# MOD Cyber Security Model v4, DEFCON 658 and Def Stan 05-138

### Purpose

This page defines how projects handle MOD Cyber Security Model obligations and supplier cyber assurance where defence contracts, subcontracts or MOD-related work apply.

### Core Concepts

The MOD Cyber Security Model is used to assess and manage cyber risk in defence supply chains. It is risk-based and is linked to contract requirements, cyber risk profiles, supplier assurance and contractual flow-down.

Key elements:

* Cyber Risk Assessment;
* Cyber Risk Profile;
* Def Stan 05-138 controls;
* Supplier Assurance Questionnaire;
* Cyber Implementation Plan;
* DEFCON 658 contractual obligations;
* subcontractor flow-down;
* continuing review and evidence.

### Process

1. Confirm whether the work is within scope of an MOD contract, subcontract or flow-down requirement.
2. Obtain the Cyber Risk Assessment reference and resulting Cyber Risk Profile.
3. Identify the applicable Def Stan 05-138 control level.
4. Complete or obtain the Supplier Assurance Questionnaire response.
5. Identify gaps against the required control level.
6. Create a Cyber Implementation Plan for unmet controls.
7. Confirm whether Defence Cyber Certification (DCC) can be used as evidence for applicable control requirements.
8. Flow relevant requirements to subcontractors.
9. Review supplier evidence before access, data sharing or delivery acceptance.
10. Update evidence annually or when the contract, scope, supplier, architecture or threat position changes.

### Evidence Pack

* contract or subcontract reference;
* Cyber Risk Assessment record;
* Cyber Risk Profile;
* completed Supplier Assurance Questionnaire;
* Def Stan 05-138 control mapping;
* Cyber Implementation Plan;
* subcontractor flow-down evidence;
* DCC certificate details where applicable;
* risk acceptances;
* annual review evidence;
* customer or MOD approval records.

### Supplier Flow-Down

Subcontractors must not be treated as outside the security boundary. Where they process, generate, access or support UK or partner data, the project must confirm which obligations apply and must obtain evidence before work starts.

### Acceptance Gate

A defence supplier or subcontractor should not be allowed to begin sensitive work until the required Cyber Security Model (CSM) position is known, contractual flow-down is complete, access requirements are approved and any control gaps are covered by a Cyber Implementation Plan or accepted risk.
---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://framework.aic.io/security-vetting-and-technical-assurance-playbook/secure-by-design-and-defence/mod-cyber-security-model-v4-defcon-658-and-def-stan-05-138.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
