Sector

Defence

Structured assurance for defence programmes, supply chain, and platform systems — bridging DEF STAN 05-138 with broader cybersecurity frameworks.

Threat Landscape

Defence organisations face persistent state-sponsored cyber threats aimed at military programmes, supply chains, and critical defence industrial capabilities. Advanced threat actors target defence contractors to obtain sensitive programme information, technical data, and insight into strategic military capabilities.

Defence supply chains are particularly attractive targets for cyber espionage and pre-positioning. The depth and complexity of defence supply chains — spanning multiple tiers, international partnerships, and dual-use technology — create a broad attack surface that extends well beyond the prime contractor: a lower-tier supplier with weaker controls can become the entry point to programme data held further up the chain.

Regulatory & Framework Landscape

DEF STAN 05-138, NIST SP 800-171, NIST SP 800-53, ISO/IEC 27001:2022, CMMC 2.0

Defence suppliers must comply with DEF STAN 05-138 (Cyber Security for Defence Suppliers) for UK MOD supply chain cybersecurity. NIST SP 800-171 and CMMC 2.0 apply to organisations handling Controlled Unclassified Information (CUI) in US defence programmes; the NIST SP 800-171 requirements are derived from the NIST SP 800-53 moderate baseline, which is why 800-53 mappings underpin the US obligations. ISO/IEC 27001 provides the enterprise governance baseline. Programme-specific security requirements may impose additional obligations.

CCM Domain Alignment

D14 OT/ICS Security (24 controls)

Defence organisations use the full mandatory baseline (D01–D13) for enterprise governance. Organisations with platform-specific OT systems (weapons systems, mission systems, vehicle electronics) activate the D14 OT/ICS Security overlay. The specific configuration depends on the organisation's role in the defence supply chain.

Operating Context

How C-PAP Supports Defence

C-PAP provides a unified compliance architecture bridging DEF STAN 05-138 defence supply chain requirements with broader cybersecurity frameworks. A single assessment generates evidence applicable to UK MOD audits, CMMC certification, and customer-specific programme requirements simultaneously.

For organisations operating across both civil and defence markets, C-PAP eliminates the need for parallel compliance programmes by consolidating all framework obligations under the canonical control model. Continuous demonstration of cyber maturity supports defence contract positioning and retention.

Ready to discuss Defence assurance?

Request a sector-specific briefing or explore the full Defence brief through our resource portal.