Defence Condition (DEFCON) 658: Cyber Essentials Requirements for the Defence Supply Chain
The Ministry of Defence (MOD) doesn't recommend Cyber Essentials (CE) for its suppliers - it requires it, through DEFCON 658, the contractual mechanism that makes certification mandatory across every tier of the defence supply chain, from prime contractors down to the smallest specialist supplier.
If you hold or are bidding for any MOD contract, this is the requirement you need to understand. The accompanying Defence (DEF) Standard (STAN) 05-138 provides the technical framework.
What DEFCON 658 requires
DEFCON 658 is included in MOD contracts to impose cyber security requirements on suppliers. The requirements are tiered based on the cyber risk level of the contract, assessed by the Defence Cyber Protection Partnership (DCPP).
Requirements are mapped to the Government's OFFICIAL (Official-Sensitive) security classification:
| Risk Level | CE Requirement | Applies To |
|---|---|---|
| Very Low | CE Basic (minimum) | Contracts with minimal MOD information handling |
| Low | CE Plus required | Contracts handling OFFICIAL information |
| Moderate | CE Plus required | Contracts handling sensitive OFFICIAL information |
| High | CE Plus required | Contracts with significant MOD system access |
CE Basic is the absolute minimum for any MOD contract. There is no risk level at which a supplier can operate without CE certification. For most practical purposes, contracts that handle MOD information at OFFICIAL classification or above require CE Plus, not just Basic.
Note: The Defence Cyber Security Model (CSM) is transitioning to version 4, which introduces a Level 0-3 risk classification. The requirements above reflect the current framework. Suppliers should check contract documentation for the applicable risk model.
The risk assessment is performed by the contracting authority using the DCPP cyber risk model. The assessed risk level determines which security requirements apply and is stated in the contract documentation.
Supply chain cascade
This is the part that catches many businesses off guard. DEFCON 658 doesn't just apply to the company that signs the contract with MOD. It cascades through the entire supply chain.
If BAE Systems (originally British Aerospace) holds a contract with MOD that includes DEFCON 658, BAE Systems must flow the requirement down to every subcontractor who touches MOD information under that contract. Those subcontractors must flow it down to their own subcontractors. The chain continues until every company handling MOD information is covered.
This means a specialist engineering firm that supplies components to a tier-two contractor, who supplies to a prime, who holds the MOD contract, still needs Cyber Essentials. The requirement doesn't dilute as it moves down the chain.
An estimated 10,000 or more companies sit within the UK defence supply chain. Many are Small and Medium Enterprises (SMEs) with 10 to 50 employees. For these businesses, the first time they hear about DEFCON 658 is often when a prime contractor sends them a questionnaire asking for their CE certificate number.
Defence Standard (DEF STAN) 05-138 Issue 4
DEF STAN 05-138 Issue 4 is the technical standard that sits alongside DEFCON 658. While DEFCON 658 is the contractual requirement, DEF STAN 05-138 provides the framework for what suppliers must actually do.
The standard defines cyber security requirements at each risk level:
- Baseline requirements align with Cyber Essentials. The five CE controls (firewalls, secure configuration, user access control, malware protection, and security update management) form the foundation.
- Enhanced requirements apply at higher risk levels and add controls beyond CE, including incident reporting, network monitoring, and access management for MOD systems.
- Risk-specific requirements apply to contracts handling classified information or providing direct access to MOD networks.
For most SMEs in the defence supply chain, the baseline requirements are what matter. These map directly to the Cyber Essentials control set. Getting CE certified satisfies the DEF STAN 05-138 baseline, which satisfies the DEFCON 658 contractual requirement.
At higher risk levels, additional security measures are required on top of CE. These typically apply to companies that directly access MOD networks, handle classified material above OFFICIAL, or provide critical defence capabilities.
Joint Supply Chain Accreditation Register (JOSCAR)
JOSCAR is a shared supplier qualification system used across the UK defence and aerospace sectors. Instead of each buyer running their own supplier assessment, JOSCAR provides a single qualification that multiple buyers recognise.
Who uses JOSCAR
Twenty-nine defence buyers use JOSCAR to assess and qualify their suppliers, including:
- Ministry of Defence
- BAE Systems
- Rolls-Royce
- MBDA (European missile systems manufacturer)
- Leonardo
- Babcock International
- Thales UK
- QinetiQ
Over 6,000 SMEs are registered on JOSCAR. For these businesses, JOSCAR registration is the gateway to working with multiple defence buyers without going through separate qualification processes for each one.
