The contract is at stake
A prime's questionnaire lands with cyber clauses you have to evidence, and the next stage of the contract depends on the answers. Getting it wrong does not mean a warning. It means the work goes elsewhere.
Primes and their suppliers carry obligations ordinary IT cannot satisfy: flow down cyber clauses, a JOSCAR registration to keep current, OFFICIAL-SENSITIVE material to handle, and evidence that survives a supplier assurance review. We run, secure, build, and prove the technology behind all of it, so a contract is never lost on a control nobody owned. UK based, BPSS cleared staff, UK data residency, and a working knowledge of the standards most providers have never read.
Prime contractors are flowing down cyber security requirements harder than ever, and the MOD now expects specific, evidenced controls from the businesses in its supply chain. The consequence of getting it wrong is not just a failed audit. It is a lost contract and a damaged relationship with a prime. We understand the framework that governs this work, and we build the posture and the evidence to satisfy it.
The MOD assigns each contract a risk profile based on the information and systems involved, and each profile sets a minimum security baseline. Knowing where a contract sits, and what it therefore demands, is the difference between a clean supplier assurance review and an awkward one. The grades below are the model's own.
The pressures are specific to this sector, and so is the cost of failing them. These are the problems we are most often brought in to solve.
OFFICIAL and OFFICIAL-SENSITIVE information has to be encrypted, access controlled on a need to know basis, logged, disposed of securely, and kept in the UK. Ordinary cloud defaults do not get you there.
Test data, flight systems, and design files are exactly what a capable adversary is after. The work has to be defended, monitored, and recoverable, and you need to be able to show that it is.
We do not sell defence a different product. We point the same four disciplines at the obligations and risks that are specific to it, and link you to the service that does the work. One partner, no gaps between suppliers for a failure to hide in.
UK based support, UK hosted infrastructure, and no offshore centre touching your environment. A service desk and proactive management that keep a demanding operation online, with MDR included as standard.
We are a Cyber Essentials certification body, so we know exactly what the standard requires and get you cleanly through Plus, the baseline most supply chain work now expects. Monitoring and incident response sit behind it, watching the systems an adversary would target.
Bespoke software, integration, and applied AI built by the same team that runs and secures it, on UK hosted infrastructure with a full audit trail. The thing we build is the thing we can stand behind and account for.
We build and maintain the evidence packs, policies, and audit trails that primes and assessors ask for, and help you complete JOSCAR and prime specific questionnaires with accurate, evidenced answers. CAF aligned, so the controls map to a recognised framework.
Our UK based staff hold BPSS clearance, which is sufficient for most supply chain work handling OFFICIAL information. We do not currently hold SC or DV clearance, and we will not pretend otherwise. Where a contract requires a higher level, we work with you through the sponsorship process rather than overstating what we have. Your data stays in UK jurisdiction throughout: UK cloud, UK backups, and no offshore support.
For most supply chain work it is the floor. Under the MOD Cyber Security Model, a Low risk profile generally expects Cyber Essentials, and a Moderate profile, where OFFICIAL-SENSITIVE information is involved, expects Cyber Essentials Plus. The honest answer depends on the risk profile of your specific contract, which we can read with you. As a certification body, we take you through it cleanly.
They are MOD contract clauses for cyber security. In practice, 658 sets out the cyber risk management requirements that apply to you under the contract, and 659 deals with flowing those requirements down to your own subcontractors. If either appears in your contract, your IT and your suppliers both need to be able to answer it, and we help you build and evidence that.
Our UK based staff hold BPSS, the Baseline Personnel Security Standard, which is sufficient for most supply chain work handling OFFICIAL information. We do not currently hold SC or DV clearance. Where your contract requires a higher level, we work with you through the sponsorship process rather than claiming clearances we do not have.
With encryption at rest and in transit, access controlled on a need to know basis, audit logging, secure disposal, and UK only data residency. The controls are designed to match the risk profile of the contract rather than applied as a generic template, and the evidence that they are in place is produced as a matter of course, not reconstructed under pressure before a review.
Yes. We help clients complete JOSCAR registrations and annual renewals, including the detailed cyber security sections, and the prime specific supplier assurance questionnaires that sit alongside them. The aim is accurate, evidenced answers backed by controls that are genuinely in place, because that is what stands up when a prime checks.
We can build and run the IT environment that prevents unauthorised foreign access, with UK based staff and UK data residency. ITAR and EAR compliance itself is primarily a legal and procedural matter, so we work alongside your export control advisers rather than replacing them. The technology controls are ours; the legal interpretation stays with the specialists.
Send us the clauses in your contract, or the questionnaire from your prime. We will tell you plainly where you stand and what it takes to close the gap. We reply within one working day, and you will speak to an engineer, not a salesperson.