Cyber security for the MoD and defence supply chain

Defence suppliers face cyber security requirements significantly stricter than the wider public sector. Forensic Control helps MoD suppliers and the defence supply chain meet Cyber Essentials Plus, DEFCON 658 and related obligations, led by David Webb, with over 26 years of military service including 16 years in UK Special Forces and an MSc in Security & Risk Management.

Why defence cyber requirements sit above the public sector baseline

Selling into the MoD or working within the defence supply chain places suppliers in a category apart from general public sector procurement. The requirements are stricter, the consequences of non-compliance are more serious, and the threat environment is more targeted: defence suppliers are singled out for the information and access they hold.

Four sets of requirements normally apply:

  • Cyber Essentials Plus is mandatory for most MoD contracts under DEFCON 658, regardless of contract value.
  • DEFCON 658 sets specific contractual cyber security obligations and notification requirements that flow down through the supply chain.
  • Where US-controlled technology is involved, ITAR and EAR may impose additional obligations around access to technical data.
  • The Defence Cyber Protection Partnership, JSP 440 where applicable, and sector-specific frameworks set wider expectations on suppliers, often referenced in tender documents.

Forensic Control supports defence suppliers in meeting these requirements. The work is led by David Webb, who brings 26 years of military service (including 16 in UK Special Forces) and an MSc in Security & Risk Management to a sector where lived understanding of defence operations is rare among cyber security consultancies.

Common challenges for defence suppliers

Defence cyber requirements are not the same as wider public sector cyber requirements. The challenges suppliers face reflect that difference.

Cyber Essentials Plus as a contract condition

For most MoD contracts, Cyber Essentials Plus is mandatory regardless of contract value. Basic Cyber Essentials is not enough.

DEFCON 658 and contract clauses

DEFCON 658 sets specific cyber security obligations within MoD contracts, including notification requirements and supply chain flow-down.

Defence supply chain assurance

Prime contractors are expected to assure cyber security across their supply chain. Your security posture affects your prime's contract, not only your own.

ITAR and export controls

Where US-controlled technology is involved, ITAR may restrict who can access technical data and require specific protections beyond standard cyber controls.

Sensitive information handling

Defence contracts routinely involve OFFICIAL-SENSITIVE and sometimes higher classifications. Each level has specific handling requirements.

Incident notification obligations

Defence contracts include specific incident notification clauses with tight timelines. Knowing what to report and to whom is critical.

Cyber Essentials Plus as a DEFCON 658 condition

Cyber Essentials Plus is the baseline for most MoD contracts under DEFCON 658, and it is the default level we recommend for defence supply chain suppliers. The independent technical audit provides the evidence that prime contractors and contracting authorities expect.

Forensic Control is an authorised IASME Certification Body, not a reseller. We have been delivering Cyber Essentials since 2017, and we work with defence suppliers to certify quickly:

  • Cyber Essentials Plus. Independent technical audit with vulnerability scanning included at no extra cost. The default level for defence work.
  • Cyber Essentials Duo. Basic and Plus combined at a single price point. A practical option for firms moving into defence work for the first time.
  • Pre-assessment readiness review. Particularly important for defence suppliers, who often face stricter assessor scrutiny than suppliers certifying for commercial work.

Most defence suppliers can be certified within weeks once scope is agreed. We work to your bid or contract timeline and to the specific requirements of the contracting prime or authority.


Your DEFCON 658 readiness path

A typical engagement runs from initial contract scoping through to certification and readiness to operate. We work to your contracting prime's or authority's timeline.

1. Initial scoping
We review your contract requirements, in-scope systems and any DEFCON 658 clauses to confirm what level of certification you need and what supply chain assurance applies.

2. Pre-assessment review
A short engagement to identify any gaps that would cause an assessment to fail. Most defence suppliers benefit from this before the formal Cyber Essentials Plus audit.

3. Cyber Essentials Plus certification
Independent technical audit including vulnerability scanning. The standard required for most MoD contracts under DEFCON 658.

4. Notification and reporting setup
Establish the incident notification process that DEFCON 658 contracts require, including who to contact at the prime or contracting authority and within what timeframe.

5. Supply chain assurance
For prime contractors, we extend the readiness review to your in-scope subcontractors so the DEFCON 658 flow-down requirements are met across the chain.

6. Ongoing support
Twelve months of vulnerability scanning, annual recertification, and incident response support if needed, drawing on David Webb's defence experience and his investigative experience with the Metropolitan Police Hi-Tech Crime Unit.

"Defence cyber security is not a paperwork exercise. The threat environment is real, the contracting requirements are specific, and the supplier's ability to demonstrate genuine security maturity is part of how the supply chain is assured. Having spent 26 years in the military, 16 of them in UK Special Forces, I know the difference between a security programme that works under pressure and one that only looks good on a tender response."

David Webb
Director, Forensic Control. 26 years military service including 16 years in UK Special Forces. MSc Security & Risk Management.

Frequently asked questions

Practical answers to the questions defence suppliers ask us most often.
  • Is Cyber Essentials Plus mandatory for MoD contracts?
  • What is DEFCON 658?
  • How does DEFCON 658 affect subcontractors?
  • What does ITAR mean for defence suppliers?
  • We are new to the defence supply chain. What should we put in place first?
  • What if there is a cyber incident on a defence contract?
  • How does Cyber Essentials Plus interact with the Defence Cyber Protection Partnership?
  • How quickly can a defence supplier get Cyber Essentials Plus?

Speak to a specialist about defence supply chain cyber security

Whether you are preparing for a specific MoD or prime contractor bid, responding to DEFCON 658 obligations, or improving your wider defence supply chain security posture, we can help. Contact us or book a short call to talk through where you are and what you need.