May 4, 2026

MOD supplier compliance gates: JOSCAR to Secure by Design

A UK technology SME has spent eight months building a relationship with a defence prime. Capability fit is good, procurement is engaged, the subcontract scope is drafted. Then the conversation pauses. The prime's supplier assurance lead asks for a current JOSCAR record, a Cyber Essentials Plus certificate that covers the systems in scope, and a Supplier Assurance Questionnaire (SAQ) mapped to the Cyber Risk Profile (CRP) the project team has issued. The supplier has none of the three on hand. Six weeks later the bid window has shifted, and a competitor with the evidence already in place is in the lead.

Most stalls at the SME end of the defence supply chain trace back to the same root cause. The frameworks are not unusually hard. The sequence in which they hit a bidding subcontractor is poorly understood, and that gap costs the six weeks in which a competitor with the evidence already in place wins the work.

The MOD supplier compliance opportunity

The MOD paid £40.6 billion to industry in 2024/25, with £31.7 billion of that going to UK suppliers (gov.uk, MOD Trade, Industry and Contracts 2025). SMEs received £1.2 billion in direct MOD investment over the same period, around four per cent of the UK total. The Defence Industrial Strategy 2025, published 8 September 2025, committed to lifting SME spending by £2.5 billion by 2028, taking the total to £7.5 billion. The Defence Office for Small Business Growth, announced on 27 January 2026, runs a pathfinder cohort of 30 SMEs and a wider remit to reduce supplier friction.

None of that £2.5 billion reaches a UK technology subcontractor without a clean compliance record at the right tier. The Strategic Defence Review 2025 stated that Defence "carries intolerable levels of cyber risk", and procurement gates were tightened across 2024 and 2025 in response.

JOSCAR registration: the prequalification gate

JOSCAR, the Joint Supply Chain Accreditation Register, is operated by Hellios Information Limited and used by the MOD alongside the major defence primes (BAE Systems, Thales, Leonardo, Rolls-Royce Submarines, Lockheed Martin). It is the longlisting tool. Buyers identify candidate suppliers from JOSCAR before formal RFPs go out, so an SME without a record is often unaware it has been excluded.

Registration runs in up to three stages depending on the supplier's size and risk profile. Stage 1 is free and captures company information, policies, and baseline compliance. Stage 2 is by invitation, takes around six weeks to complete, and incurs an annual fee above SME thresholds. Stage 3 applies to higher-risk supplier categories.

JOSCAR captures policies and general compliance evidence; it does not, in itself, clear a supplier for any specific MOD contract. The cyber assessment for an awarded contract happens later, inside the Supplier Cyber Protection Service against the Cyber Security Model. The most common SME error is treating JOSCAR as a post-conversation task. By then the longlist has usually closed.

The aviation sector runs a separate JOSCAR scheme; for defence work, the relevant register is the defence supply chain register, with self-nomination at hellios.com.

Cyber Essentials and CE Plus: the baseline at every level

Cyber Essentials is mandatory at every level of the Cyber Security Model. Cyber Essentials Plus, which includes a hands-on technical audit, is required for the higher CSMv4 risk profiles (Levels 2 and 3). Both certifications are issued by IASME-accredited certification bodies. As of 27 April 2026, all assessments must follow the Danzell question set, which makes MFA mandatory for all cloud services (including non-admin accounts) as an auto-fail requirement.

Two recurring failure modes at this gate are worth flagging. The first is scope. A Cyber Essentials certificate that covers the supplier's office IT but not the development environment or build pipeline used for the MOD work fails the test. The certificate has to cover the systems involved in delivering the contract. The second is renewal. Cyber Essentials Plus is annual, and a lapsed certificate during the contract period is a contractual breach under DEFCON 658.


DEFCON 658 and the Cyber Security Model

DEFCON 658 (Cyber Flow Down), current edition 07-25, is the contract clause that makes the Cyber Security Model contractual. With DEFCON 658 in place, the supplier is bound to the model, the SAQ process, and any improvement plans the assigned risk profile requires. The clause flows the same obligation down to sub-tier suppliers. A Tier 2 supplier subcontracting any element of the work has to assess each sub-tier supplier's cyber risk profile and confirm they have completed their own SAQ.

DEFCON 659 covers the security of MOD-classified information at SECRET or above and applies to UK contractors only. Most SME technology subcontractors operating at OFFICIAL will not see it. DEFCON 658 is the always-there cyber clause.

CSMv4 went live on 3 November 2025, governed by Industry Security Notice 2025/07. It replaced CSMv3's five-tier risk profile structure with four levels (Level 0, Level 1, Level 2, Level 3). Existing CSMv3 SAQs do not transfer; new submissions are required against CSMv4 with a fresh evidence base.

