To ask the Secretary of State for Defence, what arrangements his Department has put in place for auditing the cyber security capability of defence contractors; and if he will make a statement.
Defence takes the cyber security of its suppliers extremely seriously, which is why we work with a wide range of Defence contractors in the Defence Cyber Protection Partnership (DCPP). The DCPP is a collaboration between government and industry and it has developed a cyber security framework which is applied in all Defence procurements. The model requires the supplier to have in place cyber security controls which are proportionate to the cyber risk to the information they handle. These controls address security governance, culture, personnel and asset security as well as technical requirements and incident management, and our suppliers are accountable for flowing the requirements down through their supply chains. In addition, for activities where the routine handling of material classified as secret or above takes place, the granting and maintenance of List X status, which confirms that contractors conform to a defined set of controls, provides assurance of their security.