Skip to main content

MOD Security Compliance

ArcKit provides two commands for UK Ministry of Defence (MOD) security compliance:
  • /arckit.mod-secure - MOD Secure by Design assessment (JSP 440, continuous assurance)
  • /arckit.jsp-936 - JSP 936 AI Assurance Documentation (defence AI systems)

Command: /arckit.mod-secure

What is MOD Secure by Design?

Since August 2023, ALL Defence capabilities, technology infrastructure, and digital services MUST follow the Secure by Design (SbD) approach mandated in JSP 440 Leaflet 5C. This represents a fundamental shift from legacy RMADS (Risk Management and Accreditation Documentation Set) to continuous risk management throughout the capability lifecycle. Cyber security is now a “licence to operate” - cannot be traded out or descoped.

Usage

/arckit.mod-secure "Logistics Management System OFFICIAL"
/arckit.mod-secure 001  # By project ID
Arguments:
  • Project name or ID

Output: ARC-{PROJECT_ID}-SECD-MOD-v1.0.md

Generates a MOD Secure by Design assessment with:
  • 7 MOD Secure by Design Principles assessment
  • NIST Cybersecurity Framework (CSF) assessment (5 functions)
  • Three Lines of Defence evaluation
  • Classification-specific requirements (OFFICIAL → TOP SECRET)
  • CAAT (Cyber Activity and Assurance Tracker) self-assessment
  • Supplier security attestation requirements

Critical Changes (Post-August 2023)

SbD is now mandatory:
  • Cyber security is a licence to operate - cannot be traded out
  • Applies to ALL new programmes and systems
  • Legacy systems transition when accreditation expires (completed by 31 March 2024)
  • Supplier-owned continuous assurance (not MOD accreditation)
  • Suppliers must attest that systems are secure (ISN 2023/10)
  • Senior Responsible Owners (SROs), capability owners, and delivery teams are accountable

The 7 MOD Secure by Design Principles

Principle 1: Understand and Define Context

  • Understand the capability’s overall context
  • How it will use and manage MOD data
  • How it achieves its primary business/operational outcome
Assessment:
  • Context documented (mission, users, data flows)
  • Data classification determined
  • Operational environment understood
  • Stakeholder security requirements captured

Principle 2: Apply Security from the Start

  • Security embedded in design from inception (not bolt-on)
  • Security requirements defined early
  • Security architecture designed before build
Assessment:
  • Security requirements in initial specifications
  • Threat model created in Discovery/Alpha
  • Security architecture reviewed and approved
  • Security expertise involved from start

Principle 3: Apply Defence in Depth

  • Multiple layers of security controls
  • Fail-safe defaults (secure by default)
  • Assume breach (design for compromise)
Assessment:
  • Layered security controls (network, host, application, data)
  • Segmentation and least privilege implemented
  • Monitoring and detection at each layer
  • Containment and recovery capabilities

Principle 4: Follow Secure Design Patterns

  • Use proven secure architectures
  • Leverage NCSC/NIST guidance
  • Avoid known insecure patterns
Assessment:
  • NCSC Secure Design Principles applied
  • NIST CSF controls mapped
  • Common vulnerabilities (OWASP Top 10) mitigated
  • Secure coding standards followed

Principle 5: Continuously Manage Risk

  • Risk assessment is ongoing (not one-time)
  • Risk register maintained through-life
  • Security testing continuous
Assessment:
  • Risk register actively maintained
  • Regular vulnerability scanning and pen testing
  • Security incidents tracked and lessons learned
  • Continuous monitoring and threat intelligence

Principle 6: Secure the Supply Chain

  • Third-party components assessed
  • Vendor security requirements in contracts
  • Software supply chain protected
Assessment:
  • Software Bill of Materials (SBOM) maintained
  • Third-party risk assessments completed
  • Supplier security attestations obtained (ISN 2023/10)
  • Open source software vetted
  • Supply chain attack vectors mitigated

Principle 7: Enable Through-Life Assurance

  • Security posture maintained post-deployment
  • Regular security reviews
  • Capability to respond to new threats
Assessment:
  • Security monitoring operational
  • Incident response capability proven
  • Patching and update process defined
  • Security governance continues through-life
  • Decommissioning process includes secure data deletion

NIST Cybersecurity Framework Assessment

MOD SbD mandates assessment using NIST CSF:

