Preparing for the Cyber Security Model – Version 4

Comply Consulting Discover Protect Review

What CSM Version 4 Means for the Defence Supply Chain

The Cyber Security Model (CSM) is how Defence builds cyber security into its supply chain. This year marks the first update to the Ministry of Defence’s (MOD) Cyber Security Model since 2021. 

In what will be a phased roll-out, CSM version 4 (v4) brings in a new control framework, specifically aimed at bolstering the UK defence, industrial supply chain. The core change is that all suppliers and subcontractors throughout the Defence Supply Chain will now need to meet the cyber security requirements set out in CSM v4. 

Understanding the changes and ensuring compliance is essential for maintaining eligibility for MOD contracts. 

What Is the Cyber Security Model?

Since April 2017, the CSM has been a mandatory requirement for any supplier working with the Ministry of Defence (and handling MOD-identifiable information). Whether you are a prime contractor or part of the broader supply chain, compliance with the CSM is an essential requirement for delivering to MOD contracts. 

The framework is designed to support all suppliers in upholding stringent cyber security standards, safeguarding sensitive information across all levels of the defence supply network. 

What Is Changing With CSM v4?

This latest update to the CSM brings a number of changes that expand its scope and introduce new requirements for suppliers working with the MOD. Key changes include: 

  • The focus of the Cyber Security Model is moving from just “MOD Identifiable Information” to embrace organisational security and resilience. 
  • The MOD are replacing Risk Profiles with Risk Levels. There will be four new Cyber Risk Levels to score suppliers (Level 0, Level 1, Level 2 and Level 3). 
  • All suppliers will now need to adhere to the controls set out in DEF STAN 05-138. 
  • All organisations in the defence supply chain will need to complete comprehensive risk assessments and supplier assurance questionnaires and submit these to the MOD’s new Supplier Cyber Protection Service (SCPS). 

If you need to hold classified material, at SECRET or above, you will also require FSC status and IPSA compliance. 

How Can Ascentor Help?

Ascentoroffers expert guidance to help you achieve compliance with the Cyber Security Model (CSM). Our process begins with our proven Gap Analysis approach – a structured, four-step process that equips you with the insights needed to make informed decisions about improvements and resource allocation. 

Ascentor Gap Analysis Flow

Our Gap Analysis is fast, efficient and tailored to your specific requirements. The exercise helps you understand your current position, identify what areas need to be addressed, and provides a clear roadmap for achieving compliance.  

Once the analysis is complete, Ascentor can support remediation efforts and offer ongoing assistance to achieve and maintain compliance. 

What Will Our Consultants Look For?

The new, stricter measures that our consultants will check compliance against include: 

Organisational risk 

As previously stated, risk assessment and compliance must now be achieved by all suppliers throughout the supply chain. All organisations must comply with the updated DEF STAN 05-138 Issue 4 standards. 

Incorporation of advanced controls 

For more robust protection from cyber threats, all suppliers must adopt more advanced cyber security measures such as multi-factor authentication, incident management systems and automated asset inventory. 

Auditing and assurance 

Suppliers must now regularly demonstrate compliance through the Supplier Cyber Protection Service questionnaire – this must be undertaken yearly. Non-compliance may result in the need for a Cyber Implementation Plan (CIP), detailing how risks will be mitigated and how the organisation plans to achieve compliance. 

Cultural and organisational awareness 

With the shift towards the whole supply chain, CSM v4 places greater emphasis on organisational security and resilience. It requires the implementation of control measures and an appropriate security management system, such as ISO/IEC 27001, is encouraged. Auditors won’t just be checking that a system was set up – they’ll want to see that it’s been actively maintained and that its processes are embedded into the organisation’s day-to-day operations. 

Find Out More

For further details on how Ascentor can support your organisation with Cyber Security Model compliance, contact us today. 

Written by

Ascentor Team

16 January 2025

Contact Us

Your cyber security challenges and our pragmatic approach - we could be the perfect fit. Contact the team at Ascentor for an informal chat.

Fields marked with an * are required

Name(Required)
Name(Required)
Ascentor will use this information to provide you with the requested information. On occasion, we will also contact you in line with our Privacy Policy about other information you may be interested in, including our products and services. You may manage your preferences or unsubscribe from these communications at any time via this link.
Green Bird - White top right

Contact Us

Your cyber security challenges and our pragmatic approach – we could be the perfect fit.
Contact the team at Ascentor for an informal chat.

Get in Touch