
Cyber Essentials for Government Contracts and MOD Supply Chain

Since October 2014 (Procurement Policy Note 09/14), suppliers bidding for central government contracts that involve handling sensitive or personal information must hold a valid Cyber Essentials certificate. MOD supply chain contracts carry additional requirements. This guide explains what is needed and how to achieve it.

Overview

Cyber Essentials has been a condition of central government contracts involving sensitive or personal data since October 2014. MOD supply chain contracts under DEFCON 658 require Cyber Essentials Plus. Certification is annual and covers five technical controls. 48% of certified organisations report that their own suppliers are increasingly required to hold certification.


Why Government Contracts Require Cyber Essentials

For UK businesses that supply goods or services to government, cybersecurity certification is not optional: it is a contractual prerequisite. Since October 2014, central government contracts involving the handling of sensitive information or personal data have required suppliers to hold a valid Cyber Essentials certificate. The requirement followed guidance from CESG (the NCSC's predecessor) that a defined set of baseline technical controls, correctly implemented, would protect against the majority of common, commodity cyber attacks.

The mandate applies across central government departments and their executive agencies: HMRC, the Ministry of Defence, the Home Office, the Department for Education, agencies such as the DVLA, and the rest of central government. Local government and NHS trust contracts often carry the same requirement, though this varies by authority and contract type. The tender documents for any specific procurement will state whether Cyber Essentials certification is required and which tier, standard or Plus, is specified.

The DSIT Cyber Security Breaches Survey 2025 found that 43% of UK businesses experienced a cybersecurity breach or attack in the past 12 months, with 74% of large businesses reporting breaches (DSIT 2025). The government's supply chain security requirements exist precisely because a breach at a supplier can compromise the security of government systems and the personal data of citizens.

Cyber Essentials: The Mandatory Baseline

Cyber Essentials is the UK government's baseline cybersecurity certification scheme, delivered by IASME as the NCSC's partner. It covers five technical controls that together address the attack vectors used in the majority of common cyber attacks: firewalls and internet gateways, secure configuration, user access control, malware protection, and security update management (patch management).

Standard Cyber Essentials is a self-assessment questionnaire completed online through a certification body licensed by IASME. You answer detailed questions about your technical controls across all five areas, a board member (or equivalent) signs off the declaration, and a qualified assessor reviews your responses; answers that do not show a control is genuinely in place are returned for clarification. If your answers demonstrate that the five controls are in place, you receive the certification. For businesses that are already prepared, completing the questionnaire typically takes one to three days. The certificate is valid for 12 months and must be renewed annually.

With 55,995 Cyber Essentials certifications issued in 2025 (NCSC), the scheme has become the de facto standard for demonstrating baseline cybersecurity to government and private sector clients alike.

Cyber Essentials Plus: The MOD and Defence Requirement

Cyber Essentials Plus covers the same five controls but adds independent technical verification by an assessor from a licensed certification body. It builds on the standard certification rather than replacing it: you first pass the self-assessment, and the Plus testing must then be completed within three months of that certificate. The assessor tests your actual systems: an external vulnerability scan of your internet-facing IP addresses, an authenticated vulnerability scan of a sample of in-scope devices to find missing updates and unsupported software, malware protection tests (test files delivered by email attachment and browser download), a check that MFA is enforced on cloud services, and a check that administrator accounts are separated from day-to-day accounts. This hands-on testing provides a higher level of assurance that controls are genuinely implemented, not just described on a questionnaire.

Ministry of Defence supply chain contracts under DEFCON 658 require Cyber Essentials Plus. DEFCON 658 assigns each contract a cyber risk profile under Def Stan 05-138, and that stated profile determines the exact control set: standard Cyber Essentials satisfies only the lowest profiles, and Cyber Essentials Plus is the baseline wherever MOD identifiable information is handled. The requirement applies to all suppliers in the defence supply chain, not just direct MOD contractors; DEFCON 658 obliges the prime contractor to flow it down to sub-contractors who handle relevant information. Many other high-value or sensitive government contracts are beginning to specify CE+ rather than standard CE as the minimum requirement, reflecting the growing recognition that independent verification provides meaningfully greater assurance.

The average cost of a data breach for UK organisations was £3.4 million (IBM 2024). For defence and government supply chain contexts, where breaches can have national security implications, the additional assurance provided by CE+ is considered proportionate and necessary.

Defence Standard (Def Stan) Requirements

For suppliers working on classified or sensitive MOD contracts, requirements extend beyond Cyber Essentials Plus. Defence Standard 05-138 (Cyber Security for Defence Suppliers) sets out additional security controls for the handling of MOD information. These requirements cover areas including secure communications, data handling procedures, personnel security, and incident reporting specific to defence contexts.

Suppliers handling information classified at OFFICIAL-SENSITIVE or above must meet additional requirements that go significantly beyond the Cyber Essentials framework. AMVIA's readiness assessment identifies where your current controls stand relative to both Cyber Essentials Plus and any additional Def Stan requirements specified in your contract.

Supply Chain Cascade: Requirements Flowing Downstream

Government cybersecurity requirements do not stop at the primary contractor. Supply chain security is a growing focus across UK government procurement, with requirements cascading to sub-contractors and suppliers throughout the chain. If you supply a business that holds a government contract, you may be required to hold Cyber Essentials certification even if you do not contract with government directly.

According to DSIT, phishing was involved in 85% of the breaches businesses identified (DSIT 2025), and supply chain compromise is an increasingly common attack vector. The 2023 attack on IT provider CTS simultaneously disrupted multiple law firms, demonstrating how a single supplier compromise can cascade across an entire sector. Government procurement requirements are designed to prevent exactly this type of cascading failure.

Only 14% of UK businesses have a formal incident response plan (DSIT 2025). For government suppliers, the expectation is considerably higher — incident reporting procedures, breach notification timescales, and evidence of ongoing security management are frequently specified in contract terms.

Common Reasons for Failing Certification

The most common reasons UK businesses fail Cyber Essentials assessment are:

  • Unpatched software, particularly third-party applications such as web browsers, Java and PDF readers that Windows Update does not cover; the scheme requires critical and high-risk updates (CVSS v3 7.0 and above) to be applied within 14 days of release
  • Unsupported operating systems and applications still in use (Windows 7, Windows Server 2012 and 2012 R2, Windows 10 from October 2025, or any other end-of-life software); unsupported software must be removed from scope or segregated
  • Weak administrator account controls: shared admin accounts, or administrators using their privileged account for email, browsing and other day-to-day tasks rather than a separate standard account
  • Firewall rules that allow unnecessary inbound access
  • MFA not enforced on all cloud service accounts, for every user and not only administrators
  • Overly permissive user permissions that grant access beyond what each role requires

For Cyber Essentials Plus specifically, the most common failure points are patch compliance on the sampled devices (updates more than 14 days old found by the authenticated scan), legacy authentication protocols still enabled in Microsoft 365 (basic authentication over IMAP, POP or SMTP AUTH cannot prompt for MFA, so an MFA policy that looks enforced can still be bypassed with a password alone), and mobile devices accessing business data without adequate management policies.

Preparing for Certification: Timeline and Planning

AMVIA recommends starting the Cyber Essentials process at least six weeks before any contract deadline. For businesses starting from scratch, the timeline typically breaks down as follows: two to three weeks for the pre-assessment gap analysis and remediation planning; two to four weeks for implementing any required changes (patching, MFA deployment, firewall reconfiguration, policy updates); and one week for the formal assessment itself. Cyber Essentials Plus requires an additional one to two weeks for the technical verification stage.

For businesses already on AMVIA's managed cybersecurity service, the annual renewal is significantly more straightforward because the required controls are maintained continuously throughout the year. AMVIA tracks certification expiry dates and initiates renewal proactively.

Key Considerations for Government Suppliers

  • Check tender documents carefully — the specific CE variant required (standard or Plus) will be stated in the procurement documentation
  • Certification scope must cover all devices and systems relevant to the contract: cloud services including Microsoft 365 are in scope, as are staff-owned (BYOD) devices that access business data
  • Annual renewal is mandatory — an expired certificate disqualifies you from bidding and may breach existing contract terms
  • Sub-contractors may need their own certification — check whether supply chain requirements cascade to your suppliers
  • MOD contracts under DEFCON 658 require CE+ specifically — standard CE is not sufficient
  • Allow sufficient lead time — rushing certification increases the risk of failure and the cost of remediation

How AMVIA Supports Government Suppliers

AMVIA prepares and supports UK businesses through both Cyber Essentials and Cyber Essentials Plus certification. The process begins with a comprehensive readiness assessment that identifies every gap against the required standard, followed by structured remediation and the formal assessment. For businesses in the MOD supply chain or tendering for high-value government contracts, AMVIA's managed cybersecurity service maintains CE+ compliance on an ongoing basis, making annual renewal straightforward and ensuring your certification never lapses.

Key Points

What suppliers need to know about Cyber Essentials for government contracts.

Mandatory Since 2014

All central government contracts involving personal information or sensitive data require Cyber Essentials certification as a condition of bidding.

MOD Requires CE Plus

Ministry of Defence supply chain contracts under DEFCON 658 require Cyber Essentials Plus — the independently verified version.

Annual Renewal Required

Cyber Essentials certificates are valid for 12 months. Allowing certification to lapse can result in disqualification from contract renewals.

Supply Chain Pressure Growing

48% of Cyber Essentials-certified organisations report suppliers are increasingly required to hold certification — creating a cascade through supply chains.

Cyber Essentials Contract Readiness Checklist

Confirm whether contract requires CE or CE Plus — check tender documents

Critical and high-risk security updates (CVSS v3 7.0 and above) applied to all software and operating systems within 14 days of release, with automatic updates enabled where available

Admin accounts separate from day-to-day user accounts

MFA enforced on all cloud accounts including Microsoft 365

Endpoint protection active and up to date on all in-scope devices

Annual renewal date tracked — lapsed certification disqualifies from contract bids
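The failure points listed under "Common Reasons for Failing Certification" and the checklist above are easy to state and easy to lose track of across a fleet. The script below is an added example, not AMVIA's tooling and not the IASME test specification: it runs the 14-day patch rule, the unsupported-OS check, the admin account separation check and the cloud MFA check over a constructed inventory. The inventory format, the sample hosts and accounts, and the end-of-support dates in OS_END_OF_SUPPORT are assumptions for illustration; verify lifecycle dates against the vendor before relying on them.

```python
"""Pre-assessment gap check for the Cyber Essentials failure points above.
Added example: not AMVIA's tooling and not the IASME test specification.
Inventory format, sample hosts/accounts and end-of-support dates are constructed."""
from dataclasses import dataclass
from datetime import date

PATCH_WINDOW_DAYS = 14   # CE: critical/high-risk updates applied within 14 days
HIGH_RISK_CVSS = 7.0     # CE treats a CVSS v3 base score of 7.0 or above as high risk
# Assumed end-of-support dates (None = still in support); confirm with the vendor.
OS_END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows Server 2012 R2": date(2023, 10, 10),
    "Windows 10": date(2025, 10, 14),
    "Windows 11": None,
}

@dataclass
class Update:
    name: str
    cvss: float
    released: date
    installed: bool

@dataclass
class Device:
    hostname: str
    os: str
    updates: list        # Update objects the vendor has released for this device
    daily_users: set     # accounts that do email/browsing on this device

@dataclass
class Account:
    name: str
    is_admin: bool
    mfa_enabled: bool
    internet_facing: bool  # cloud service (e.g. Microsoft 365) or other external login

def check_patching(device, today):
    """High-risk updates still missing after the 14-day window."""
    out = []
    for u in device.updates:
        if u.installed or u.cvss < HIGH_RISK_CVSS:
            continue
        overdue = (today - u.released).days - PATCH_WINDOW_DAYS
        if overdue > 0:
            out.append(f"{device.hostname}: {u.name} (CVSS {u.cvss}) is "
                       f"{overdue} days past the {PATCH_WINDOW_DAYS}-day window")
    return out

def check_os_support(device, today):
    """Operating systems that are end-of-life, or unknown to the lifecycle table."""
    if device.os not in OS_END_OF_SUPPORT:
        return [f"{device.hostname}: {device.os} not in lifecycle table, confirm support"]
    eol = OS_END_OF_SUPPORT[device.os]
    if eol is not None and eol <= today:
        return [f"{device.hostname}: {device.os} unsupported since {eol.isoformat()}"]
    return []

def check_admin_separation(device, accounts):
    """Admin accounts doing day-to-day work fail the account-separation check."""
    admins = {a.name for a in accounts if a.is_admin}
    return [f"{device.hostname}: admin account {name} used for day-to-day work"
            for name in sorted(device.daily_users & admins)]

def check_mfa(accounts):
    """Every internet-facing (cloud) account must have MFA enforced, admin or not."""
    return [f"{a.name}: no MFA on internet-facing account"
            for a in accounts if a.internet_facing and not a.mfa_enabled]

def run_gap_check(devices, accounts, today):
    findings = {"patching": [], "unsupported_os": [], "admin_separation": [],
                "mfa": check_mfa(accounts)}
    for d in devices:
        findings["patching"] += check_patching(d, today)
        findings["unsupported_os"] += check_os_support(d, today)
        findings["admin_separation"] += check_admin_separation(d, accounts)
    return findings

def is_ready(findings):
    return not any(findings.values())

# Constructed sample inventory (not real hosts or accounts).
SAMPLE_ACCOUNTS = [
    Account("alice", is_admin=False, mfa_enabled=True, internet_facing=True),
    Account("bob-admin", is_admin=True, mfa_enabled=True, internet_facing=False),
    Account("carol", is_admin=False, mfa_enabled=False, internet_facing=True),
    Account("svc-m365", is_admin=False, mfa_enabled=False, internet_facing=True),
]
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11",
           [Update("KB-A", 8.8, date(2025, 5, 1), installed=False),
            Update("KB-B", 5.3, date(2025, 4, 1), installed=False)], {"alice"}),
    Device("SRV-02", "Windows Server 2012 R2", [], {"bob-admin"}),
    Device("LAPTOP-03", "Windows 11",
           [Update("KB-A", 8.8, date(2025, 5, 25), installed=False)], {"carol"}),
]

if __name__ == "__main__":
    result = run_gap_check(SAMPLE_DEVICES, SAMPLE_ACCOUNTS, date(2025, 6, 1))
    print("READY" if is_ready(result) else "NOT READY", result)
```

Run against the constructed inventory on 1 June 2025 it reports one overdue high-risk update (the CVSS 5.3 update is outside the 14-day rule and is ignored), one end-of-life server, one admin account used for daily work and two cloud accounts without MFA. Feed it your own asset register before the gap analysis and each finding maps directly to a checklist item above.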


Get Cyber Essentials Certified

AMVIA manages the full Cyber Essentials certification process — from gap assessment through to certification. Talk to our team about your contract requirements and timeline.