Understanding the DCPP and the Cyber Security Model

July 24th, 2019
Understanding the DCPP and the Cyber Security Model

Understanding the DCPP and the Cyber Security Model - blog feature image (900x300)

What is the DCPP?

The Defence Cyber Protection Partnership (DCPP) is a joint initiative between industry and the Ministry of Defence (MOD). Its aim is to improve the protection of the defence supply chain from cyber threats and to set new cyber security standards.

The DCPP has worked to define its own assessment of cyber security compliance in businesses, which is built upon the Cyber Essentials scheme already laid out by the UK government, but with some differences.

What is Cyber Essentials?

Cyber Essentials is a certification to show that businesses of any size and in any sector have proactively secured and protected all of their devices against online attacks. There is also a Cyber Essentials Plus, which uses a third-party assessor to test your systems.

To have your company accredited, regardless of which level you choose, you need to meet the five baseline controls set out by the UK government and the National Cyber Security Centre (NCSC). These are:

  • Boundary firewalls and internet gateways
  • Malware protection
  • Patch management
  • Secure configuration
  • Access control

You can find out more about Cyber Essentials here: Cyber Essentials vs Cyber Essentials Plus: Whats the difference?

Understanding the DCPP and the Cyber Security Model - quote (900x300)

What is the Cyber Security Model?

The Cyber Security Model (CSM) is the DCPP’s own standard for assessing the security systems a business has in place before they are eligible for any high-risk contract offered by the MOD. It looks at risk management and governance and is therefore at a higher level than the Cyber Essentials or Cyber Essentials Plus assessments.

The CSM uses a three-stage process, the first of which is a risk assessment of a company’s security. This involves completing a questionnaire to decide the complexity and risk level of a project.

Next, the contracting authority (the MOD) will determine the level of cyber risk for that contract and what the external company is required to have in place in order to meet that level and work on the project. The MOD will issue the company a document which maps out what’s expected of them at the appropriate risk level.

All MOD contracts available to tender are assessed against five risk profiles and assigned to one of these, which range from not applicable to high. For low-risk contracts, suppliers need Cyber Essentials certification before they can pitch for the work. For anything higher-risk, Cyber Essentials Plus is required.

Each of the levels has a risk control requirement, ranging from only one control to 44 controls at different levels. The MOD sets out the controls to be mapped against along with the contract. The risk levels are:

Level Threat Example Contract
Not applicable No or minimal cyber risk MOD expects this will rarely apply
Very low Hacking or phishing Purchasing commodities or essential services
Low Ransomware Anything involving official information, purchasing non-military basic parts
Moderate Persistent, targeted and skilled attacks Relating to official, sensitive information or personal data
High Well-organised, sophisticated APT (advanced, persistent threats), potentially over a long period of time Secret information and above, essential support of key military capability


Finally, there is another questionnaire for the company to complete, to demonstrate that they have met the contract requirements. This is known as a ‘supplier assurance questionnaire’.

Why Should You be Accredited?

If you want to be part of a supply chain, particularly for the MOD, you MUST have accreditation before you work with them. A supply chain is often made up of small businesses working alongside multinationals and large public sector organisations to provide a specialist service.

Everyone within that supply chain is vulnerable to external cyber-attacks, even if they’re not the target. It’s often the smaller companies who, because they haven’t invested in good security systems, are easier to hack. Accreditation means your systems are strong enough to withstand an attack, and you’re also protected in case someone else in the chain is targeted.

The MOD use a tool called DART (Defence Assurance Risk Tool), which has been specially developed to allow them to identify potential cyber security risks and to keep their partners safe.

DART assesses all contracts put out to tender on their risk profile. Depending on the level of risk, the requirements for any business hoping to win the work will vary, but Cyber Essentials is the minimum. Higher risk contracts will require CSM accreditation.

You can read more about how Cyber Essentials can help your business stay secure if you’re part of a defence supply chain here: Secure your supply chain with Cyber Essentials, and read more about why it’s vital if you’re looking to win defence contracts here: Do I need Cyber Essentials for Defence Contracts?

You can also download our free booklet, Cyber Essentials: Small Business Guide, which will answer any other questions you might have.