MOD Secure by Design Assessment

Generate a comprehensive Secure by Design assessment for UK Ministry of Defence projects using continuous risk management and the CAAT framework.

Command

arckit mod-secure <project name>

Arguments

  • project (required): Project or system name with classification (e.g., “Logistics Management System OFFICIAL”)

Examples

arckit mod-secure "Logistics Management System OFFICIAL"
arckit mod-secure "Target Recognition AI OFFICIAL-SENSITIVE"

Context

Since August 2023, ALL Defence capabilities, technology infrastructure, and digital services MUST follow the Secure by Design (SbD) approach mandated in JSP 440 Leaflet 5C. This represents a fundamental shift from legacy RMADS (Risk Management and Accreditation Document Set) to continuous risk management throughout the capability lifecycle.

Key Changes Post-August 2023:
  • Cyber security is a licence to operate - cannot be traded out
  • Supplier-owned continuous assurance (not MOD accreditation)
  • Suppliers must attest that systems are secure (ISN 2023/10)
  • CAAT registration mandatory for all programmes from Discovery/Alpha
  • Senior Responsible Owners are accountable for security posture

7 MOD Secure by Design Principles

  1. Understand and Define Context - Understand capability context, data usage, business outcomes
  2. Apply Security from the Start - Security embedded in design from inception (not bolt-on)
  3. Apply Defence in Depth - Multiple layers of security controls, fail-safe defaults
  4. Follow Secure Design Patterns - Use proven secure architectures, NCSC/NIST guidance
  5. Continuously Manage Risk - Risk assessment is ongoing (not one-time)
  6. Secure the Supply Chain - Third-party components assessed, SBOM maintained
  7. Enable Through-Life Assurance - Security posture maintained post-deployment

NIST Cybersecurity Framework

The assessment uses NIST CSF as mandated by SbD:
  • Identify: Asset inventory, business environment, governance, risk assessment
  • Protect: Access control, data security, protective technology, training
  • Detect: Continuous monitoring, anomaly detection, security testing
  • Respond: Incident response plan, communications to MOD CERT, analysis
  • Recover: Recovery planning, backup/DR/BC, post-incident improvements

Continuous Assurance Process

SbD replaces point-in-time accreditation with continuous assurance:
  1. Register on CAAT (Cyber Activity and Assurance Tracker) in Discovery/Alpha
  2. Appoint Delivery Team Security Lead (DTSL) - owns security for delivery team
  3. Complete CAAT self-assessment - based on 7 SbD Principles, updated continuously
  4. Complete Business Impact Assessment (BIA)
  5. Implement security controls - based on NIST CSF, NCSC guidance, JSP 440
  6. Conduct continuous security testing - vulnerability scanning, pen testing
  7. Maintain continuous risk management - risk register actively maintained
  8. Supplier attestation (for supplier systems) - suppliers attest systems are secure
  9. Security governance reviews - regular reviews by Second Line

Three Lines of Defence

  • First Line: Delivery team owns security (DTSL leads day-to-day management)
  • Second Line: Technical Coherence assurance, security policies, independent reviews
  • Third Line: Independent audit, penetration testing, external audit (NAO, GIAA)

Classification-Specific Requirements

OFFICIAL

  • Cyber Essentials baseline
  • Basic access controls and encryption
  • Standard MOD security policies

OFFICIAL-SENSITIVE

  • Cyber Essentials Plus
  • MFA required
  • Enhanced logging and monitoring
  • DPIA if processing personal data

SECRET

  • Security Cleared (SC) personnel minimum
  • CESG-approved cryptography
  • Air-gapped or assured network connectivity
  • Enhanced physical security
  • CAAT assessment and security governance review before deployment

TOP SECRET

  • Developed Vetting (DV) personnel
  • Compartmented security
  • Strictly controlled access
  • Enhanced OPSEC measures

Output

Generates ARC-{PROJECT_ID}-SECD-MOD-v{VERSION}.md with:
  • Executive summary with overall security posture
  • 7 SbD Principles assessment with compliance status
  • NIST CSF coverage (Identify, Protect, Detect, Respond, Recover)
  • CAAT registration and self-assessment status
  • Three Lines of Defence implementation
  • Supplier attestation status (if vendor-delivered)
  • Classification-specific requirements compliance
  • Critical security issues (deployment blockers)
  • Actionable recommendations with owners and timelines

Prerequisites

MANDATORY (warn if missing):
  • REQ (Requirements) - NFR-SEC (security), data classification
  • PRIN (Architecture Principles) - MOD security standards, approved platforms

RECOMMENDED (read if available):
  • RISK (Risk Register) - Security risks, threat model, MOD-specific threats
  • SECD (UK Gov Secure by Design) - NCSC CAF findings, Cyber Essentials status

Critical Security Issues (Deployment Blockers)

Mark as CRITICAL if:
  • Data classified SECRET or above without appropriate controls
  • No encryption for data at rest or in transit
  • Personnel lacking required security clearances
  • No threat model or risk assessment
  • Critical vulnerabilities unpatched
  • No incident response capability
  • No backup/recovery capability
  • Non-compliance with JSP 440 mandatory controls

Related Commands

  • arckit secure - UK Government Secure by Design (for civilian departments)
  • arckit jsp-936 - MOD AI assurance (for AI/ML systems)
  • arckit tcop - Technology Code of Practice