
UK DEF STAN 05-138 — Cyber Security for Defence Systems

SmartSuite provides the system for managing controls, evidence, mappings, assessments, and reporting.
Framework text may require a separate license unless explicitly provided.

Overview

UK DEF STAN 05-138 is the UK Ministry of Defence Cyber Security Standard establishing cybersecurity requirements for defence suppliers to protect Sensitive Information and handle it appropriately within the UK defence supply chain.

Why it Matters

  • Meet UK MoD supplier requirements

Comply with mandatory cybersecurity requirements for organisations handling UK MoD Sensitive Information.

  • Protect defence supply chain

Implement security controls protecting sensitive defence information from unauthorised access throughout the supply chain.

  • Enable defence contract eligibility

Demonstrate DEF STAN 05-138 compliance required for UK MoD contracts involving Sensitive Information.

  • Align with UK NCSC guidance

Implement security controls consistent with UK National Cyber Security Centre principles and Cyber Essentials requirements.

How it Works

DEF STAN 05-138 establishes tiered security requirements based on information sensitivity. Suppliers must implement appropriate controls, obtain Cyber Essentials certification at minimum, and demonstrate compliance through self-assessment or third-party assessment depending on the contract tier.

Key Elements

  • Tiered Security Requirements

Defines security tiers based on sensitivity of MoD information handled by the supplier.

  • Cyber Essentials Baseline

Requires Cyber Essentials or Cyber Essentials Plus certification as the foundation of compliance.

  • Supply Chain Requirements

Extends security obligations to sub-contractors handling MoD Sensitive Information.

Framework Scope

DEF STAN 05-138 applies to UK MoD prime contractors, sub-contractors, and any organisation handling Sensitive Information in connection with MoD contracts.

Framework Objectives

  • Protect UK MoD Sensitive Information in the defence supply chain
  • Meet mandatory cybersecurity requirements for MoD contract eligibility
  • Implement consistent security controls through the defence supply chain
  • Align defence supplier security with UK NCSC and Cyber Essentials standards

At a Glance

DEF STAN 05-138

  • Classification
    Category: Cybersecurity
    Domain: Cybersecurity
    Framework Family: Other

  • Regulatory Context
    Type: Standard
    Legal Instrument: Standard
    Sector: Defense Sector
    Industry: Aerospace & Defense

  • Region / Publisher
    Region: Europe
    Region Detail: United Kingdom
    Publisher: Ministry of Defence (United Kingdom)

  • Versioning
    Version: Issue 4
    Effective Date: 17 October 2017
    Issue Date: 17 October 2017

  • Adoption
    Adoption Model: Regulatory Compliance
    Implementation Complexity: Very High

  • Official Reference

License Information

License included / downloadable: Yes

DEF STAN 05-138 is published by the UK Ministry of Defence and is publicly available via official UK Defence Standards publications on gov.uk.

License included with platform.

Official Resources

  • DEF STAN 05-138 - Cyber Security for Defence Systems
    Official document detailing cyber security requirements for UK defense systems.

  • UK Ministry of Defence Cyber Security Guidance
    Provides implementation guidance for organisations applying DEF STAN 05-138 standards.

  • UK Cyber Assessment Framework
    Outlines a comprehensive approach to cyber risk management in line with DEF STAN 05-138.

  • UK Cyber Risk Management Framework
    Describes the risk management strategies to support DEF STAN 05-138 compliance.

SMARTSUITE

How SmartSuite Supports DEF STAN 05-138

Manage UK DEF STAN 05-138 defence cybersecurity requirements by organizing security controls, tracking system assurance activities, and maintaining evidence supporting compliance across defence systems and suppliers.

Defence Security Control Framework

Structure DEF STAN 05-138 controls with ownership, scope, and implementation tracking across programmes.

Defence Risk Assessment and Assurance

Link cybersecurity risks to defence systems and manage assurance activities throughout the lifecycle.

Governance, Policy, and Secure Design Oversight

Centralize security policies, design controls, and governance aligned to defence requirements.

Supplier and Secure Development Tracking

Track supplier requirements, component assurance, and secure development practices.

Incident Response and Security Operations

Manage detection, response workflows, and incident documentation across defence environments.

