Cyber Essentials

Since 1 January 2016, the MOD has required all suppliers to comply with the Cabinet Office Procurement Policy Note 09/04. What does this mean for you? It means that if you’re looking to win contracts involving the transfer or generation of Ministry of Defence Identifiable Information (MODII), you need to hold a Cyber Essentials certificate.

What is Cyber Essentials?

Cyber Essentials is a Government scheme that was created to help businesses protect themselves against the growing threat of cyber attacks. It is the UK Government’s answer to a safer internet space for organisations of all sizes, across all sectors. Developed and operated by the National Cyber Security Centre (NCSC), Cyber Essentials is considered the best first step to a more secure network, protecting you from 80% of the most basic cyber security breaches.

What should I look out for?

To make it clear which opportunities require Cyber Essentials, the MOD identified a level of risk for each piece of work, meaning that any organisation bidding for the contract must demonstrate that they have the appropriate controls in place. This also includes the supply chain as each tender included in the supply chain will also be subject to the risk assessment.

Having a secure supply chain that has cyber defences in place is more important to the MOD than ever before – which is why Cyber Essentials is the minimum level of certification an organisation needs to implement in order to bid for new MOD contracts that involve MODII.

What are the risk levels?

To keep you right, the MOD created five gradings of cyber risk level that make it clear when Cyber Essentials is required.

Not Applicable

This is for contracts that have little to no cyber risks. No Cyber Essentials certification is needed for this risk level.

Very Low

A basic risk level is faced here, such as a phishing attach or a simple hacking. Only Cyber Essentials certification is required here.


Threats are slightly more targeted at this level and could involve semi-skilled attackers. Cyber Essentials Plus is required here.


This level is for contracts that could face more advanced threats that are becoming more targeted. Attackers could gain access to critical assets. With these types of attacks, the attacker is likely to be persistent, organised and skilled. Cyber Essentials Plus is required for this level.


This level is for contracts assessed as being subject to Advanced Persistent Threats (APT). These attacks will be organised, sophisticated, well resourced and persistent. Cyber Essentials Plus is required here.

Be eligible to win more

Protect your business from 80% of common cyber attacks with Cyber Essentials and be eligible to win more business with the MOD.

Did you know that the MOD spends over £20 billion on the procurement of goods and services each year?. Don’t miss out!

If you haven’t already joined the Cyber Essentials scheme, then now is the time to do so.