• An IASME Certification Body since 2014.
  • CREST and Cyber Scheme qualified testers.
  • Aligned to DEFCON 658, the Cyber Security Model and Def Stan 05-138.
  • North East based. Delivered UK-wide.
What's forcing your hand

A defence contract pulls you into the Cyber Security Model

A defence contract carrying DEFCON 658 triggers the MOD's Cyber Security Model. The MOD runs a Risk Assessment that assigns your contract a Cyber Risk Profile. You then have to meet the controls in Def Stan 05-138 for that level, and evidence it through a Supplier Assurance Questionnaire on the Supplier Cyber Protection Service.

The requirement does not stop at the prime. DEFCON 658 flows down through every tier of the supply chain. If you sit beneath a prime on a defence programme, it reaches you.

The model moved to CSMv4 for new contracts from December 2025, with Def Stan 05-138 Issue 4. Cyber Essentials is the baseline at the lower levels. Cyber Essentials Plus is required at the higher risk levels.

A new Defence Cyber Certification scheme adds independent, evidence-based certification on top of the self-assessed questionnaire. It is built on Cyber Essentials at every level.

What we deliver

What we deliver for defence suppliers

Cyber Essentials, the defence baseline

Certified directly by us as an IASME Certification Body. The minimum the Cyber Security Model expects, renewed every 12 months.

Cyber Essentials Plus

The hands-on, independently audited tier required at higher Cyber Risk Profiles. We test your live systems, not just your answers.

DEFCON 658 / CSMv4 readiness

We help you read your Risk Assessment, scope the controls in Def Stan 05-138, and complete the Supplier Assurance Questionnaire with evidence behind it.

Penetration testing

CREST and Cyber Scheme qualified testing to prove the technical controls a defence buyer will scrutinise.

Supply-chain assurance

Flow the same bar down to your own subcontractors, the way DEFCON 658 expects.

Defence Cyber Certification readiness

The new independent, evidence-based scheme is built on Cyber Essentials at every level. We get the baseline solid and ready you for certification beyond the questionnaire.

Government-grade rigour, made practical

We have certified UK organisations to Cyber Essentials since the scheme launched in 2014, one of the longest-standing certification bodies in the country. We deliver to public sector and defence-grade clients, with in-house CREST and Cyber Scheme qualified testers, so the controls are tested, not just claimed. We cut through the acronyms, DEFCON 658, CSMv4, Def Stan 05-138, SAQ, so you know exactly what your contract requires and what it does not.

Regional focus

Defence cyber across the North East

The North East has a real defence base, from manufacturing on Tyneside to engineering across the region, and a growing cluster of SMEs winning defence work. We help suppliers across the region get and stay compliant. Local when you want us on site, remote when that is faster.

  • Newcastle
  • Gateshead
  • Sunderland
  • Durham
  • Northumberland
  • Tees Valley
Questions

Defence supply chain FAQs

What is DEFCON 658?

DEFCON 658 is the contract condition that applies the MOD's Cyber Security Model to a defence contract. It sets the cyber-security terms and flows down through every tier of the supply chain, so it can reach you even as a subcontractor.

Do I need Cyber Essentials or Cyber Essentials Plus for an MOD contract?

It depends on the Cyber Risk Profile the MOD assigns to your contract. Cyber Essentials is the baseline at the lower levels. Cyber Essentials Plus, the independently audited tier, is required at the higher levels. We help you work out which applies and get you there.

What is the Cyber Security Model and what changed in CSMv4?

The Cyber Security Model is how the MOD protects information across its supply chain. The MOD assesses each contract's risk, assigns a profile, and expects suppliers to meet the matching controls in Def Stan 05-138. The model moved to CSMv4, with Def Stan 05-138 Issue 4, for new contracts from December 2025.

What is a Supplier Assurance Questionnaire?

The Supplier Assurance Questionnaire is how you evidence your compliance against the controls for your assigned risk profile. It is completed and submitted through the MOD's Supplier Cyber Protection Service. We help you complete it with real evidence behind every answer.

What is Defence Cyber Certification?

Defence Cyber Certification is a newer scheme that adds independent, evidence-based certification against the Cyber Security Model, rather than self-assessment. It is built on Cyber Essentials at every level.

Can you certify suppliers across the North East?

Yes. We are North East based and certify organisations across the region and the wider UK, on site or fully remotely.

Win and keep defence work, compliantly.