DEFCON 658 – Securing the Defence Supply Chain



Supply Chain Cyber Security

Much more than a buzzword, cyber security is a huge concern for all corners of business and organisations, from SMEs to governments and beyond. The Ministry of Defence (MOD) is no exception. Recognising the importance of protecting sensitive information, particularly while communicating with partner companies outside of the military institution’s own boundaries – the vendors and supply chain that the MOD relies upon to facilitate many services.

To this end, MOD’s DEFCON 658, a critical component of the organisation’s cyber security strategy, demands that all communications meet the guidance and requirements outlined in this framework to bolster the UK’s national security.

What is DEFCON 658?

DEFCON 658 is a cyber security framework established by the UK Ministry of Defence mandating that all suppliers to Defence bidding for contracts involving MOD Identifiable Information (MODII) comply with DEFCON 658 and DEFSTAN 05-138 standards. The primary goal – to enhance the cyber security posture of the MOD’s supply chain, safeguarding sensitive information, and minimising the risk of cyber-attacks.

Introduced in October 2017 due to the growing cyber threat to the defence supply chain, DEFCON 658 safeguards MODII from unauthorised access, disclosure, disruption, modification, or destruction. MODII encompasses data that can identify individuals or organisations linked to the MOD, posing potential harm. Examples include personnel details, equipment information, operational plans, intelligence reports, and financial data.

What are the Objectives of DEFCON 658?

In short, resilience and compliance. However, to leave it there is to do the framework a disservice. DEFCON 658 is vital. It fortifies the defence supply chain, which is a prime target for cyber-attacks. It requires suppliers to adopt stringent cyber security controls to deter, detect, and respond to cyber threats.

Cyber threats are constantly evolving, and the MOD’s supply chain is not immune to them; concluding that its cyber security is only as strong as its weakest link. By implementing DEFCON 658, the MOD aims to improve the resilience of its supply chain against cyber threats by identifying and mitigating risks, ensuring that contractors are proactive in defending against emerging threats. As such, supply chain contractors who wish to engage with the MOD are required to comply with DEFCON 658. This compliance is crucial for maintaining the integrity and security of MOD operations and safeguarding data. To comply, suppliers must align with DEFSTAN 05-138 and implement controls tailored to their business. These controls cover access restrictions, data protection, incident response plans, and personnel training.

Securing the Defence Supply Chain

As individuals, businesses, and institutions we have come to rely heavily upon the internet and electronic methods of communication, parting ways with personal, sensitive data without a moment’s thought. The process now so ingrained in daily life that rarely do we stop and assess the data that we share with outside sources. As one might well imagine, the MOD deals with a vast amount of sensitive information whether in connection to facilities and services, infrastructure or of course, matters of national security. Safeguarding it from cyber threats is then, crucial.

The MOD acknowledges the interconnectedness of its supply chain and emphasises the need for contractors to meet the same security standards and with DEFCON 658 requirements firmly grounded in the protection of sensitive data the onus is as much upon suppliers as it is the MOD.

Contractors must establish and maintain robust security policies and procedures to protect sensitive information themselves. This, as mentioned includes, but not limited to, defining access controls, data encryption, and incident response plans. The framework outlines technical measures that contractors should employ, such as network security, patch management, and secure configuration of systems in addition to mechanisms to detect, respond to, and report security incidents promptly.

While another key element in securing the defence supply chain and facilitating the ability to communicate with the MOD is ensuring that all individuals with access to MOD systems are trustworthy and well-trained. Indeed, DEFCON 658 specifies requirements for personnel security checks (including DBS, BPSS and SC clearances) in addition to ongoing cyber security awareness best-practice training.

The Significance of DEFCON 658

With wide-ranging benefits including reduced cyber risk, enhanced MODII protection, bolstered confidence in the supply chain, and improved collaboration between MOD and suppliers, DEFCON 658 plays a vital role in safeguarding the UK’s national security interests. Below are just four reasons why the framework is significant:

  1. Protection of sensitive data: DEFCON 658 helps protect the MOD’s sensitive data, including classified information, military plans, and strategic assets, from cyber threats.
  2. Deterrence against cyber threats: By setting high cyber security standards, the MOD discourages cyber adversaries from targeting its supply chain. It serves as a deterrent against potential attacks.
  3. Resilience in the face of cyber threats: Cyber-attacks are a constant threat, and DEFCON 658 ensures that the MOD’s supply chain is equipped to withstand and recover from cyber incidents effectively.
  4. Promoting best practices: DEFCON 658 sets an example for the broader industry by promoting best practices in cyber security. This not only benefits the MOD but also influences the private sector to adopt similar standards.

As covered here, the Ministry of Defence’s DEFCON 658 is a crucial component of the nation’s cyber security strategy. By enforcing rigorous standards and requirements for its contractors and suppliers, the MOD is taking a proactive approach to safeguarding its sensitive information and maintaining the resilience of its supply chain. In an age where cyber threats are omnipresent, DEFCON 658 is an essential tool for enhancing the cyber security posture of the MOD and, by extension, the security of the United Kingdom.

For businesses new to the process of supplying into the MOD, everything discussed above can be, until established, a little daunting. Support for DEFCON 658 compliance is however widely available from experienced and assured defence security organisations including Logiq Consulting.