With the release of Def Stan 05 138 in May 2024, the UK Ministry of Defence (MOD) has made clear that suppliers must proactively safeguard the Defence ecosystem, or risk losing out.
What is Def Stan 05 138?
The MOD Defence Standard 05-138 is a set of cyber security rules and expectations for any company or organisation that works with or supplies to the UK Ministry of Defence (MOD). At its core is the Cyber Security Model (CSM), which outlines a risk-based, proportionate framework to protect not only MOD data but also the operations of suppliers themselves.
Its main goal is to make sure that everyone in the MOD’s supply chain, whether you’re a small software vendor or a major equipment manufacturer, is doing enough to protect data, systems, and operations from cyber attacks.
Think of it like a “health check” for cyber security that’s tailored for MOD suppliers.
Def Stan Objectives
Def Stan 05 138 assesses cyber security controls across four key objectives:
- Objective A: Managing security risk
“The Supplier has appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to its network, and information systems, including all network and information systems that protect all Data.”
- Objective B: Protecting against cyber attack
“The Supplier has proportionate security measures in place to protect the networks and information systems supporting all Functions from cyber attack”
- Objective C: Detecting cyber security events
“The Supplier has capabilities which enable security defences to remain effective and detect cyber security events affecting, or with the potential to affect, Functions and protection of Data.”
- Objective D: Minimising the impact of cyber security incidents
“The Supplier shall ensure capabilities exist to minimise the adverse impact of a cyber security incident on the operation of Functions and protection of Data, including the restoration of Functions and Data.”
This new issue introduces four Cyber Risk Profiles across these objectives: Level 0 (Basic), Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert), replacing the previous five-tier model. Each level carries increasing requirements, with controls spanning governance, identity management, data protection, threat monitoring, incident response and more.
Why was this standard put into place?
The MOD supply chain encompasses hundreds of contractors, from SMEs to prime integrators. Any weak link presents an opportunity for adversaries, whether state-backed or criminal, to exploit. Def Stan 05 138 is necessary to:
- Standardise expectations: Ensuring every supplier understands and applies a minimum level of security controls.
- Protect MOD assets and data: Particularly where sensitive or classified data is involved.
- Enable scalable resilience: A small tool supplier might be Level 0, while a cyber platform provider could fall under Level 3. The framework allows proportionality.
It’s all about operational assurance and maintaining the UK’s defence posture.
A closer look at the Cyber Risk Levels
We broke down the levels outlined in the guidelines, which in simple terms can be differentiated by:
| Level | Label | # of Controls | Key Themes |
|---|---|---|---|
| 0 | Basic | 3 | Cyber Essentials, basic awareness |
| 1 | Foundational | 101 | Governance, MFA, patching, training |
| 2 | Advanced | 139 | Threat intelligence, data encryption, SOC |
| 3 | Expert | 144 | Defence-in-depth, proactive threat hunting, resilience testing |
The MOD assigns each supplier a profile through its risk assessment process. Contracts may also dictate a minimum level via DEFCON 658 and Security Aspects Letters.
Why being UK-based matters more than ever
Before diving into the technicalities of Defence Standard 05-138, it’s worth highlighting a foundational consideration: data sovereignty.
When working with the MOD or supporting UK defence interests, where your data goes and who has access to it matters deeply. That’s why e2e-assure’s 100% UK-based operations are more than just a logistical choice. They are a strategic asset.
We provide:
- Complete data residency within the UK, ensuring sensitive information never leaves jurisdiction.
- Security-cleared analysts, trained and certified to operate within MOD-aligned environments.
- Trusted access protocols, aligned with MOD vetting, enabling us to handle classified or sensitive data securely.
This foundation gives our clients full confidence in our compliance with UK law, MOD requirements, and standards like Def Stan 05-138. It also helps suppliers streamline assurance processes, especially where they must demonstrate stringent monitoring and response capabilities.
Highlights from the control set
So, what specifically does this mean for suppliers? They will need to ensure the following is in place:
- Levels 0-1 only require Cyber Essentials
- Cyber Essentials Plus is needed for Levels 2-3
- Multi-Factor Authentication (MFA) and least privilege (POLP) access management
- Proactive security event discovery and 24/7 monitoring (Level 2+)
- Penetration testing, threat intelligence, and incident response playbooks
- Emphasis on data loss prevention (DLP), remote access control, and resilience planning
NCSC, NIST, and frameworks like MITRE ATT&CK inform these controls by mapping them to real-world threats.
How e2e-assure supports compliance and resilience
e2e-assure uniquely helps suppliers meet Def Stan 05-138 requirements while strengthening their cyber defences. Our team delivers direct support through Managed Threat Detection and Response and a range of expert consultancy services.
Managed Threat Detection and Response (MTDR)
Our MTDR service maps to Objective C by providing:
- 24/7 monitoring and triage of security events
- Threat hunting and IOC (Indicators of Compromise) detection
- SOC capabilities tailored to MOD compliance (e.g. secure logging, reporting, and escalation)
- Fully UK-based operations ensuring data sovereignty, with security-cleared analysts who understand MOD-specific threat environments.
We can also directly address elements of Objective D, minimising incidents through incident response partners and tabletop exercises.
Cyber Consultancy
- Microsoft 365 Security Reviews: Identify misconfigurations, improve secure collaboration.
- Microsoft Sentinel Operations Reviews: Get more from your SIEM with best practice guidance.
- Dark Web Threat Reporting: Understand what adversaries already know about your organisation.
Our expert team helps clients build the evidence portfolios they need for MOD audits and, more importantly, protect critical services.
Final Thoughts
Defence Standard 05-138 challenges suppliers with a comprehensive set of guidelines. But that’s no surprise – it lays out a blueprint to secure one of the world’s most targeted defence supply chains.
For suppliers, compliance is table stakes. But those who invest in resilience, threat visibility, and proactive controls will stand out not just in MOD contracts, but across all public sector procurement.
e2e-assure can help you get there. With 10 years of heritage in Defence and Central Government, we are well equipped to partner with organisations that need to remain compliant with these standards. Get in touch to chat with the team.