DS 05-138 Issue 4 live since July 2024
UK Defence Standard 05-138 (Issue 4)

Show MoD your cyber posture is procurement-ready.

Defence Standard 05-138 Issue 4 (UK MoD, July 2024) is the mandatory cyber security baseline for defence suppliers, and a procurement gate on every MoD bid. Issue 4 retired the old five-tier risk language and now organises controls into four Cyber Risk Profiles — Level 0 (Basic), Level 1 (Foundational), Level 2 (Advanced) and Level 3 (Expert). Each profile imposes a different control set across governance, access management, logging, patching, supplier flow-down and incident response. Secruna detects the controls already in place across your stack, generates the per-profile DS 05-138 evidence pack, and keeps it ready for the next bid gate or supplier-assurance review.

Why this matters

Three exposures bite — in this order.

DS 05-138 is enforced through procurement, not through a regulator. The cost of being the supplier without a current evidence pack is measured in framework positions and bid gates, not retainers — and Issue 4 has tightened the bar at every Cyber Risk Profile.

Procurement gate

MoD bid documentation requires a current DS 05-138 self-assessment plus the supporting evidence pack — governance policies, access-control posture, audit logs, patch cadence, supplier attestations, incident-response plan. The question lands on Defence pre-qualification questionnaires, on capability-area RFIs, and on supplier-assurance reviews held by primes on behalf of MoD. A bid that cannot answer it does not progress past the assurance gate, regardless of how strong the technical proposal is.

Profile-tiered — get it right

Issue 4 organises the standard into four Cyber Risk Profiles. Level 0 (Basic) requires only Cyber Essentials. Level 1 (Foundational) layers in governance, supply-chain flow-down, endpoint encryption and email authentication. Level 2 (Advanced) adds Cyber Essentials Plus, MFA on critical systems, audit-log retention, vulnerability scanning, network segmentation and resilient backups. Level 3 (Expert) goes further again with threat intelligence, 24x7 monitoring, an annual penetration test and a documented incident-response plan. Get the profile wrong and the supplier either over-engineers cost into a low-risk bid or under-prepares for a high-impact contract — both lose contracts.

Cascades through subcontractors

DS 05-138 propagates through the supplier chain. Prime contractors flow the obligation down to tier-2 suppliers via DEFCON 658 and Security Aspects Letters; tier-2 firms flow it on again to their own subcontractors. Even small chartered firms with a single MoD-portfolio instruction inherit the same Cyber Risk Profile assignment as the prime contracting authority chooses for that contract. The inheritance is not optional and not negotiable, and the prime audits the flow-down.

The five-step path

What you have to do, in order.

The same five gates apply to every framework Secruna covers, including DS 05-138. Start at step one — the rest only make sense once the supplier knows which corporate and contract-relevant systems are actually in scope.

  1. Inventory

     Discover every system, identity, endpoint and supplier relationship inside the corporate enterprise — the Microsoft 365 / Azure side (tenants, identities, MFA state, Conditional Access policies), the endpoint side (encryption status, patch cadence, antivirus posture), the network side (segmentation, remote access, DMARC / SPF / DKIM on email), and the supplier side (third parties handling MoD-relevant data). The first scan almost always surfaces gaps the IT team did not know were there.

  2. Classify

     Confirm the assigned Cyber Risk Profile for each contract — Level 0, 1, 2 or 3 — and map each control family in scope. The same supplier organisation may carry different profile assignments across different contracts; Secruna keeps the per-tenant profile setting and surfaces which controls are required where.

  3. Document

     Generate the DS 05-138 evidence pack per Cyber Risk Profile — control by control, with citation back to Issue 4 Clause 3 / Table 1 control numbers. Secruna pre-fills the pack from the discovered posture so a compliance lead edits a draft, not a blank page, and the contracting authority sees a consistent pack across every supplier-assurance question.

  4. Review

     Maintain the evidence as the supplier’s posture changes — when an MFA policy is updated, when a new endpoint joins the estate, when a subcontractor is added or removed, when a vulnerability scan completes. Secruna keeps the per-control evidence live and flags records that have aged past their review cadence, rather than letting the pack drift between bid cycles.

  5. Audit trail

     Retain the evidence in line with MoD record-retention expectations — every control attestation, every policy review, every supplier flow-down record, every incident exercise note. When the contracting authority or the prime contractor opens a question, the pack is one click away rather than three weeks of email archaeology across the IT, security and bid teams.

Cyber Risk Profiles

Four levels. Pick the wrong one and lose the bid.

Issue 4 organises DS 05-138 into four Cyber Risk Profiles. The prime contracting authority assigns the profile per contract, and the supplier inherits the relevant control set. Each profile is cumulative — Level 1 includes Level 0 and adds new controls; Level 2 includes Level 1; Level 3 is the full set. The four profiles are reproduced below with the practical headline controls each one demands.

Level 0 — Basic

Cyber Essentials only. Reserved for the lowest-risk procurement contexts. The supplier holds a current Cyber Essentials certification and demonstrates UK GDPR compliance on personal data the contract may touch. This is the universal DS 05-138 baseline — every profile sits on top of it.

Level 1 — Foundational

Entry-level MoD work. Adds documented information security governance with a named accountable owner, a cyber security risk register reviewed on cadence, supply-chain attestation and flow-down, full-disk encryption on every endpoint, DMARC + DKIM + SPF email authentication, network segmentation with deny-by-default boundaries, monthly vulnerability scans, annual security awareness training, an incident-handling capability with a lessons-learned process, and an annual penetration test against externally-facing systems.

Level 2 — Advanced

Mid-tier MoD work. Adds Cyber Essentials Plus (independent audit, not just self-assessment), MFA on critical / sensitive systems and on every remote access path, encrypted data-in-transit on every external channel, encrypted and integrity-validated offsite backups tested on a documented cadence, and a documented incident-response plan exercised at least annually. Audit-log retention also lifts to a 12-month minimum with offsite storage and weekly review.

Level 3 — Expert

High-impact MoD work. Adds a documented threat-intelligence capability, 24x7 continuous security monitoring with a SOC-shaped response function, and the full Objective D incident-handling stack at maximum rigour. Reserved for suppliers whose work carries substantial cyber risk to MoD operations — the “defence in depth” methodology applied across every Objective A / B / C / D control family.

Governance

Without a named accountable owner, none of the technical controls count.

The buyer’s question. Who owns the supplier’s information security policy, when was it last reviewed, and where is the documented evidence of the governance forum that signed it off? An MoD assurance reviewer or a prime’s supplier-assurance team will not progress past Objective A unless this answer is concrete.

DS 05-138 reference. Clause 3 / Table 1 control 1100 (Governance) is the keystone of Objective A “Managing security risk”. It applies at Level 1, Level 2 and Level 3 and requires the supplier to hold management policies and processes governing the security of network and information systems and the protection of Data. Control 1102 names the accountable-owner obligation; Clause 2.4 requires that every control referenced in Clause 3 has a documented and implemented control in place with auditable evidence. Controls 1200 / 1202 then layer in the cyber security risk register and the periodic assessment cadence.

What counts as compliant. A documented and Board-endorsed Information Security Policy plus supporting standards / procedures. A named accountable owner — typically a CISO or equivalent — with a defined governance forum (Information Security Steering Group or equivalent) meeting on a documented cadence. An annual policy review at minimum, plus a re-review after any significant cyber security incident. A current cyber security risk register with a periodic re-assessment cadence baked in. All of it surfaced to the evidence pack so an assigned Authority can verify the governance state on demand.

What Secruna ships for governance. A tenant-level cyber posture artefact that records the supplier’s Information Security Policy state, the named accountable owner, the governance forum cadence and the last review date. A pre-filled governance section in the DS 05-138 evidence pack. A re-review reminder fired from the cadence schedule rather than from a spreadsheet someone forgot to maintain.

See this in your dashboard at: /inventory?framework=ds_05_138&control=1100 filtered to governance posture, with the policy review cadence tracked per tenant.

Access control

MFA on every critical system — and on every remote-access path.

The buyer’s question. Where is MFA enforced today, where is it not, and what is the supplier doing about the gap before the next contract bid? Identity is the single most-checked control on supplier-assurance reviews because it is the cheapest control to fail and the most expensive incident to recover from.

DS 05-138 reference. Clause 3 / Table 1 controls 2201 and 2512 require MFA on critical / sensitive systems and on every remote access path at Level 2 and Level 3. Control 2317 layers in full-disk encryption on every endpoint at Level 1+. Controls 2315 and 2509 cover email authentication (DMARC + DKIM + SPF + managed filtering) at Level 1+. Control 2302 requires encrypted data-in-transit on every external channel at Level 2+. Controls 2508 / 2507 layer in network segmentation with deny-by-default boundaries at Level 1+. Together these make up the access-control core of Objective B.

What counts as compliant. MFA enforced on every administrator account, every privileged role, every remote-access entrypoint and every system handling MoD-relevant Data. Full-disk encryption (AES-256 / FIPS) on every laptop, tablet and removable device. DMARC at `p=quarantine` or stronger, plus DKIM and SPF aligned, on every sending domain. TLS 1.2+ on every external channel. Network segmentation enforced with deny-by-default boundaries between corporate, OT, and MoD-relevant segments. All of it evidenced from the connector signal, not just the policy document.
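The DMARC line above is a concrete check a connector can make. As an added example (not Secruna's code), this parses a domain's `_dmarc` TXT record and decides whether it meets `p=quarantine` or stronger, treating a missing or invalid policy, a weaker `sp` subdomain policy, or a `pct` below 100 as a gap; the sample records and domain names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Strength order of the DMARC policy tag; anything below quarantine fails the bar.
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}
REQUIRED_RANK = POLICY_RANK["quarantine"]

@dataclass
class DmarcFinding:
    compliant: bool
    policy: Optional[str]            # value of the p tag, if present and valid
    subdomain_policy: Optional[str]  # effective sp (defaults to p)
    pct: int
    issues: List[str] = field(default_factory=list)

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into tag -> value (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record: Optional[str]) -> DmarcFinding:
    """Return whether the record enforces quarantine-or-stronger on all mail for the domain."""
    if not record:
        return DmarcFinding(False, None, None, 0, ["no _dmarc TXT record published"])
    tags = parse_dmarc(record)
    issues: List[str] = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("record does not declare v=DMARC1")
    policy: Optional[str] = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        issues.append("p tag missing or invalid: receivers treat this as no policy")
        policy = None
    elif POLICY_RANK[policy] < REQUIRED_RANK:
        issues.append(f"p={policy} is weaker than quarantine")
    # sp governs subdomains and defaults to p; an explicit weaker sp re-opens them.
    sp = tags.get("sp", "").lower() or None
    effective_sp = sp if sp in POLICY_RANK else policy
    if effective_sp is None or POLICY_RANK[effective_sp] < REQUIRED_RANK:
        issues.append(f"subdomain policy sp={effective_sp} is weaker than quarantine")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        issues.append("pct tag is not an integer")
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only a sample of failing mail")
    return DmarcFinding(not issues, policy, effective_sp, pct, issues)

# Constructed records for illustration, not taken from any real domain.
SAMPLE_RECORDS = {
    "good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "sampled.example": "v=DMARC1; p=quarantine; pct=25",
    "leaky-subdomains.example": "v=DMARC1; p=reject; sp=none",
}
```

Run `evaluate_dmarc` over each record to get a pass/fail plus the list of reasons, which is the evidence a reviewer wants to see rather than a bare "DMARC: yes".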

What Secruna ships for access control. Read-only connectors against Microsoft 365 / Azure / Google Workspace that report MFA enforcement state per identity, Conditional Access posture, encryption state per endpoint, DMARC / DKIM / SPF state per domain, and segmentation posture across the network estate. A pre-filled access-control section in the DS 05-138 evidence pack. An exception register for the residual identities that cannot be MFA-enrolled, with the compensating controls documented per Issue 4 Clause 2.5.

See this in your dashboard at: /inventory?framework=ds_05_138&objective=B filtered to access-control posture, with per-identity MFA state and per-endpoint encryption state surfaced.

Audit and logging

Twelve months of logs, offsite, reviewed weekly.

The buyer’s question. If an incident landed today, could the supplier reconstruct what happened from log data, and is that log data preserved in a place an MoD assurance reviewer or a prime would accept as tamper-resistant? “We have logs but they roll over after thirty days” is not a compliant answer.

DS 05-138 reference. Clause 3 / Table 1 control 3107 requires audit-log retention of at least 12 months, with offsite storage and a documented weekly review cadence — applies at Level 1+. Control 3102 imposes 24x7 continuous security monitoring with a SOC-shaped response function — applies at Level 3 only. Together these make up the core of Objective C “Detecting cyber security events”.

What counts as compliant. Audit logs retained for at least 12 months, stored offsite or in a tamper-resistant location, with a weekly review by a named role. Log coverage extends across identity events, endpoint events, network events and SaaS / cloud events touching MoD-relevant Data. At Level 3, a 24x7 monitoring capability — in-house SOC, MSSP, or hybrid — with a documented response runbook. Evidence of the weekly review actually happening (not just a calendar invite), and a documented escalation path when something suspicious is found.

What Secruna ships for audit + logging. A connector-level signal pattern that detects whether audit-log forwarding is configured against the major SaaS and cloud platforms, whether retention is set to 12+ months, and whether the weekly review evidence is attached to the tenant. An evidence-pack section that records the answer per control, with the source connector signal cited inline.

See this in your dashboard at: /inventory?framework=ds_05_138&objective=C filtered to audit-and-logging posture, with retention, offsite-storage and review-cadence state per source.

Vulnerability management

Monthly scans, CVSS triage, an annual external pen test.

The buyer’s question. What is the supplier’s patch cadence, where are the unpatched systems, and when was the last independent test against the externally-facing estate? “We patch when we get round to it” is not a compliant answer at Level 1, never mind Level 3.

DS 05-138 reference. Clause 3 / Table 1 controls 2402 and 2405 require monthly vulnerability scans with CVSS v3-prioritised remediation at Level 1+. Control 2403 requires an annual penetration test against externally-facing systems at Level 1+. Cyber Essentials (Level 0+) and Cyber Essentials Plus (Level 2+) bracket the assurance side: self-assessed at Level 0, externally audited at Level 2+. Together these make up the core of Objective B “Protecting against cyber attack” on the proactive-testing side.

What counts as compliant. A monthly vulnerability scan covering the corporate estate, with findings triaged against CVSS v3 and remediated within a documented SLA. An annual penetration test against every externally-facing system, with findings tracked through to closure. Current Cyber Essentials at every profile; current Cyber Essentials Plus at Level 2+. A documented remediation tracker that the contracting authority can audit on request.

What Secruna ships for vulnerability management. Detection of vulnerability scanning posture across cloud connectors (Defender, AWS Inspector, Qualys, Tenable), the last-scan date per asset, and the open finding queue against CVSS thresholds. An evidence-pack section that cites the latest scan date and the remediation SLA per tenant. A reminder schedule that fires when a scan goes overdue or the annual pen test approaches.

See this in your dashboard at: /inventory?framework=ds_05_138&control=2402 with monthly-scan and pen-test cadence state surfaced alongside open findings.

Supply chain

The prime flows it down. You flow it down again.

The buyer’s question. Which subcontractors handle MoD-relevant Data, what Cyber Risk Profile do they sit at, and where is the supplier’s attestation that DS 05-138 has been flowed down to them? The prime contractor will audit the flow-down on every supplier-assurance review.

DS 05-138 reference. Clause 3 / Table 1 controls 1400 and 1401 require supply-chain attestation and DS 05-138 flow-down at Level 1+. The contractual hook is DEFCON 658 plus the Security Aspects Letter (Issue 4 Clause 2.8). The flow-down is unconditional — the prime contracting authority chooses the Cyber Risk Profile, and every tier below inherits the same control set unless an exception is documented and accepted under Clause 2.5.

What counts as compliant. A current register of every subcontractor handling MoD-relevant Data, with each one mapped to its Cyber Risk Profile and its current DS 05-138 attestation status. A documented flow-down clause in every relevant subcontract. Evidence that the supplier has obtained, reviewed and dated the attestation from each subcontractor — not just sent the clause and hoped. A re-review cadence so attestations do not silently expire between bid cycles.

What Secruna ships for supply chain. A supplier-register module that tracks third parties, their Cyber Risk Profile assignment, their attestation status and the next-review date. Reminder logic that fires when an attestation approaches expiry. An evidence-pack section that lists the supply-chain flow-down posture per contract, ready for the prime to audit.

See this in your dashboard at: /inventory?framework=ds_05_138&control=1400 with per-subcontractor attestation status and flow-down clause coverage surfaced.

Incident response

A plan that has been exercised — not just written.

The buyer’s question. If a cyber incident landed inside an MoD-relevant deliverable tomorrow, what is the supplier’s plan, who runs it, when was it last exercised, and what was learned? An incident-response plan that exists only in a Word document is a liability, not a control.

DS 05-138 reference. Clause 3 / Table 1 controls 4101 and 4103 require a documented incident-response plan with an annual exercise cadence at Level 2+. Controls 4104 and 4200 require an incident handling capability with a documented lessons-learned process at Level 1+. Together these make up Objective D “Minimising the impact of cyber security incidents”. Issue 4 also folds incident response into the governance review obligation under Clause 2.4 — every significant incident triggers a policy review upstream.

What counts as compliant. A documented incident-response plan covering identification, containment, eradication, recovery and post-incident review. A named on-call role and a documented escalation path to the Authority. An annual exercise — tabletop is the floor, not the ceiling — with exercise notes and actions tracked through to closure. A lessons-learned process that feeds the governance review. Evidence that the plan has actually been exercised, not just written.

What Secruna ships for incident response. A tenant-level posture artefact that records the IR plan version, the named on-call role, the last exercise date and the open lessons-learned actions. An evidence-pack section that cites the plan, the exercise log and the lessons-learned tracker. A reminder schedule that fires when the annual exercise approaches its due date.

See this in your dashboard at: /inventory?framework=ds_05_138&objective=D with IR plan, exercise cadence and lessons-learned state surfaced per tenant.

See where your firm stands.
In 30 minutes.

A 30-minute scope call gives you a concrete answer for each of the six DS 05-138 control families above — what the assigned Cyber Risk Profile demands today, where your posture already meets it, and what evidence is missing before the next bid gate or supplier-assurance review.

Or call our UK lead — we’re on +44 20 0000 0000. (Placeholder — see TODO at the top of this file; the real number lands once the founder confirms it.)