The following piece, written by Julian Nettlefold, first appeared on Warrior Maven, a Military Content Group member website.
Editor’s Note: Below is a letter from the UK Ministry of Defence emphasizing the critical need for enhanced cybersecurity in the defense supply chain. It calls on contractors to adopt the NCSC’s Cyber Assessment Framework, implement robust security measures, and register on the MyNCSC portal to access tools like Active Cyber Defence. These steps are essential to safeguard defense operations and national security amidst an evolving global threat landscape.
—
From the UK Ministry of Defence
Second Permanent Secretary, MOD; Charlie Forte, DG Chief Information Officer, MOD; Andrew Forzani, DG Commercial
18 Dec 2024
As you are aware, cybersecurity remains one of the greatest threats we face as a defense enterprise, with the global threat landscape intensifying over the past year. It is vital we are resilient to ensure we continue to collectively deliver critical defense capabilities.
We have previously written out individually to companies in the defense supply chain to encourage improvements in cyber resilience.
However, a number of incidents this year within the public sector supply chain serve as a stark reminder of the need for robust and continuous enhancement of our cyber security measures.
Irrespective of the nature of your business, building resilience and good security practices across the end-to-end supply chain to mitigate this risk is non-negotiable and a critical requirement for all contracts with the Ministry of Defence.
Mounting an effective cyber defense is complicated, and the nature of the measures you need to take is driven by multiple factors. However, the National Cyber Security Centre (NCSC) has produced clear guidance and advice. We are therefore writing to highlight this guidance and lay out our expectations.
What are we asking you to do?
Review your organization’s performance against the NCSC’s Cyber Assessment Framework.
The NCSC has developed the Cyber Assessment Framework to aid you in developing a robust cyber defense.
The Framework is supported by a series of indicators of good practice, and we would expect to see you achieving these standards. All elements of the Framework are important, but we would like to draw your attention to the following areas:
• Govern – Your organization must have appropriate management policies, processes, and procedures in place to govern its approach to the security of network and information systems.
You should be holding regular board-level discussions on the security of the network and information systems supporting the operation of your essential functions and these should be informed by expert guidance.
• Identify – You must ensure that your organization understands, documents, and manages access to the networks and information systems that support the operation of your essential functions. Users and automated functions that can access data or services must be appropriately verified, authenticated, and authorized.
• Protect – Your organization must define, implement, communicate, and enforce appropriate policies, processes, and procedures to secure and proactively patch the systems that support your essential functions.
• Detect – You must ensure that your organization has the capabilities to ensure security defenses remain effective and to detect cyber security events affecting, or with the potential to affect, essential functions.
• Respond and Recover – You must have well-defined and tested incident management processes in place to ensure continuity of essential functions in the event of system or service failure.
Mitigation activities designed to contain or limit the impact of compromise are also in place.
Adopt Active Cyber Defence (ACD).
Register your company on the MyNCSC portal and prioritize the adoption of ACD tools, including the “Early Warning” service.
Implement the new Cyber Security Standard for Suppliers.
We have recently published an enhanced standard for organizational cyber resilience that we will require all supply chain organizations to apply in the coming months.
Deliver ‘Secure by Design’
Continue to apply MOD’s through-life approach to development of products, systems and services. By designing security into projects from the start, you help Defence stay ahead of adversaries and maintain national security.
Forward look
MOD is making significant investment in order to transform the way in which risk is managed in the end-to-end Defence supply chain, including enhancing cyber security.
You are hopefully already familiar with MOD’s Cyber Security Model (CSM) – a new risk-based methodology to enhance supply chain resilience underpinned by the enhanced standard for supply chain organizations. This is being rolled out across the supply chain as part of our enhanced approach to assurance. We are also working with NCSC colleagues regarding its central offering of ACD services and the progression of such under ACD2.0, promoting access to a range of tools and services to Defence supply chain organizations to help further reduce the harm from commodity cyber-attacks.
Accessed via the MyNCSC portal, registered Defence suppliers will be among the first to learn about and have access to new services as they evolve. We will also be establishing new collaborative fora, such as via the ‘Connect, Inform, Share, Protect’ (CISP) portal, alongside other activities, with further details to be published on such in the coming months – sharing threat intelligence more effectively across organizational boundaries and working together to ‘defend as one.’
We ask that you cascade this letter to all Defence subcontracts that you may hold.
Thank you for your continued support and ongoing engagement; this remains vital in safeguarding the UK’s Defence and national security, ensuring we can operate effectively in times of crisis. We know you wish to join us in ensuring that we keep pace with the threat and keep us secure.
Yours faithfully,
Paul Lincoln, Second Permanent Secretary