Control Coverage and Audit Readiness Reporting

Provide dashboards showing control coverage, system assurance status, and audit readiness.

Related frameworks

  • CIS Controls v8.1
    CIS Controls v8.1 provides prioritized, practical security actions to help organizations mitigate common cyber threats and strengthen defenses.

  • ISO 27001:2022
    ISO/IEC 27001:2022 is an international ISMS standard that helps organizations manage information security risks and protect data.

  • ISO 27002:2022
    ISO/IEC 27002:2022 provides best-practice information security controls to help organizations select, implement, and manage protections for information assets.

  • ISO 27017
    ISO/IEC 27017 provides cloud-specific security controls to help organizations protect data and manage cloud-related risks.

  • ISO 27018
    ISO/IEC 27018 provides guidelines for protecting personally identifiable information processed in public cloud services.

  • NIST CSF 2.0
    NIST Cybersecurity Framework (CSF) v2.0 is a risk-based framework that helps organizations manage and reduce cybersecurity risks.

  • NIST 800-53 Rev.5
    NIST SP 800-53 Rev. 5 provides a catalog of security and privacy controls to manage risks to information systems.

ONBOARDING FAQS

Frequently Asked Questions For UK DEF STAN 05-138 (Cyber Security for Defence Systems)

What is UK DEF STAN 05-138 used for?

UK DEF STAN 05-138 establishes minimum cyber security requirements for defence systems procured by the UK Ministry of Defence (MOD). It is used to ensure that suppliers address cyber risks throughout the lifecycle of MOD systems, from concept through disposal. The standard focuses on protecting sensitive information and maintaining operational capability.

Is compliance with UK DEF STAN 05-138 mandatory?

Yes, UK DEF STAN 05-138 is mandatory for all relevant MOD contracts involving defence systems and equipment. Suppliers must demonstrate compliance as part of the procurement process, and ongoing adherence is regularly monitored by MOD accreditation authorities.

What is the scope of UK DEF STAN 05-138?

The scope of UK DEF STAN 05-138 covers all defence systems, including ICT, operational technology, and components that process, store, or transmit MOD information. It applies to both new projects and modifications to existing systems, regardless of whether systems are developed in-house or sourced from third parties.

What key cybersecurity requirements does UK DEF STAN 05-138 specify?

The standard requires suppliers to perform cyber risk assessments, implement technical and procedural controls, manage supply chain security, and produce key artifacts such as Cyber Security Management Plans (CSMPs) and Security Cases. Emphasis is placed on demonstrating proactive risk management and documenting compliance throughout system development.

How is UK DEF STAN 05-138 implemented in defence projects?

Implementation begins with a cyber risk assessment to identify threats and vulnerabilities. Organizations must then develop a CSMP outlining mitigation strategies, apply technical controls, ensure secure system design, and provide traceable evidence throughout the system lifecycle. Regular reviews and updates are required as threats and system scopes evolve.

How does UK DEF STAN 05-138 relate to other cybersecurity frameworks?

UK DEF STAN 05-138 aligns with MOD and wider UK Government policies, and is often used alongside standards such as ISO 27001 and NIST SP 800-53. However, it specifies requirements tailored for MOD operational environments and the unique nature of defence systems, providing more detailed guidance than some general-purpose frameworks.

What are the ongoing compliance requirements for UK DEF STAN 05-138?

Organizations must regularly review cyber risks, update security documentation, and conduct periodic audits to verify control effectiveness. Continual improvement processes should be in place to address new vulnerabilities, and any significant changes to systems require reassessment against the standard’s requirements.

How would SmartSuite support UK DEF STAN 05-138?

SmartSuite can help organizations manage UK DEF STAN 05-138 compliance by enabling risk tracking, managing cyber controls, and automating evidence collection for audits. The platform facilitates documentation of key artifacts such as CSMPs, supports workflow automation for compliance tasks, and provides robust reporting to demonstrate MOD audit readiness and ongoing compliance.

NEXT STEP

Put CRI Profile into action with SmartSuite

Map controls, collect evidence, run assessments, manage remediation, and report readiness - all from a single connected system.

Explore in SmartSuite

View all Frameworks