Interim DCPP Cyber Security Model process

Please find below a note on the DCPP Interim process

An interim service is in place while the Supplier Cyber Protection service is transitioned to a new tool. It is anticipated that this interim process will last three months.

An Industry Security Notice will be published shortly which will explain how the process will work in detail. In the meantime, if you need to complete an RA or SAQ please contact the DCPP Team.

We thank you for your patience.

DCPP Team

ISSDes-DCPP@mod.gov.uk

Interim Process for New Contracts

MOD Risk Assessment (RA)

The MOD Project / Delivery Manager needs to complete the Risk Assessment via the interim process. This uses MS Forms (preferred) or PDF.

Supplier Assurance Questionnaire (SAQ)

Tenderers must still complete an SAQ and provide it with their tender responses. The MOD Project Team will provide the SAQ. On completion, it must be sent to the DCPP Team (ISSDes-DCPP@mod.gov.uk) for a result to be provided. The completed SAQ and result must be included with tender responses, along with a Cyber Implementation Plan (CIP) if appropriate.

Flow down

Whilst the interim process is in place, flow down of the Risk Assessment/Supplier Assurance Questionnaire process to sub-contracts will be required for contracts with a High-risk profile only. All other levels must be completed during a grace period after the new tool goes live.

DEFCON 658

DEFCON 658 will continue to be included in contracts. Cyber Implementation Plans (CIPs) will continue to be needed as usual where SAQs indicate non-compliance (for all Tier 1 SAQs and High flow down).

Interim process flow (roles: MOD Project / Delivery Manager, Delivery Team, Bidding Supplier, DCPP Team)

1. MOD Project / Delivery Manager: Acquire the RA form from the intranet (either MS Forms or PDF).

2. MOD Project / Delivery Manager: Complete the RA and send it to the DCPP Team.

3. DCPP Team: Generates the CRP and RAR and returns these to the MOD Delivery Team.

4. Delivery Team: Include the CRP in the earliest supplier engagement (e.g. Contract Notice).

5. Delivery Team: Include the CRP, RAR and SAQ in the tender documentation.

6. Bidding Supplier: Complete the SAQ and return it to the DCPP Team for a result to be provided.

7. DCPP Team: Collates and informs the Supplier of the SAQ reference, the SAQ result and, if applicable, CIP requirements.

8. Bidding Supplier: Submit the SAQ and the DCPP result email with the tender response to the MOD Delivery Team. If required, the Supplier includes their completed CIP with their tender response.

9. Flow down: For Moderate or below, the RA/SAQ process will not flow down to sub-contracts during the interim. High-risk contracts do require flow down; for further information, contact the DCPP Team. This does not prevent a supplier from ensuring resilience in their own supply chain.

10. Delivery Team: Inform the DCPP Team when the selected supplier has signed the contract.

The DCPP Team will turn around any RA and SAQ results within 2 working days.

Interim Process: Tenders issued before 4th June 2021

For tenders which were published before 4th June 2021 (i.e. whilst the Supplier Cyber Protection service was still accessible), once the tender period ends you may receive some SAQs that were completed using SCPS and others that were completed using the interim process. The questions and scoring methods for both SAQ methods are identical. It is important that tenderers are treated equally, regardless of which SAQ completion method was used.

Interim Process: Annual Renewals of RAs & SAQs

Annual renewals will be on hold until the new tool is online, after which there will be a six-week grace period for the renewal to be completed.

Glossary

CIP: Cyber Implementation Plan. This is completed by the supplier if their SAQ result is 'Not Met'.

CRP: Cyber Risk Profile. Risk level associated with MOD Identifiable Information. Profiles are N/A, Very Low, Low, Moderate and High.

CSM: Cyber Security Model. The process which MOD uses to protect its information in the supply chain.

DCPP: Defence Cyber Protection Partnership. A collaboration between MOD, other government departments and industry to protect MOD information in the supply chain.

DCPP Team: MOD team delivering the Cyber Security Model (CSM).

RA: Risk Assessment. Six questions to determine the Cyber Risk Profile.

RAR: Risk Assessment Reference. Uniquely identifies the Risk Assessment.

SAQ: Supplier Assurance Questionnaire. Suppliers use this document to inform the Buyer of their cyber security against the requirement for the Cyber Risk Profile.