April 12, 2026

MOD Secure by Design Compliance: A Supplier Guide

MOD Secure by Design compliance is now a contractual requirement for every supplier in the defence supply chain. The Ministry of Defence formally launched the approach in July 2023 after piloting it across 40 projects. It replaced the legacy DART Risk Balance Case process, moving from reactive, end-of-project security accreditation to continuous risk management built into every stage of a capability's lifecycle.

For defence suppliers, particularly SMEs entering or expanding within the supply chain, the change is substantial. Security is an ongoing obligation from contract award through to disposal, enforced through contract clauses, mandatory certifications, and supply chain flow-down requirements.

This guide covers the framework and the practical compliance steps. It also shows how MOD Secure by Design compliance connects to certifications you may already hold.

What MOD Secure by Design compliance requires from suppliers

Secure by Design is mandated in JSP 440 Leaflet 5C across all MOD top-level budgets and arm's length bodies. The MOD defines it as "an approach that puts cyber security at the heart of every stage of a capability's lifecycle".

The framework is built around seven security activities:

  1. Understand and define context
  2. Plan security activities
  3. Implement continuous risk management
  4. Define security controls
  5. Engage and manage the supply chain
  6. Assure, verify, and test
  7. Plan a through-life approach

These activities map to the CADMID/T lifecycle phases used in defence procurement: Concept, Assessment, Demonstration, Manufacture/Migration, In-Service, and Disposal/Termination. The expectation is that security activities match the scale and criticality of the capability being delivered.

The guidance, previously restricted to Defence Gateway, was moved to digital.mod.uk in February 2025 to improve accessibility for industry partners.

The Cyber Security Model and what it means for contracts

Alongside Secure by Design, the Defence Cyber Protection Partnership (DCPP) operates the Cyber Security Model (CSM), which is the mechanism through which specific cyber requirements flow into MOD contracts and down through the supply chain.

CSMv4 launched on 3 December 2025, replacing the previous version with significant changes. The old five-tier risk profiles (Not Applicable, Very Low, Low, Moderate, High) have been replaced with four levels: Level 0, Level 1, Level 2, and Level 3. The focus has shifted from protecting "MOD Identifiable Information" specifically to broader organisational security and resilience.

Existing CSMv3 assessments do not transfer to CSMv4. Suppliers must receive a new CSMv4 Cyber Risk Profile and Risk Assessment Reference from their customer before initiating compliance activities.

The contractual enforcement mechanism is DEFCON 658, a contract clause included in all MOD contracts above the "Not Applicable" threshold. It makes compliance with the CSM and DefStan 05-138 legally binding and includes flow-down obligations requiring prime contractors to cascade the same requirements to all subcontractors.

DefStan 05-138: the technical standard

Defence Standard 05-138 Issue 4, published in May 2024 and last updated in December 2025, specifies the cyber controls defence suppliers must achieve at each CSMv4 risk profile level. It is the technical backbone of the Cyber Security Model.

The MOD has published an official mapping document for DefStan 05-138 Issue 4 against eight frameworks including ISO 27001:2022, ISO 22301, ISO 27701, NIST SP 800-171 Rev 3, NIST CSF 2.0, CAF v3.1, and Cyber Essentials. The stated aim is to allow "organisations to re-use existing compliance evidence where appropriate".

This is important for suppliers who already hold ISO 27001 or Cyber Essentials certification. While neither is a substitute for DefStan 05-138 compliance, existing certification evidence can demonstrate alignment with many of the required controls, reducing duplicate work.

Cyber Essentials is the baseline

Cyber Essentials certification is embedded at every level of the CSM. Under CSMv4:

  • All Defence Cyber Certification levels start with Cyber Essentials
  • Levels 2 and 3 require Cyber Essentials Plus

Defence Cyber Certification (DCC), developed by IASME as the MOD's official cyber certification partner, is increasingly expected. DCC levels correspond directly to CSMv4 risk profiles, and suppliers should expect to hold valid certification for the duration of their MOD contracts. Holding DCC does not exempt you from completing the Supplier Assurance Questionnaire.

JOSCAR: the supplier pre-qualification register

The Joint Supply Chain Accreditation Register (JOSCAR) is the primary supplier pre-qualification platform used by MOD and 28 other buying organisations including BAE Systems, Thales, Leonardo, Rolls-Royce Submarines, and Lockheed Martin. Approximately 5,000 suppliers are currently registered.