At market engagement the MOD project team or the prime contractor produces a Risk Assessment Reference (RAR) and assigns a Cyber Risk Profile Level based on the realistic threat to the capability. The supplier then completes a SAQ on the Supplier Cyber Protection Service, self-assessing against DefStan 05-138 Issue 4 controls at the assigned level. The SAQ is automatically scored against the assigned CRP. Where the score falls short, the supplier submits a Cyber Improvement Plan with concrete remediation timelines and accountable controls.

The Defence Cyber Protection Partnership manages the model. The SAQ typically takes six to eight weeks of evidence collection if the supplier has not previously assembled the artefacts. SME bid timelines often assume two weeks. That gap is the most common stall point at award.


DefStan 05-138 Issue 4: the technical control set

Defence Standard 05-138, Cyber Security for Defence Suppliers, sets out the controls required at each CSMv4 risk profile level. Issue 4 was originally published on 23 May 2024 and last updated on 3 December 2025 to align with the CSMv4 launch. It is the technical specification the SAQ assesses against.

DefStan 05-138 is more demanding than Cyber Essentials Plus alone, particularly at Levels 2 and 3, where it draws on additional security domains including supplier risk management and secure development practices. For SME suppliers already running an ISO 27001-aligned management system, much of the underlying control evidence already exists: the control language differs, but the evidence asked for is largely the same.

MOD Secure by Design: the lifecycle approach

Secure by Design is the MOD's project-team approach to cyber, mandated under JSP 440 Leaflet 5C across all top-level budgets and arm's length bodies. The practical guidance moved from the restricted Defence Gateway to digital.mod.uk in February 2025. SBD applies to projects and capabilities that handle Defence data, scaled to risk; there is no fixed contract value threshold.

The procurement gate stack divides here. CSMv4, via DEFCON 658 and evidenced through the SAQ against DefStan 05-138, is the supplier assurance route that proves each supplier meets the bar at its assigned tier. Secure by Design is the lifecycle approach the MOD project team itself follows across CADMID/T. The two overlap on substance but are separate mechanisms. For a subcontractor, the work is to participate in the project's SBD security activities, particularly the supply-chain engagement activity, with evidence proportionate to its tier.

For the deeper SBD-only walk-through, see the companion piece on MOD Secure by Design supplier compliance.


Defence Cyber Certification alongside the SAQ

Defence Cyber Certification (DCC) was developed by IASME as the MOD's official cyber certification partner. Its levels correspond to the four CSMv4 risk profiles, and it is increasingly expected alongside the SAQ in supplier assurance conversations.

Holding a DCC certificate does not exempt a supplier from completing the SAQ. DCC is the certifying body's audit-backed view; the SAQ is the supplier's evidenced self-assessment under DEFCON 658. The certificate does not replace the questionnaire.

Where existing certifications carry across

In September 2024 the MOD published a mapping document for DefStan 05-138 Issue 4. The document maps the standard's controls to ISO 27001:2022, ISO 22301, ISO 27701, NIST SP 800-171 Rev 3, NIST SP 800-172 Rev 2, NIST CSF 2.0, NIST CSF 1.1, Cyber Essentials, and the NCSC Cyber Assessment Framework (CAF) v3.4. The MOD's stated intent is to allow organisations to re-use existing compliance evidence where appropriate.

For an SME that already holds ISO 27001 and Cyber Essentials Plus, the practical effect is significant. A single piece of evidence, for example an access control policy or an incident response procedure, often answers a question in ISO 27001, in the SAQ against DefStan 05-138, and in Cyber Essentials at the same time. Keep the mapping document on the desk during SAQ preparation.


A practical sequence for SMEs bidding on MOD subcontracts

Get on JOSCAR before the procurement conversation starts; Stage 1 takes a few hours and costs nothing. The Cyber Essentials Plus certificate has to be current and scoped to cover the development and delivery environments that would handle MOD data. ISO 27001 is worth carrying if scaling beyond a single MOD prime is on the roadmap, because the same evidence base then carries into commercial enterprise procurement. When DEFCON 658 lands, expect the RAR and CRP Level from the project team within days of award, and budget six to eight weeks for the SAQ. Where CSMv4 highlights gaps, the Cyber Improvement Plan needs specific dated milestones and named owners; vague CIPs delay award.

Renewal matters as much as initial certification. SAQ renews on the contract anniversary, Cyber Essentials Plus is annual, and DEFCON 658 flow-down obligations run continuously. Missing any of these puts the contract at risk.

What clearing the stack changes

A subcontractor whose SAQ, CE Plus and JOSCAR records are current, and whose evidence base is already mapped to ISO 27001, has cleared the stack the prime spends most of its time chasing. That status carries beyond any single contract. The same prime begins to hand work over with fewer assurance touchpoints, the next prime onboards faster against the same evidence base, and the Defence Office for Small Business Growth pathfinder cohorts move into reach.

