear in a contract or a questionnaire, here is a sensible order to work in.
- Read the clause and identify the standard. Confirm whether the contract cites DEFCON 658, references Def Stan 05-138, and names Cyber Essentials or Cyber Essentials Plus. Note any specific risk level given.
- Establish your risk level. Take the risk level from the buyer's assessment for the contract, and where you are asked to complete an assessment or questionnaire yourself, answer it honestly. Most tier-2 and tier-3 suppliers land at a moderate level, not the highest, but the assessment, not a guess, sets your obligations.
- Map your gaps against that level. Check your real systems against the controls required. This is the same gap review any Cyber Essentials project starts with, scoped to the risk level the contract demands.
- Get certified at the right level. Achieve Cyber Essentials, and Cyber Essentials Plus if required, before the deadline. Build in time for remediation, because the audit tests your live systems.
- Flow the requirement down. If you subcontract relevant work, place the equivalent condition on your own suppliers, and keep the records that show you did.
- Keep the evidence current. Certifications lapse and risk levels change between contracts. Treat this as something you maintain, not a one off hurdle.
A note on JOSCAR and supplier assurance
Many defence and aerospace primes also use supplier assurance registers such as JOSCAR to check who they are dealing with. Cyber Essentials and the Def Stan 05-138 controls tend to feed into that wider picture, alongside quality, financial, and other checks. The same discipline helps here: knowing your certifications, holding the evidence, and being able to answer a supplier assurance questionnaire without a last minute scramble before the prime's deadline.
How we approach it
Most IT providers have never heard of Def Stan 05-138, or the difference between DEFCON 658 and 659. We have. As an appointed Cyber Essentials certification body, with a founder who is a certified Cyber Essentials Assessor, we help defence suppliers identify their risk level, close the gaps against it, and certify at the level the contract actually requires. We keep the work proportionate, so a tier-3 supplier is not sold the controls of a prime, and we keep the evidence in order, so the next questionnaire is answered from a file, not a panic. We do not speculate about classified matters, and we will not name who else we work with in this sector, because that discretion is part of the job.
Common questions
What is DEFCON 658?
DEFCON 658 is the standardised cyber security condition the Ministry of Defence includes in its contracts. When it applies, the supplier must meet the risk based controls set out in Def Stan 05-138 and flow the same obligation down to any subcontractors whose work touches the relevant information. It is the contractual mechanism that pushes defence cyber security requirements down the supply chain, which is how a smaller supplier ends up subject to it.
What is Def Stan 05-138?
Defence Standard 05-138 is the Ministry of Defence's standard for the cyber security controls expected of suppliers. It sets escalating levels of control based on the risk attached to the contract and the information involved. Lower risk levels are met by Cyber Essentials, while higher levels align with fuller frameworks such as ISO 27001:2022 and the NCSC Cyber Assessment Framework. The risk level is assessed per contract and then determines which controls you must hold.
Do I need Cyber Essentials or Cyber Essentials Plus to supply defence?
It depends on the risk level of the contract. At lower risk levels Cyber Essentials on its own is often the named requirement. As the risk rises, Cyber Essentials Plus, the version with an independent technical audit, becomes the expectation, because a self assessment is not enough assurance for more sensitive work. The contract and your risk assessment decide which you need, so confirm the level before you commit to a timeline.
What is the difference between DEFCON 658 and DEFCON 659?
They are different standardised contract conditions that are easy to confuse. DEFCON 658 deals with cyber security, requiring suppliers to meet the risk based controls in Def Stan 05-138 and flow them down the chain. DEFCON 659 covers the contract's general security measures, which are about protecting the information and assets on the contract rather than the cyber security controls specifically. The practical advice is simple: read which clause your contract actually cites, and meet the requirement it sets rather than assuming the two are interchangeable.
I am a small subcontractor, why does a defence requirement apply to me?
Because the requirement flows down the supply chain. DEFCON 658 obliges each supplier to place the equivalent condition on its own subcontractors whose work touches the relevant information. So a tier-2 firm passes it to a tier-3 firm, and a small business can find a defence security clause in a contract without ever dealing directly with the Ministry of Defence. The controls are scaled to your risk level, so they are usually proportionate to the work you actually do.
How long does it take to get certified for a defence contract?
For Cyber Essentials, a typical small business can be ready in weeks once the gaps are closed. Cyber Essentials Plus usually takes four to six weeks, allowing for a gap review, remediation, and the audit, and longer if you have unsupported systems or unmanaged devices. Note that the Plus audit has to be completed within three months of the Cyber Essentials self assessment certificate, so plan the two together rather than certifying the basic level and leaving Plus for later. If your risk level points towards ISO 27001 or the Cyber Assessment Framework, plan for several months, because that is a managed system to build, not a quick certification.
Defence clause landed in your contract?
Send us the clause or the questionnaire. We will tell you plainly which standard applies, what risk level you are likely at, and exactly what it takes to certify in time. We reply within one working day, and you will speak to an engineer, not a salesperson.