
CSM v4 Explained: The MOD Cyber Security Model and What It Means for Your DCC Certification

Fig platform natural-language query exploring CSM v4 control evidence across the in-scope estate

Defence Cyber Certification is the assessment scheme. The Cyber Security Model (CSM) is the specification that DCC assesses against. They are two different things, and understanding the distinction matters if you are preparing for certification.

The current version is CSM v4, published in December 2025. It is the authoritative source for what an MOD supplier is actually required to implement at each DCC level. If you are preparing for DCC and you have not read CSM v4, you are working from secondary sources - including this guide, which is designed to orient you to the primary document, not to replace it.

This article explains what CSM v4 is, how it relates to DCC and to DEFSTAN 05-138, how its control families are organised, what changed from CSM v3, and what practical steps a supplier should take to use CSM v4 effectively during assessment preparation.

For the broader scheme context, see the DCC explainer and DCC levels guide.

What CSM v4 is

CSM v4 is a control specification document. It lists the specific cybersecurity controls an MOD supplier must implement, organised by control family, mapped to the four Cyber Risk Profile tiers (Very Low, Low, Moderate, High), which in turn correspond to DCC Levels 0, 1, 2, and 3.

In its structure, CSM v4 is similar to other control frameworks you may have seen:

  • NIST Cybersecurity Framework
  • ISO/IEC 27001 Annex A controls
  • NCSC Cyber Assessment Framework (CAF)
  • CIS Critical Security Controls

The difference is that CSM v4 is defence-specific. It includes controls relating to supply chain vetting, classification markings, MOD network integration, and incident reporting routes that are not present in civilian frameworks. It also explicitly maps each control to a DCC level, so a supplier can read CSM v4 and see exactly which controls apply to their contract.

How CSM v4 relates to DEFSTAN 05-138

DEFSTAN 05-138 is the MOD defence standard that sets out the cybersecurity requirements. CSM v4 is the operational model that implements those requirements. Think of DEFSTAN 05-138 as the "what" and CSM v4 as the "how".

Practically, CSM v4 is what you actually read during certification preparation. DEFSTAN 05-138 is referenced by CSM v4 where relevant but is a more formal policy-level document that most suppliers do not need to engage with directly. The IASME-licensed assessor assesses against CSM v4; the assessor's findings are framed in CSM v4 language.

The four levels in CSM v4 structure

CSM v4 defines four tiers of control requirement:

  • Level 0 applies to Very Low CRP contracts. This is the baseline tier, tightly aligned with Cyber Essentials plus defence-specific governance.
  • Level 1 applies to Low CRP contracts. It adds formal ISMS requirements, deeper access control, and supply chain assurance.
  • Level 2 applies to Moderate CRP contracts. It requires Cyber Essentials Plus as the baseline and adds operational security, continuous monitoring, and multi-tier supply chain assurance.
  • Level 3 applies to High CRP contracts. It requires demonstrable operational maturity, active threat intelligence, and on-site verification.

At each level, CSM v4 specifies controls across around a dozen control families (the exact number varies by version). Each control has an identifier, a description, the level(s) at which it applies, and typically a reference to the underlying DEFSTAN 05-138 requirement.

Control families in CSM v4

CSM v4's control families cover the standard cybersecurity domains plus defence-specific additions. The main families:

  • Governance and risk management. ISMS scope, risk assessment, leadership accountability.
  • Asset management. Information and system asset inventory, classification, lifecycle management.
  • Access management. Authentication, authorisation, privileged access, session management.
  • Network security. Boundary protection, segmentation, monitoring.
  • System hardening. Secure configuration, baseline standards, change management.
  • Endpoint protection. Anti-malware, device management, EDR.
  • Update management. Patch management, vulnerability management, end-of-life handling.
  • Data protection. Classification, encryption at rest and in transit, data lifecycle.
  • Supply chain security. Supplier due diligence, flow-down requirements, tiered supplier assurance.
  • Staff security. Vetting, training, joiner-mover-leaver processes.
  • Physical security. Site access, visitor management, secure disposal.
  • Incident management. Detection, response, recovery, MOD notification.
  • Business continuity. BIA, BCP, recovery planning, testing.

L0 requires a subset of these controls; L1 adds more; L2 adds most of the remainder; L3 requires the full set, with maturity expectations attached to each.

What changed from CSM v3 to CSM v4

CSM v3 was the baseline through most of 2024 and early 2025. CSM v4 (December 2025) introduced several material changes:

  1. Tighter MFA enforcement. v4 explicitly requires MFA enforcement on cloud services and privileged accounts. v3 treated MFA as "strongly encouraged" in several places; v4 makes it mandatory at L1 and above.
  2. Patch SLA codification. v4 formalises the 14-day critical patch SLA across all in-scope systems. v3 referenced it via CE but was less explicit.
  3. Supply chain tier requirements. v4 introduces explicit tier-one subcontractor assurance at L1 and multi-tier at L2/L3. v3's supply chain requirements were lighter.
  4. Cloud configuration baselines. v4 requires cloud workloads to be assessed against a named configuration baseline (CIS or equivalent). v3 was silent on this.
  5. Logging retention standards. v4 defines minimum log retention periods - 90 days for internet-facing services at L0, 12 months for privileged session logs at L1. v3 left this to supplier judgement.

If your organisation prepared against CSM v3 and has not re-reviewed under v4, the gap analysis should include these five areas specifically.

How to use CSM v4 during preparation

A practical workflow for using CSM v4 during DCC preparation:

  1. Obtain the current CSM v4 document through the IASME portal or your Certification Body.
  2. Identify your target level based on contract CRP (see DCC levels explained).
  3. Read every control marked for your level. Write "In place / partial / not in place" against each, with the evidence location.
  4. Work through partials and gaps in the weeks before formal submission.
  5. Use CSM v4 language in your evidence. Where your Information Security Policy references a CSM v4 control, cite the control ID. Assessors appreciate the traceability.
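The register in step 3 can be kept as a small script rather than a spreadsheet, so that the "In place / partial / not in place" status is derived from the same machine evidence (patch state, access-control state, log configuration) an assessor will ask for. The Python below is an added example, not code from Fig Group or from the CSM v4 document: the control IDs of the form "CSM-xx-nn" are placeholders rather than real CSM v4 identifiers, the evidence snapshot is constructed, and only the requirement values that appear above (MFA on privileged accounts, the 14-day critical patch SLA, 90-day and 12-month log retention) are taken from this page.

```python
"""Minimal DCC gap-analysis register driven by machine evidence.

Added example; not Fig Group's platform code and not the CSM v4 text.
Control IDs are hypothetical placeholders. Level numbers 0..3 correspond
to DCC L0..L3 (Very Low .. High CRP).
"""
from dataclasses import dataclass
from datetime import date


@dataclass
class Control:
    cid: str        # placeholder identifier, not a real CSM v4 control ID
    family: str
    title: str
    min_level: int  # lowest DCC level at which the control applies


# Hypothetical register entries, one per requirement discussed in the article.
CONTROLS = [
    Control("CSM-AM-01", "Access management", "MFA enforced on privileged accounts", 1),
    Control("CSM-UM-01", "Update management", "Critical patches applied within 14 days", 0),
    Control("CSM-NS-02", "Network security", "Internet-facing service logs kept 90 days", 0),
    Control("CSM-AM-07", "Access management", "Privileged session logs kept 12 months", 1),
    Control("CSM-SC-03", "Supply chain security", "Multi-tier subcontractor assurance", 2),
]

# Constructed evidence snapshot: what the article calls configuration state,
# patch state and access-control state, as a platform might export it.
EVIDENCE = {
    "privileged_accounts": [
        {"user": "adm-alice", "mfa": True},
        {"user": "adm-bob", "mfa": False},
    ],
    "critical_patches": [
        {"host": "web-01", "released": date(2026, 1, 5), "applied": date(2026, 1, 12)},
        {"host": "web-02", "released": date(2026, 1, 5), "applied": None},
    ],
    "log_retention_days": {"internet_facing": 120, "privileged_session": 180},
}


def applicable_controls(target_level: int) -> list:
    """Controls marked for the target level (step 3 of the workflow)."""
    return [c for c in CONTROLS if c.min_level <= target_level]


def status_from_ratio(ok: int, total: int) -> str:
    """Map 'how many items satisfy the control' onto the three register states."""
    if total == 0 or ok == 0:
        return "not in place"
    return "In place" if ok == total else "partial"


def check_mfa(ev) -> tuple:
    accts = ev["privileged_accounts"]
    ok = sum(1 for a in accts if a["mfa"])
    return status_from_ratio(ok, len(accts)), f"{ok}/{len(accts)} privileged accounts with MFA"


def check_patch_sla(ev, as_of: date, sla_days: int = 14) -> tuple:
    """A patch breaches the SLA if applied late, or still unapplied past the window."""
    patches = ev["critical_patches"]
    ok = 0
    for p in patches:
        deadline_passed = (as_of - p["released"]).days > sla_days
        if p["applied"] is not None:
            ok += (p["applied"] - p["released"]).days <= sla_days
        elif not deadline_passed:
            ok += 1  # inside the window, not yet a breach
    return status_from_ratio(ok, len(patches)), f"{ok}/{len(patches)} critical patches within {sla_days} days"


def check_retention(ev, source: str, minimum_days: int) -> tuple:
    actual = ev["log_retention_days"].get(source, 0)
    status = "In place" if actual >= minimum_days else "not in place"
    return status, f"{source} retention {actual} days (minimum {minimum_days})"


def build_register(target_level: int, ev, as_of: date) -> dict:
    """Status and evidence location for every control at the target level."""
    checks = {
        "CSM-AM-01": lambda: check_mfa(ev),
        "CSM-UM-01": lambda: check_patch_sla(ev, as_of),
        "CSM-NS-02": lambda: check_retention(ev, "internet_facing", 90),
        "CSM-AM-07": lambda: check_retention(ev, "privileged_session", 365),
    }
    register = {}
    for c in applicable_controls(target_level):
        if c.cid in checks:
            status, evidence = checks[c.cid]()
        else:
            status, evidence = "not in place", "no machine evidence; manual review required"
        register[c.cid] = {"title": c.title, "status": status, "evidence": evidence}
    return register


if __name__ == "__main__":
    for cid, row in build_register(1, EVIDENCE, date(2026, 1, 30)).items():
        print(f"{cid:10} {row['status']:13} {row['title']} [{row['evidence']}]")
```

Controls with no automated check fall out as "not in place" with a note that manual review is needed, so the register never silently reports a gap as closed; an unapplied patch still inside its 14-day window is not counted as a breach, which is the edge case a naive "applied or not" comparison gets wrong.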

For a consolidated readiness list derived from CSM v4, see the DCC requirements checklist.

CSM v4 and annual attestation

Annual attestation under DCC (see DCPP-to-DCC transition) is conducted against the current version of CSM at the attestation date. If CSM v5 is published during your three-year certificate period, your annual attestation may need to address v5-specific controls that were not in v4 at original certification. This is a known feature of the scheme, not a quirk, and is why suppliers should track MOD/IASME communications on CSM updates.

How Fig Group works with CSM v4

Fig's consultants work through CSM v4 with every client during scoping. The control-by-control walkthrough is the most efficient way to identify gaps, plan remediation, and structure evidence collection. The Fig technology platform automatically maps machine-generated evidence (configuration state, patch state, access control state) to the relevant CSM v4 control IDs, which reduces the manual evidence assembly burden on the client and gives the assessor a direct control-to-evidence trace.

For suppliers new to the scheme, this structural discipline is often the difference between a clean first-pass assessment and a cycle of clarification requests.


Frequently asked questions

Key questions from MOD suppliers researching this topic.

What is the MOD Cyber Security Model (CSM)?

The Cyber Security Model is the MOD specification that defines the technical and organisational cybersecurity controls expected of defence suppliers. It is the specification that DCC assesses against. The current version is CSM v4, published December 2025.

How does CSM v4 differ from DEFSTAN 05-138?

DEFSTAN 05-138 is the underlying defence standard that sets cybersecurity requirements. CSM v4 is the practical model that translates DEFSTAN 05-138 into the specific controls a supplier must implement at each DCC level. They work together - DEFSTAN sets the requirements, CSM operationalises them.

Is CSM v4 publicly available?

CSM v4 is available to suppliers through the MOD procurement process and via IASME for suppliers engaging with DCC. It is not a fully open public document in the way NCSC Cyber Essentials materials are, but it is accessible to any legitimate defence supplier.

Does CSM v4 apply to all four DCC levels?

Yes. CSM v4 defines the control requirements at each of the four levels. L0 has a subset of CSM v4 controls; L1 has more; L2 adds further controls; L3 has the full set plus the highest maturity expectations.

How often does CSM change?

CSM has been revised approximately every two to three years. v4 (December 2025) is the current version. Suppliers should expect v5 within a three-to-five-year horizon and monitor MOD/IASME communications for transition timing.
