Data Systems & Solutions, LLC
Guidance for Suppliers on Rolls-Royce Cyber Security Standards
Pages
2
Time to read
4 mins
Publication
Language
English
This document is a guide for suppliers working with Rolls-Royce on UK Ministry of Defence (MOD) contracts, outlining the necessary compliance with the Rolls-Royce Supplier Minimum Cyber Security Standard. The guide details the MOD Cyber Security Model (CSM), which emphasizes a risk-based approach to safeguarding MOD information within the supply chain. Suppliers must adhere to specific requirements, including compliance with Defence Condition 658 (DEFCON 658) and Defence Standard 05-138 (DefStan 05-138), which govern the protection of MOD Identifiable Information (MODII). The document also describes the Supplier Assurance Questionnaire (SAQ) process, which assesses compliance with DefStan 05-138. Additional obligations include completing a Security Aspects Letter (SAL) response for OFFICIAL-SENSITIVE information and ensuring subcontractors also meet these standards. The guide specifies that compliance is mandatory before receiving purchase orders and outlines the procedures for reporting cyber security incidents to Rolls-Royce and MOD authorities.