DEFENCE & MOD

Cyber Essentials for defence suppliers — DEFCON 658 and the MOD supply chain.

The Ministry of Defence uses a standard contract condition — DEFCON 658 — to flow Cyber Essentials requirements down through the defence supply chain. If you supply to a defence prime contractor at any tier, you may be in scope.

What DEFCON 658 is

DEFCON 658 is a standard Defence Contract condition used by the Ministry of Defence and its prime contractors to embed cyber security requirements in defence supply chain contracts. It requires suppliers to hold Cyber Essentials (CE) or Cyber Essentials Plus (CE Plus) where the work involves handling MOD information or connecting to MOD systems.

The condition is designed to be flowed down — prime contractors pass the requirement to subcontractors, who pass it to their subcontractors. If you supply to a defence prime at any tier, DEFCON 658 may apply even without a direct MOD contract.

Who is in scope

Whether DEFCON 658 applies depends on the nature of your contract and the data or systems involved. Suppliers are likely in scope if they handle MOD-classified or sensitive information, connect to MOD networks, or provide IT services to a defence prime in a way that creates cyber risk to MOD data.

Suppliers of purely physical goods with no data handling may not be subject to the requirement — but this depends on how the prime has interpreted the DEFCON 658 condition. If your contract includes a cyber security requirement, you are in scope.

Cyber Essentials or CE Plus for defence contracts

DEFCON 658 references both levels. Which applies depends on data sensitivity and the contracting authority's assessment. Contracts involving more sensitive information or deeper system integration typically require CE Plus. If your prime has specified CE Plus, that is the requirement.

What to do if you have received a DEFCON 658 requirement

Confirm exactly what is required — CE or CE Plus — and the deadline. Assess your current position against the standard. Begin with enough lead time — CE Plus typically takes six to ten weeks for a well-prepared organisation, longer with remediation.

If the requirement came from a prime rather than MOD directly, check your contract carefully. Prime requirements may exceed the base DEFCON 658 standard.

IF YOUR PRIME CONTRACTOR HAS ASKED FOR THIS

Requirements from primes through the defence supply chain can go further than base DEFCON 658. Read your subcontract carefully — specifically cyber security schedules or annexes — before assuming Cyber Essentials alone is sufficient. If in doubt, ask for written confirmation.