Registration involves two stages. Stage 1 is free and covers basic company details. Stage 2 is a full compliance questionnaire that takes approximately eight weeks to complete. It is free for organisations with annual turnover under one million pounds. Above that threshold, the annual fee is 725 pounds plus VAT.

JOSCAR is separate from the Cyber Security Model but is the standard route through which major primes and MOD procurement teams identify and pre-qualify potential suppliers.

40.6 billion pounds in MOD spend and how suppliers qualify

MOD paid 40.6 billion pounds to industry in 2024/25 across approximately 9,200 organisations (MOD Trade, Industry and Contracts 2025). The top 18 suppliers account for roughly half of total direct spend, but the supply chain runs deep. According to a January 2025 Hansard debate on defence procurement, a single large prime contractor's supply chain can contain 6,000 to 7,000 smaller companies. Suppliers who already hold the right certifications skip weeks of onboarding when a prime issues a subcontract. Those who do not are filtered out before the conversation starts.

Currently, SMEs receive only 4 per cent of direct MOD spend. The Defence Industrial Strategy 2025 commits to increasing SME spending by 2.5 billion pounds by May 2028, supported by a new Defence Office for Small Business Growth launched in early 2026.

The Strategic Defence Review 2025 recognises cyberspace as "the enabling domain, integrating all others yet uniquely contested by adversaries daily" and states that Defence "carries intolerable levels of cyber risk." This language signals that cyber compliance requirements for the supply chain will tighten, not relax.

Practical steps for MOD Secure by Design compliance

1. Get Cyber Essentials certified. This is the minimum for any MOD contract work. If you expect Level 1 or above contracts, get Cyber Essentials Plus.

2. Register on JOSCAR. Complete both stages. This is how the major primes and MOD procurement teams find you.

3. Register on procurement platforms. The Defence Sourcing Portal for live opportunities, Contracts Finder for contracts over 12,000 pounds, and Find a Tender for higher-value contracts.

4. When awarded a contract with DEFCON 658: receive your Cyber Risk Profile level and Risk Assessment Reference from the MOD delivery team or prime contractor. Complete the Supplier Assurance Questionnaire (SAQ) on the Supplier Cyber Protection Service. If gaps are identified, submit a Cyber Improvement Plan with specific remediation timelines. Renew the SAQ annually on your contract anniversary.

5. Obtain Defence Cyber Certification at the level matching your assigned risk profile. IASME-accredited certification bodies conduct the assessment.

6. Understand Secure by Design. Read the public guidance at digital.mod.uk. Plan security activities proportionate to the capability you are delivering. The MOD expects continuous risk management, not a compliance snapshot.

7. If you are a prime or Tier 1 supplier: cascade DEFCON 658 and DefStan 05-138 requirements to every subcontractor. Ensure sub-tier suppliers receive their own risk profiles and complete their own assessments.

Where existing certifications overlap

Defence suppliers often find themselves managing Cyber Essentials, ISO 27001, and now DefStan 05-138 simultaneously. The overlap between these frameworks is significant, and the MOD's published mapping document for DefStan 05-138 Issue 4 explicitly encourages reuse of existing compliance evidence.

ISO 27001 covers information security management systems, risk assessment, access controls, incident management, business continuity, and supplier relationships. Many of these map directly to DefStan 05-138 controls. Cyber Essentials covers five foundational technical controls that are embedded as baseline requirements at every CSMv4 level.

The compliance burden is real, but it is also largely overlapping. Managing these frameworks independently, with separate evidence collection for each, creates unnecessary duplication. Instead of tracking DefStan 05-138 controls in a spreadsheet, a supplier can log into a single dashboard, see which controls are already evidenced through existing ISO 27001 certification, and get a prioritised list of gaps to close.

Naq automates compliance across Cyber Essentials, ISO 27001, and 18 other frameworks from a single platform. Evidence gathered for one framework maps automatically to overlapping standards, so ISO 27001 work carries across to DefStan 05-138 controls without re-documenting. Over 300 integrations handle evidence collection, and expert support from defence compliance specialists is available for the elements that cannot be automated.

Book a demo to see how it works for defence suppliers.

Written by
The Naq Team