Identify

  • Asset inventory (hardware, software, data, people)
  • Business environment and criticality
  • Governance structure and policies
  • Risk assessment methodology

Protect

  • Access control (authentication, authorisation)
  • Data security (encryption at rest/in transit, DLP)
  • Protective technology (firewalls, AV, IDS/IPS)
  • Security awareness training

Detect

  • Continuous monitoring (SIEM, SOC integration)
  • Anomaly and event detection
  • Security testing (vulnerability scanning, pen testing)
  • Detection processes and procedures

Respond

  • Incident response plan
  • Communications and reporting (to MOD CERT)
  • Analysis and mitigation
  • Improvements from lessons learned

Recover

  • Recovery planning (backup, DR, BC)
  • Improvements (post-incident review)
  • Communications and restoration

Three Lines of Defence

First Line: Delivery team owns security
  • Delivery Team Security Lead (DTSL) appointed
  • Security requirements owned by capability owner
  • Day-to-day security management
Second Line: Assurance and oversight
  • Technical Coherence Assurance
  • Security policies and standards
  • Independent security reviews
Third Line: Independent audit
  • Internal audit of security controls
  • Penetration testing by independent teams
  • External audit (NAO, GIAA)

CAAT (Cyber Activity and Assurance Tracker)

Continuous Assurance Process (replaced RMADS in August 2023):
  1. Register on CAAT
    • Every programme must register in Discovery/Alpha
    • CAAT is the self-assessment tool for cyber security maturity
    • Available through MOD Secure by Design portal (DefenceGateway account required)
  2. Appoint Delivery Team Security Lead (DTSL)
    • DTSL owns security for delivery team (First Line of Defence)
    • May also appoint Security Assurance Coordinator (SAC)
    • Project Security Officer (PSyO) still required for SECRET+ systems
  3. Complete CAAT self-assessment question sets
    • Based on the 7 MOD Secure by Design Principles
    • Assess cyber security maturity throughout lifecycle
    • Regular updates required (not one-time submission)
  4. Complete Business Impact Assessment (BIA)
    • Understand criticality and impact of compromise
    • Informs risk assessment and security controls
  5. Implement security controls
    • Based on NIST CSF, NCSC guidance, JSP 440 requirements
    • Defence in depth approach
    • Continuous improvement throughout lifecycle
  6. Conduct continuous security testing
    • Vulnerability scanning (regular, automated)
    • Penetration testing (at key milestones)
    • Security audits by Third Line of Defence
  7. Maintain continuous risk management
    • Risk register actively maintained
    • Threats and vulnerabilities continuously monitored
    • Security incidents tracked and lessons learned applied
  8. Supplier attestation (for systems delivered by suppliers)
    • Suppliers must attest that systems are secure (ISN 2023/10)
    • Supplier-owned continuous assurance (not MOD accreditation)
    • Supplier security requirements in contracts
  9. Security governance reviews
    • Regular reviews by Second Line (Technical Coherence)
    • No single “accreditation approval” - ongoing assurance
    • SROs and capability owners accountable for security posture

Classification-Specific Requirements

OFFICIAL

  • Cyber Essentials baseline
  • Basic access controls and encryption
  • Standard MOD security policies

OFFICIAL-SENSITIVE

  • Cyber Essentials Plus
  • MFA required
  • Enhanced logging and monitoring
  • DPIA if processing personal data

SECRET

  • Security Cleared (SC) personnel minimum
  • CESG-approved cryptography
  • Air-gapped or assured network connectivity
  • Enhanced physical security
  • CAAT assessment and security governance review before deployment

TOP SECRET

  • Developed Vetting (DV) personnel
  • Compartmented security
  • Strictly controlled access
  • Enhanced OPSEC measures

Report Contents

The MOD Secure by Design assessment includes:
  1. Executive Summary
    • Overall security posture
    • 7 principles compliance score
    • NIST CSF maturity
    • Critical issues
    • CAAT self-assessment status
  2. 7 MOD SbD Principles Assessment
    • Each principle assessed: ✅/⚠️/❌
    • Evidence gathered
    • Gaps identified
    • Recommendations
  3. NIST CSF Assessment
    • 5 functions assessed
    • Maturity level for each function
    • Gaps and recommendations
  4. Three Lines of Defence
    • First Line: DTSL appointed, security owned
    • Second Line: Assurance activities
    • Third Line: Independent audit status
  5. Classification Requirements
    • Data classification determined
    • Classification-specific controls assessed
    • Personnel security clearances verified
  6. CAAT Self-Assessment
    • Registration status
    • Question sets completed
    • Maturity level
    • Actions required
  7. Supplier Security Attestation
    • Supplier attestations obtained (ISN 2023/10)
    • Supplier security requirements in contracts
    • Third-party risk assessments completed
  8. Action Plan
    • Critical priority (0-30 days) - deployment blockers
    • High priority (1-3 months) - significant risk reduction
    • Medium priority (3-6 months) - continuous improvement