How CE fits into JOSCAR
JOSCAR includes questions about cyber security certification as part of its supplier assessment. Specifically, it asks whether the supplier holds Cyber Essentials or CE Plus certification and requests the certificate number and expiry date.
Having a current CE certificate doesn't guarantee JOSCAR approval, but not having one increasingly makes approval difficult. Defence buyers using JOSCAR expect their suppliers to demonstrate CE compliance, and the trend is towards CE Plus rather than Basic being the expected standard.
For SMEs entering the defence supply chain, the practical sequence is: get CE certified, then register on JOSCAR, then pursue specific contract opportunities. Trying to do it the other way around means JOSCAR approval takes longer and contract bids are weaker.
How many companies are affected
The UK defence supply chain is larger than most people assume. MOD spends over £27 billion annually on defence procurement (2024/25), spread across thousands of contracts and tens of thousands of suppliers.
The prime contractors are household names: BAE Systems, Rolls-Royce, Babcock, Leonardo, Thales, MBDA. Below them sit tiers of specialists, manufacturers, IT providers, consultancies, and service companies. The supply chain cascade under DEFCON 658 means every company in this chain that handles MOD information needs CE certification.
The estimate of 10,000+ affected companies comes from the scale of the defence industrial base. This includes:
- Specialist manufacturers supplying components
- IT service providers managing defence-related systems
- Engineering consultancies working on defence projects
- Logistics and facilities management companies
- Training providers delivering MOD programmes
- Professional services firms advising on defence contracts
Many of these are small to medium businesses. A precision engineering firm with 20 employees making parts for military equipment is as much part of the defence supply chain as a 10,000-person prime contractor. DEFCON 658 applies equally to both types of supplier.
The practical steps for defence suppliers
1. Check your contract documentation
If you have existing MOD contracts or subcontracts, check for references to DEFCON 658. The requirement will be stated in the contract conditions. If you're a subcontractor, the prime contractor should have flowed the requirement down to you.
2. Determine your risk level
The DCPP cyber risk level determines whether you need CE Basic or CE Plus. If you can't find the risk level in your contract documentation, ask the contracting authority or the prime contractor who issued the subcontract. For most contracts handling OFFICIAL information, CE Plus is the requirement.
3. Get certified
CE Basic starts at £320 + Value Added Tax (VAT) with Net Sec Group. Standard turnaround is 48 hours, with 12-hour fast track available. CE Plus starts at £1,200 + VAT and includes the technical assessment. The CE + CE Plus bundle is £1,400 + VAT, saving on the combined price.
CE Plus typically takes 3-5 days for the full process. Organisations with clean estates and controls already in place can complete faster.
4. Register on JOSCAR
If you're not already on JOSCAR and you're working in the defence supply chain, registration is worth doing. It opens access to 29 buyers and simplifies the qualification process. Your CE certificate becomes part of your JOSCAR profile.
5. Maintain annual renewal
CE certification is valid for 12 months, and defence contracts require a current certificate, not a lapsed one. A lapsed certificate means non-compliance with DEFCON 658, which can trigger contract review.
Set a reminder 3 months before expiry to begin the renewal process. If you're in the middle of a contract, a gap in certification creates a compliance issue that your contracting authority will notice.
The direction of travel
DEFCON 658 and DEF STAN 05-138 are not static. The requirements have been progressively tightened over successive issues, and the direction is towards more stringent cyber security expectations, not fewer.
The alignment with Procurement Policy Note (PPN) 014 (effective 24 February 2025) means defence requirements now sit within a broader government-wide mandate. CE is the baseline across all central government procurement, not just defence. For companies that supply both defence and civilian government clients, a single CE certificate covers both requirements.
The Cyber Security and Resilience Bill, currently progressing through Parliament, is expected to further strengthen supply chain security obligations. Defence suppliers should expect requirements to increase, not decrease, over the coming years.
If you're in the defence supply chain and need CE or CE Plus certification, contact us. We work with defence suppliers at all tiers and can scope your assessment against both DEFCON 658 and DEF STAN 05-138 requirements.