Cyber Essentials for Government Contracts and MOD Supply Chain

Since October 2014, all suppliers bidding for UK government contracts involving sensitive information must hold a valid Cyber Essentials certificate. MOD supply chain contracts have additional requirements. This guide explains what is needed and how to achieve it.

Overview

Cyber Essentials is mandatory for UK government contracts involving sensitive data, required since October 2014. MOD supply chain contracts require Cyber Essentials Plus. Certification is annual and covers five technical controls. 48% of certified organisations report their own suppliers are increasingly required to hold certification.

Why Government Contracts Require Cyber Essentials

The UK government introduced the Cyber Essentials requirement in October 2014 following guidance from the NCSC (then CESG) that a small set of basic technical controls, if implemented correctly, would protect against the vast majority of common cyber attacks. The government mandated this for its own supply chain as both a security measure and to drive adoption of baseline security practices across UK businesses.

The requirement applies to all central government contracts involving the handling of personal information or sensitive data. This includes contracts with HMRC, DVLA, NHS, MOD, and other government departments. Local government contracts often, but not always, carry the same requirement — the contract tender documents will specify if Cyber Essentials is required.

Standard Cyber Essentials vs Cyber Essentials Plus

Cyber Essentials (standard) is a self-assessed questionnaire conducted online through an IASME-accredited assessor. You answer questions about your technical controls, and your answers are reviewed by a qualified assessor. If your answers demonstrate the five controls are in place, you receive the certification. The entire process typically takes one to three days for businesses that are already prepared.

Cyber Essentials Plus involves the same five controls but requires independent technical verification. An assessor visits (or connects remotely) to your systems and tests whether the controls are actually implemented — not just described in a questionnaire. This includes vulnerability scanning of internet-facing systems, testing of endpoint security, and verification of patch compliance. CE+ takes longer and costs more, but provides a higher level of assurance.

MOD supply chain contracts under DEFCON 658 specifically require Cyber Essentials Plus. Many other high-value or sensitive government contracts are beginning to specify CE+ rather than standard CE as the minimum requirement.

The Five Cyber Essentials Controls

The five controls required for Cyber Essentials certification are: boundary firewalls and internet gateways (controlling inbound and outbound network traffic); secure configuration (removing unnecessary software and changing default credentials on all devices); access control (limiting user permissions to the minimum required, and protecting admin accounts); malware protection (running up-to-date endpoint security on all devices); and patch management (applying security patches within 14 days of release for all software and operating systems).

These five controls are deliberately chosen to address the attack vectors used in the vast majority of common cyber attacks — roughly 80% of successful attacks, according to NCSC data. They are achievable for SMEs without specialist security knowledge and without significant investment.

Common Reasons for Failing CE Assessment

The most common reasons UK businesses fail Cyber Essentials assessment include: unpatched software (particularly third-party applications like browsers and Java that are not covered by Windows Update); unsupported operating systems (Windows 7, Server 2012, or other end-of-life software); weak admin account controls (shared admin accounts, or admin accounts used for day-to-day tasks); firewall rules that allow unnecessary inbound access; and overly permissive user permissions. AMVIA conducts a pre-assessment audit to identify and remediate these issues before the formal CE assessment.
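A pre-assessment readiness check built around the five controls and the failure reasons listed above, added here as an illustration (it is not AMVIA's tooling). It runs over a constructed device inventory and flags the items an assessor looks for: patches outstanding beyond the 14-day window, end-of-life operating systems, admin accounts used for everyday work, and inbound firewall rules that need a documented business reason. The end-of-life list and the device records are assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import date

PATCH_WINDOW_DAYS = 14  # Cyber Essentials: security patches applied within 14 days of release
# Assumed end-of-life list for this example; confirm against the vendor's lifecycle pages.
UNSUPPORTED_OS = {"Windows 7", "Windows Server 2012", "Windows Server 2012 R2"}


@dataclass
class Device:
    name: str
    os: str
    # software name -> release date of the oldest security patch still not applied
    pending_patches: dict = field(default_factory=dict)
    admin_used_daily: bool = False  # admin account also used for email/browsing
    inbound_allowed: list = field(default_factory=list)  # boundary firewall inbound rules (ports)


def check_device(dev: Device, today: date) -> list:
    """Return CE pre-assessment findings for one device (empty list = nothing flagged)."""
    findings = []
    if dev.os in UNSUPPORTED_OS:
        findings.append(f"unsupported OS: {dev.os}")
    for sw, released in dev.pending_patches.items():
        age = (today - released).days
        if age > PATCH_WINDOW_DAYS:
            findings.append(f"{sw}: security patch outstanding {age} days (limit {PATCH_WINDOW_DAYS})")
    if dev.admin_used_daily:
        findings.append("admin account used for day-to-day tasks; use a separate standard account")
    for port in dev.inbound_allowed:
        findings.append(f"inbound rule for port {port}: document the business need or remove it")
    return findings


def readiness_report(devices, today: date) -> dict:
    """Map each device name to its findings; a device with [] passes these checks."""
    return {d.name: check_device(d, today) for d in devices}


# Constructed sample inventory (not real systems).
SAMPLE_DEVICES = [
    Device("LAPTOP-01", "Windows 11",
           pending_patches={"Chrome": date(2024, 5, 1), "Java": date(2024, 3, 10)}),
    Device("FS-01", "Windows Server 2012", admin_used_daily=True, inbound_allowed=[3389]),
]

if __name__ == "__main__":
    for name, issues in readiness_report(SAMPLE_DEVICES, date(2024, 5, 10)).items():
        print(f"{name}: {'OK' if not issues else ''}")
        for issue in issues:
            print("  -", issue)
```

The browser patch released nine days ago is within the window and is not flagged; the Java patch is 61 days old and is, which matches the third-party-software failure mode the assessment most often catches.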

Key Considerations for UK SMEs

  • Check contract tender documents carefully — the specific CE variant required (standard or Plus) will be stated
  • Allow sufficient time — AMVIA recommends starting the CE process at least six weeks before any contract deadline
  • Annual renewal is not automatic — plan for the renewal assessment before your current certificate expires
  • Certification scope matters — all devices and software in scope for the contract must be covered by the certificate
  • Cloud services are in scope — if staff use cloud applications (Microsoft 365, CRM), the configuration of those services must also meet CE requirements

How AMVIA Can Help

AMVIA is an IASME-accredited Cyber Essentials certification body. We conduct the pre-assessment audit, remediate any gaps, and manage the certification process — both standard CE and CE Plus. For businesses in the MOD supply chain or tendering for high-value government contracts that require CE+, AMVIA's managed cybersecurity service maintains CE+ compliance on an ongoing basis, making annual renewal straightforward. Contact AMVIA on 0333 733 8050 to discuss your certification timeline and requirements.

Key Points

What suppliers need to know about Cyber Essentials for government contracts.

Mandatory Since 2014

All central government contracts involving personal information or sensitive data require Cyber Essentials certification as a condition of bidding.

MOD Requires CE Plus

Ministry of Defence supply chain contracts under DEFCON 658 require Cyber Essentials Plus — the independently verified version.

Annual Renewal Required

Cyber Essentials certificates are valid for 12 months. Allowing certification to lapse can result in disqualification from contract renewals.

Supply Chain Pressure Growing

48% of Cyber Essentials-certified organisations report suppliers are increasingly required to hold certification — creating a cascade through supply chains.

Cyber Essentials Contract Readiness Checklist

  • Confirm whether the contract requires CE or CE Plus — check the tender documents
  • All software and operating systems patched within 14 days of release
  • Admin accounts separate from day-to-day user accounts
  • MFA enforced on all cloud accounts, including Microsoft 365
  • Endpoint protection active and up to date on all in-scope devices
  • Annual renewal date tracked — lapsed certification disqualifies you from contract bids

Get Cyber Essentials Certified

AMVIA manages the full Cyber Essentials certification process — from gap assessment through to certification. Talk to our team about your contract requirements and timeline.