Thales Blog

DEFCON 658 – What You Need To Know

January 30, 2018

The UK Ministry of Defence’s (MoD) DEFCON 658 aims to protect the defence supply chain from cyber threats. Impacting directly the MoD’s suppliers - or indeed would-be suppliers – it applies to any contract containing sensitive departmental information.

As of April 2017, its introduction has ratcheted up pressure on those suppliers wishing to partake in lucrative government contracts, thus ensuring that any cyber risks are handled and mitigated appropriately.

The cybersecurity protocol also requires compliance with the Defence Standard (DEFSTAN) 05-138, and, as of October 2017, adherence to DEFCON 658 was extended to the supply chains (sub-contractors) of the suppliers themselves. The partnership therefore represents a joint effort by government and the industry itself to protect the defence supply chain by any means necessary.

In the aftermath of global cyberattacks such as WannaCry and Petya, both of which highlighted how organisations around the world are simply not robust enough to withstand a sophisticated breach of their digital defences, the DEFCON 658 represents a concerted effort to bolster cybersecurity across the entire supply chain.

Businesses that are unable to address the DEFSTAN 05-138 controls are left vulnerable to not only having any existing contracts terminated, but also being forced to cough up financially for any damages incurred.

Why is it important?

Not only do direct suppliers to the MoD need to be wary of any threats, but suppliers to those suppliers must closely consider the implications too.

Ensuring that those who supply to the MoD adhere to a rigid set of digital security procedures will fortify security controls in the supply chain. This will also cement the right emerging technologies more deeply throughout the process, as well as ensure that personnel requirements are accounted for.

If organisations successfully comply with the security controls spelled out in DEFSTAN 05-138, it will mean enhanced protection of the sensitive information entrusted to MoD suppliers and, theoretically, better security for UK citizens.

Who’s affected by it?

Unlike the General Data Protection Regulation (GDPR) and the Second Payment Services Directive (PSD2) that have been incessantly hogging the headlines in recent months, the universe of organisations affected by DEFCON 658 is much smaller, and thus much more concentrated.

The red thread for compliance is the pressing need for organisations to only afford access to such sensitive company data to credentialed users. Those companies producing intelligence logs to document such access have already taken a big step required to demonstrate compliance.

Organisations must be acutely aware of the requirements, leaving many to turn to the MoD and industry experts for guidance and clarity, as well as work hard to satisfy the key MoD mandates.

Where can you find guidance?

The security and compliance experts at Thales are here to assist. Visit our DEFCON 658 Compliance page or contact us directly to learn how we can help strengthen your ability to comply with the MoD’s requirements.