How Naq supports MOD supplier compliance

The Naq platform is built to automate compliance framework mapping from a single dashboard. Controls are mapped across frameworks, so one piece of evidence answers ISO 27001, the SAQ against DefStan 05-138, and Cyber Essentials Plus at the same time, rather than being collected three times.

Naq is also an IASME Certifying Body for Cyber Essentials. Access to Cyber Essentials Plus certification bodies and CREST-accredited penetration testers is available through Naq's external partnership network, where the SAQ requires evidence of an independent test.

To see how MOD supplier compliance evidence maps across your existing tooling and frameworks, book a 15-minute demo at naqcyber.com.

Frequently asked questions

Is JOSCAR registration the same as MOD Secure by Design compliance?

No. JOSCAR is a Hellios-operated prequalification register that captures supplier policies and general compliance evidence; it gets a supplier onto the prime's longlist. Secure by Design is the MOD's project-team lifecycle approach to cyber under JSP 440 Leaflet 5C, while the supplier assurance side runs through the Cyber Security Model via the SAQ. JOSCAR does not clear a supplier for SBD or CSMv4.

Does CSMv4 still apply if my MOD contract is below a certain value?

Yes. The Cyber Security Model applies whenever DEFCON 658 is included in the contract. The assigned Cyber Risk Profile Level is set against the threat to the capability, not the contract value. A small contract handling sensitive Defence data can sit at a higher CRP than a larger one handling lower-sensitivity material.

Does Cyber Essentials Plus on its own satisfy CSMv4?

No. Cyber Essentials Plus is the mandatory baseline at higher CSMv4 levels, but it is not the assessment. CSMv4 requires a SAQ scored against DefStan 05-138 Issue 4 controls at the assigned risk profile level. CE Plus is one input into that SAQ; the SAQ itself covers more ground.

Do existing ISO 27001 controls reduce the work for DefStan 05-138?

Yes. The MOD's September 2024 mapping document aligns DefStan 05-138 Issue 4 with ISO 27001:2022, Cyber Essentials, the NCSC CAF v3.4, and the NIST SP 800-171 / 800-172 / CSF families. A supplier with a current ISO 27001 certificate has often already produced most of the evidence the SAQ asks for, in different language.

Who issues the Risk Assessment Reference?

The MOD project team issues the RAR for direct MOD contracts; the prime contractor issues it for subcontracts under a flowed-down DEFCON 658 clause. The supplier does not assign its own risk profile. The RAR and the assigned Cyber Risk Profile Level arrive at market engagement, which is why suppliers benefit from having the underlying evidence ready before the SAQ window opens.

Sources

  • gov.uk, Cyber Security Model: https://www.gov.uk/guidance/cyber-security-model
  • gov.uk, DEFCON 658 (Cyber Flow Down): https://www.gov.uk/government/publications/defence-condition-658-cyber-flow-down
  • gov.uk, DefStan 05-138 Issue 4: https://www.gov.uk/government/publications/cyber-security-for-defence-suppliers-def-stan-05-138-issue-4
  • gov.uk, DefStan 05-138 mapping document: https://www.gov.uk/government/publications/mapping-document-cyber-security-for-defence-suppliers-def-stan-05-138-issue-4
  • ISN 2025/07 (CSMv4 implementation): https://assets.publishing.service.gov.uk/media/692870469c1eda2cdf034210/ISN_2025-07_Implementation_of_CSM_v4.pdf
  • digital.mod.uk, Secure by Design: https://www.digital.mod.uk/policy-rules-standards-and-guidance/secure-by-design/
  • gov.uk, MOD Trade, Industry and Contracts 2025: https://www.gov.uk/government/statistics/mod-trade-industry-and-contracts-2025/mod-trade-industry-and-contracts-2025
  • Defence Industrial Strategy 2025: https://assets.publishing.service.gov.uk/media/68bea465223d92d088f01d6a/Defence_Industrial_Strategy_2025_-_two-pager.pdf
  • gov.uk, Defence Office for Small Business Growth: https://www.gov.uk/government/news/red-tape-to-be-slashed-as-mod-launches-new-team-to-back-british-small-businesses
  • NCSC Annual Review 2025: https://www.ncsc.gov.uk/collection/ncsc-annual-review-2025
  • Hellios, JOSCAR: https://hellios.com/our-products/joscar/
  • House of Commons Library, SME participation in defence procurement (CDP-2025-0020): https://commonslibrary.parliament.uk/research-briefings/cdp-2025-0020/
Written by
The Naq Team