Definitions

In this Condition the following words and expressions shall have the meanings given to them, except where the context requires a different meaning:

“Associated Company” means:

(a) any associated company of the Contractor from time to time within the meaning of Section 449 of the Corporate Tax Act 2010 or any subordinate legislation; and

(b) any parent undertaking or subsidiary undertaking of the Contractor from time to time within the meaning of section 1162 Companies Act 2006 and it is further agreed that where the ownership of shares in any such undertaking have been pledged or transferred to a third party by way of security, the original parent shall still be considered a member of the subsidiary undertaking;

“Contractor Deliverables” shall have the meaning set out in DEFCON 501;

“Cyber Risk Level” means the level of Cyber Risk relating to this Contract assessed in accordance with the Cyber Security Model;

“Cyber Security Implementation Plan” means the plan referred to in Clause 3 of this Condition including but not limited to any risk-balance case and mitigation measures required by the Authority;

“Cyber Security Incident” means an event, act or omission which gives rise or may give rise to:

(a) unauthorized access to an information system or electronic communications network;

(b) disruption or change of the operation (including but not limited to takeover of control) of an information system or electronic communications network;

(c) destruction, damage, deletion or the change of MOD Identifiable Information residing in an information system or electronic communications network;

(d) removal or limiting the possibility to use MOD Identifiable Information residing in an information system or electronic communications network; or

(e) the appropriation, publication, dissemination or any other use of nonpublic MOD Identifiable Information by persons unauthorised to do so.

“Cyber Security Instructions” means DEFSTAN 05-138, together with any relevant ISN and specific security instructions relating to this Contract issued by the Authority to the Contractor;

“Cyber Security Model” and “CSM” mean the process by which the Authority ensures that MOD Identifiable Information is adequately protected from Cyber Incident and includes the CSM Risk Assessment Process, DEFSTAN 05-138 and the CSM Supplier Assurance Questionnaire;

“CSM Risk Assessment Process” means the risk assessment process which forms part of the Cyber Security Model and is used to measure the Cyber Risk Level for this Contract and any Sub-contract;

“CSM Supplier Assurance Questionnaire” means the supplier assessment questionnaire which forms part of the Cyber Security Model and is to be used by the Contractor to demonstrate compliance with this Condition;

“Data” means any data, text, drawings, diagrams, images or sounds (together with any database made up of any of these) which are embodied in any electronic, magnetic, optical or tangible media.

“DEFSTAN 05-138” means the Defence Standard 05-138 as amended or replaced from time to time;

“Electronic Information” means all information generated, processed, transferred or otherwise dealt with under or in connection with the Contract, including but not limited to Data, recorded or preserved on any information system or electronic communications network;

“Good Industry Practice” means in relation to any undertaking and any circumstances, the exercise of skill, diligence, prudence, foresight and judgment and the making of any expenditure that would reasonably be expected from a skilled person in the same type of undertaking under the same or similar circumstances;

“ISN” means Industry Security Notices issued by the Authority to the Contractor whether directly or by issue on the gov.uk website at: https://www.gov.uk/government/publications/industry-security-notices-isns;

“JSyCC WARP” means the Joint Security Co-ordination Centre MOD Defence Industry Warning, Advice and Reporting Point or any successor body notified by way of ISN;

“MOD Identifiable Information” means all Electronic Information which is attributed to or could identify an existing or proposed MOD capability, defence activities or personnel and which the MOD requires to be protected against loss, misuse, corruption, alteration and unauthorised disclosure.

“NSA/DSA” means, as appropriate, the National or Designated Security Authority of the Contractor that is responsible for the oversight of the security requirements to be applied by the Contractor and for ensuring compliance with applicable national security regulations;

“Sites” means any premises from which Contractor Deliverables are provided in connection with this Contract or from which the Contractor or any relevant Sub-contractor manages, organises or otherwise directs the provision or the use of the Contractor Deliverables and/or any sites from which the Contractor or any relevant Sub-contractor generates, processes, stores or transmits MOD Identifiable Information in relation to this Contract;

“Sub-contractor” means a sub-contractor of the Contractor or any Associated Company whether a direct Sub-contractor or at any lower level of the supply chain who provides any Contractor Deliverables in connection with this Contract;

“Supplier Cyber Protection Service” means the CSM Risk Assessment Process and CSM Supplier Assurance Questionnaire.