Understanding & Meeting UK MOD’s DEFCON 658 Regulatory Framework

Like CMMC in the United States, the UK Ministry of Defence’s (MOD) DEFCON 658 is a cybersecurity condition placed on MOD contracts: it applies to any organisation whose contract involves handling MOD Identifiable Information (MODII), and it requires compliance with the controls in DEF STAN 05-138. The goal of DEFCON 658 is to protect MODII across the whole of the defence supply chain from cyber threats. Any business looking to participate in such an MOD contract must meet the cybersecurity standards across the following categories of controls:

  • Security Governance
  • Security Culture and Awareness
  • Information Asset Security
  • Info-Cyber Systems Security
  • Personnel Security
  • Security Incident Management

These controls are set out in DEF STAN 05-138 and flow down throughout the supply chain, meaning the prime contractor is responsible for including DEFCON 658 in its subcontracts and for its subcontractors’ adherence to the control framework wherever MODII is passed on.

DEFCON 658 took effect in October 2017 and remains the condition the MOD applies to protect its information in supplier contracts. It bears repeating that DEFCON 658 extends throughout your supply chain: subcontractors, partners, and suppliers. The bidding organisation is expected to have controls in place not just for its own business, but for every partner that handles MODII on its behalf.

To be compliant, businesses need to both define policies and put controls in place to enforce those policies. Additionally, they need to build a culture of security awareness among their employees and extend that training to their suppliers. HighSide helps businesses enforce policies with data security controls, and supports a security-aware culture with always-encrypted communication and collaboration infrastructure.

Used as both the “policy” for data storage and sharing and the “control” that enforces data security requirements, HighSide enables organisations to meet, or partially meet, the following DEF STAN 05-138 controls. The prefix on each control ID indicates the cyber risk level at which it first applies (L = Low, M = Moderate, H = High); the set of controls a supplier must meet depends on the risk level assigned to its contract, with higher levels building on the lower ones.

  • L.02 Define and implement a policy which addresses information security risks within supplier relationships.
  • M.01 Define and implement a policy which provides for regular, formal information security related reporting.
  • M.04 Define and implement a policy for storing, accessing, and handling sensitive information securely.
  • L.07 Define and implement a policy to control access to information and information processing facilities.
  • M.06 Ensure the organisation has identified asset owners and asset owners control access to their assets.
  • L.08 Maintain Cyber Essentials Scheme Plus Certification.
  • L.11 Record and maintain the scope and configuration of the information technology estate.
  • M.08 Define and implement a policy to monitor network behaviour and review computer security event logs for indications of potential incidents.
  • H.03 Deploy network monitoring techniques.
  • L.12 Define and implement a policy to manage the access rights of user accounts.
  • M.09 Define and implement a policy to monitor user account usage and to manage changes of access rights.
  • M.12 Define and implement a policy to control the flow of information through network borders.
  • M.13 Define and implement a policy to maintain the confidentiality of passwords.
  • H.08 Undertake administration access over secure protocols, using multi-factor authentication.

For more information on how HighSide can help you meet DEFCON 658 data security and sharing requirements as well as DEF STAN 05-138 controls, schedule a consult with a HighSide UK government services representative.