WHAT IS THE CYBER SECURITY MODEL?

The Cyber Security Model (CSM) is the Ministry of Defence's framework for managing cyber security risk across its supply chain. It defines how the MOD assesses suppliers for cyber risk, what certification they need to hold, and how compliance is monitored through the contract lifecycle.

CSM applies to all organisations working with the MOD — from prime contractors to smaller SMEs supplying niche products or services.

WHAT CHANGED IN VERSION 4?

CSM v4 made several significant changes compared to earlier versions:

  • Introduction of DCC: The Defence Cyber Certification (DCC) scheme replaced the previous approach, creating a tiered certification framework aligned to risk profiles
  • Risk-based tiering: Suppliers are now formally assigned a risk profile (Very Low, Low, Medium, High, Very High) with corresponding DCC certification requirements
  • DEFCON 658 alignment: CSM v4 is referenced in DEFCON 658, making it a contractual requirement rather than guidance
  • Clearer scope definition: v4 provides clearer guidance on what systems and data are in scope for assessment
  • Supply chain flow-down: Prime contractors are required to ensure their subcontractors also meet appropriate DCC requirements

WHAT IS MY RISK PROFILE?

Your risk profile under CSM v4 is determined by the MOD based on the nature of your contract — what data you handle, what systems you access, and what role you play in the supply chain. The risk profile determines which DCC certification level you need:

  • Very Low: DCC Level 0 (Cyber Essentials-based, 3-year validity)
  • Low: DCC Level 1 (additional controls beyond CE)
  • Medium: DCC Level 2 (more rigorous requirements)
  • High / Very High: DCC Level 3 / bespoke requirements

The majority of SMEs entering the MOD supply chain are assessed at Very Low risk, so DCC Level 0 is the certification they need.

Key point: Your risk profile is assigned by the MOD based on your contract — not chosen by you. If you are unsure what level applies to your engagement, check your contract documentation or speak to your prime contractor.

WHAT IS DEFCON 658?

DEFCON 658 is the MOD standard contractual condition that references CSM v4. When it appears in a contract, it creates a legally binding requirement to hold and maintain the appropriate DCC certification. Non-compliance with DEFCON 658 can result in contract termination or exclusion from future tenders.

WHAT DOES THIS MEAN FOR SMEs?

For smaller businesses in the MOD supply chain, CSM v4 means:

  • You likely need DCC Level 0 as a minimum to remain tender-ready
  • You need to hold certification before contract award — not after
  • Your prime contractor may require you to evidence certification as a condition of subcontracting
  • The requirement will flow down through the supply chain, so even indirect MOD suppliers may need to certify

HOW DO I GET DCC LEVEL 0?

DCC Level 0 assessments are delivered by IASME Approved Certification Bodies. Vincent Cyber Defence is approved to deliver and issue DCC Level 0 certificates. Our process is designed to be straightforward and efficient, focused on a first-time pass, with plain-English support throughout.

DCC Level 0 certificates are valid for three years — giving you longer-term assurance with less frequent renewal overhead. There is an annual obligation, however: you must re-certify to Cyber Essentials every year and complete an annual attestation confirming your controls are maintained and your scope has not significantly changed. If your CE certificate lapses, your DCC certification is at risk.

WHAT SHOULD I DO NOW?

  • Check your MOD contract documentation for DEFCON 658
  • Confirm your risk profile with the contracting authority if you are unsure
  • If you are Very Low risk, begin your DCC Level 0 certification process now — before you need it
  • If you are a prime contractor, review your subcontractor supply chain and ensure appropriate flow-down

Need help getting certified? Vincent Cyber Defence is an IASME Approved Certification Body. We guide UK businesses through Cyber Essentials, Cyber Essentials Plus, and DCC Level 0. Get in touch today →