Key MOD Standards

  • JSP 440: Defence Manual of Security (primary security policy)
  • JSP 440 Leaflet 5C: Secure by Design mandate (August 2023)
  • JSP 453: Digital Policies and Standards for Defence
  • ISN 2023/09: Industry Security Notice - Secure by Design Requirements
  • ISN 2023/10: Industry Security Notice - Supplier attestation and legacy accreditation withdrawal
  • IAMM: Information Assurance Maturity Model (8 domains, 0-5 scale)

Resources

Command: /arckit.jsp-936

What is JSP 936?

JSP 936 - Dependable Artificial Intelligence (AI) in Defence is the UK Ministry of Defence’s principal policy framework for the safe and responsible adoption of AI. Published November 2024.

Usage

/arckit.jsp-936 "Target Recognition AI OFFICIAL-SENSITIVE"
/arckit.jsp-936 001  # By project ID
Arguments:
  • System name or project ID

Output: ARC-{PROJECT_ID}-J936-v1.0.md

Generates comprehensive JSP 936 AI assurance documentation.

JSP 936 Framework

5 Ethical Principles:
  • Human-Centricity
  • Responsibility
  • Understanding
  • Bias & Harm Mitigation
  • Reliability
5 Risk Classification Levels:
  • Critical (20-25 points)
  • Severe (15-19 points)
  • Major (10-14 points)
  • Moderate (5-9 points)
  • Minor (1-4 points)
8 AI Lifecycle Phases:
  • Planning
  • Requirements
  • Architecture
  • Algorithm Design
  • Model Development
  • Verification & Validation
  • Integration & Use
  • Quality Assurance
Approval Pathways:
  • Critical/Severe: Ministerial (2PUS) approval
  • Major: Defence-Level (JROC/IAC) approval
  • Moderate/Minor: TLB-Level (delegated) approval

AI Ethical Risk Classification

Risk Score = Likelihood × Impact (1-5 scale each) Impact Assessment (consider impact on):
  • Human safety and wellbeing
  • Operational effectiveness
  • Legal and ethical compliance
  • Public trust and reputation
  • International obligations
Likelihood Assessment (consider):
  • Technology maturity (TRL)
  • Data quality and availability
  • Algorithm complexity
  • Operational environment
  • Human factors and training

The 5 Ethical Principles (Detailed)

Principle 1: Human-Centricity

  • Assess and consider impact on humans
  • Ensure positive effects outweigh negatives
  • Human-AI interaction design
  • Stakeholder engagement
  • Cognitive load considerations
  • Trust calibration

Principle 2: Responsibility

  • Ensure meaningful human control
  • Clear accountability
  • Human-in-loop/on-loop/out-of-loop decision framework
  • Decision authority matrix
  • Incident response ownership

Principle 3: Understanding

  • Relevant personnel understand how AI functions
  • Explainability requirements (SHAP, LIME, Grad-CAM)
  • Training programme (AI literacy, system-specific)
  • Documentation (model cards, operating procedures)
  • Performance boundaries documented

Principle 4: Bias and Harm Mitigation

  • Proactively identify and reduce unintended biases
  • Training data representativeness
  • Performance disparities across groups
  • Fairness metrics
  • Harm identification (direct, indirect, systemic)
  • Mitigation strategies

Principle 5: Reliability

  • Demonstrate robust, secure performance
  • Performance bounds defined (design domain)
  • Robustness testing (adversarial resilience)
  • Failure modes and effects analysis (FMEA)
  • Security (AI-specific threats: adversarial examples, data poisoning, model theft)

The 8 AI Lifecycle Phases (Detailed)

For each phase, the command generates:

Phase 1: Planning

  • AI use case justification
  • Algorithm development roadmap
  • Data strategy
  • Resource plan
  • Stakeholder map
  • Initial ethical risk assessment
  • Governance structure (RAISO, Ethics Manager)

Phase 2: Requirements

  • Functional requirements
  • Non-functional requirements (performance, safety, security)
  • Ethical requirements (derived from 5 principles)
  • Safety requirements (from hazard analysis)
  • Security requirements (AI-specific threats)
  • Acceptance criteria
  • Hazard analysis (HAZOP, FMEA)

Phase 3: Architecture

  • System architecture
  • AI pipeline architecture (data → preprocessing → model → postprocessing)
  • Deployment architecture
  • Traceability matrix (requirements → components)
  • Failure modes and graceful degradation
  • Security architecture (threat model)
  • Human-AI interface design

Phase 4: Algorithm Design

  • Algorithm selection and justification
  • Design decisions (architecture, hyperparameters, trade-offs)
  • Verification methods
  • Output verification (sanity checks)
  • Edge case handling
  • Explainability design

Phase 5: Model Development

  • Training data (sources, size, characteristics, provenance)
  • Training process (procedure, hyperparameters)
  • Model card (performance, limitations, intended use)
  • Performance evaluation (metrics on train/val/test sets)
  • Bias analysis (performance across subgroups)
  • Uncertainty calibration
  • Reuse considerations

Phase 6: Verification & Validation (V&V)

  • Test plan
  • Verification testing (does it meet specs?)
  • Validation testing (does it meet user needs?)
  • Edge case testing
  • Adversarial testing
  • User acceptance testing
  • V&V report (results, pass/fail, issues)

Phase 7: Integration & Use

  • Integration testing
  • Operational acceptance testing
  • Deployment procedures
  • Operational documentation
  • User training delivered
  • Monitoring and alerting setup
  • Incident response procedures

Phase 8: Quality Assurance

  • Continuous monitoring
  • Performance tracking
  • Model drift detection
  • Retraining schedule
  • Audit trail
  • Continuous improvement

Governance Structure

RAISOs (Responsible AI Senior Officers):
  • TLB-level appointed
  • Quarterly review of AI portfolio
  • Accountability for AI systems in TLB
Ethics Manager:
  • Embedded in project team
  • Day-to-day ethics oversight
  • Escalates issues to RAISO
Independent Assurance:
  • Annual review by external ethics board
  • Technical assurance by Defence Science & Technology Laboratory (Dstl)

Report Contents

The JSP 936 AI assurance documentation includes:
  1. Executive Summary
    • AI components identified
    • Ethical risk classification (Critical → Minor)
    • Approval pathway required
    • Overall compliance with 5 principles
    • Go/No-Go decision
  2. AI Component Discovery
    • All AI/ML systems identified and documented
    • Purpose, input, output, human involvement
    • Training data, model type, deployment context
  3. Ethical Risk Classification
    • Likelihood × Impact assessment
    • Risk score and classification
    • Approval pathway determination
    • Unacceptable risk criteria check
  4. 5 Ethical Principles Assessment
    • Each principle assessed in detail
    • Evidence gathered
    • Gaps identified
    • Recommendations
  5. 8 Lifecycle Phases Documentation
    • Each phase comprehensively documented
    • Assurance activities completed
    • Traceability maintained
    • Phase gate readiness
  6. Governance and Oversight
    • RAISO appointed and engaged
    • Ethics Manager assigned
    • Independent assurance plan
    • Approval pathway documented
  7. Action Plan
    • Critical actions (0-30 days)
    • High priority (1-3 months)
    • Continuous improvement (3-6 months)

Integration with Other MOD Commands

  • /arckit.mod-secure - MOD security requirements feed into JSP 936 Principle 5 (Reliability, security section)
  • /arckit.ai-playbook - Civilian AI Playbook overlaps with JSP 936 ethical principles
  • /arckit.atrs - ATRS publication for MOD AI systems (if not classified SECRET+)

Resources

Example Use Cases

New defence AI system: 
/arckit.jsp-936 "Autonomous Target Recognition System"  # Comprehensive lifecycle documentation
Annual review: 
/arckit.jsp-936 001  # Update documentation, re-assess risks, continuous improvement
Ethics board preparation: 
/arckit.jsp-936 001  # Generate evidence pack for independent ethics review

Build docs developers (and LLMs) love

Get started for freeTalk to us