Defence & MoD Supply Chain

Identity Governance in the Defence Supply Chain Starts With Visibility.

Defence contractors and MoD suppliers must hold Cyber Essentials as a contract condition and demonstrate identity governance under JSP 604. IdentityFirst surfaces the account risks that put your DEFCON 658 compliance and contract eligibility at risk.

Book a Demo View a Sample Report
DEFCON 658 Aligned  •  JSP 604 Supported  •  Cyber Essentials Certified  •  Supply Chain Ready  •  Read-Only
The Identity Problem

Why the Defence Supply Chain Has an Identity Problem

Defence contractors face contract-condition certification requirements, complex multi-tier supply chain identity estates, and a threat landscape that specifically targets the defence sector.

Cyber Essentials Is a Contract Condition

DEFCON 658 embeds Cyber Essentials certification as a mandatory contractual obligation for all MoD contracts. Suppliers who fail CE renewal — often because of access control (Requirement 4) failures — risk losing contract eligibility immediately. Access control gaps that accumulate between assessments are the most common cause of renewal failure.

Multi-Tier Supply Chain Identity Sprawl

Prime contractors routinely onboard tier-2 and tier-3 subcontractors across the contract lifecycle. Each engagement creates contractor accounts, guest identities, and supplier service accounts — many of which persist long after the subcontract ends. Manually tracking this across multiple Active Directory domains and Entra ID tenants is not operationally scalable.

Nation-State Threat Actors Target the Supply Chain

NCSC advisories consistently highlight the defence supply chain as a primary target for nation-state actors seeking access to sensitive project information and technology. Contractor and supplier accounts — particularly those left active post-engagement — are the identity attack surface that adversaries exploit to establish initial access and move laterally.

Regulatory Mapping

Regulatory Obligations IdentityFirst Addresses

Each assessment maps findings to the specific defence standards and contract conditions that procurement and security teams reference.

DEFCON 658 / Cyber Essentials Mandatory MoD Contract Condition

All MoD contracts require Cyber Essentials certification as a minimum. DEFCON 658 embeds this as a contractual condition. Access control (Requirement 4) failures — shared accounts, privileged accounts without MFA, stale credentials — are common reasons suppliers fail CE renewal and lose contract eligibility.

  • Shared and generic account identification
  • Privileged account MFA coverage gaps
  • Stale credential and account lifecycle evidence

JSP 604 Cyber Security for Defence

Provides the cyber security framework for the defence enterprise. Identity and access management controls are a core pillar: privileged accounts must be individually named, time-limited where possible, and subject to regular review. Third-party and contractor accounts require specific governance.

  • Named privileged account enumeration and review evidence
  • Standing access detection — supports time-bound controls evidence
  • Third-party and contractor account governance mapping

JSP 440 Defence Manual of Security

Governs personnel security and physical/logical access. Requires that access rights are commensurate with security clearance level, contractor accounts are removed promptly on engagement end, and access to systems handling OFFICIAL-SENSITIVE data is individually auditable.

  • Post-engagement contractor account detection
  • Access-to-clearance-level alignment evidence
  • Individually auditable access inventory

NIST SP 800-171 / CMMC 2.0 For US DoD Work

UK contractors working on US DoD programmes must meet NIST SP 800-171 and increasingly CMMC 2.0. Access control (AC) and identification/authentication (IA) families directly map to the identity governance findings IdentityFirst surfaces.

  • AC-2 account management & AC-6 least privilege evidence
  • IA-3 authenticator & MFA coverage analysis
  • Supports evidence for CMMC 2.0 Level 2 AC and IA practices

Example Findings

What IdentityFirst Finds in Defence Supply Chain Environments

Representative findings from a defence contractor assessment — the kind of identity risk that puts DEFCON 658 compliance and supply chain assurance at risk, and is invisible to manual review.

Critical

DV-Cleared Contractor Account — Post-Project

p.ashworth.contractor

Project ended 112 days ago. SC/DV clearance reference still in AD attributes. Account active, member of Prog_Docs_ReadWrite. JSP 440 breach — access must be removed within 24 hours of engagement end for cleared personnel.

Compliance Gap: JSP 440 — contractor account removal obligation; JSP 604 — third-party account governance.

Critical

Kerberoastable Service Account — Programme Support System

svc_prog_support

SPN: MSSQLSvc/prog-db01.corp.local. RC4-HMAC encryption. Password set 2017. Member of local admins on 4 servers. CMMC AC.2 and JSP 604 privileged account governance gap.

Blast Radius: Critical — TGS ticket extractable from any domain-joined host; local admin on 4 servers.

High

Standing Privileged Access — No Time-Bound Controls

admin.j.whitfield

Permanent Domain Admin. No Just-In-Time (JIT) elevation in scope. JSP 604 recommends time-bound privileged access for all Tier-0 accounts. NIST SP 800-171 AC-6 — least privilege — violated.

Compliance Gap: JSP 604 privileged access governance; NIST SP 800-171 AC-6.

High

Supply Chain Supplier Account — Active Post-Subcontract

ext.techsupport@tier2-supplier.co.uk

Guest account for tier-2 subcontractor. Subcontract ended 6 months ago. Still has access to SharePoint document libraries containing OFFICIAL-SENSITIVE project artefacts.

Compliance Gap: JSP 440 contractor account removal; JSP 604 third-party account governance.

Medium

Unconstrained Delegation on Programme Workstation

PROG-WS-047

Computer account with unconstrained Kerberos delegation enabled. Any user who authenticates to this machine leaves a forwardable TGT behind that services on it can use to impersonate that user against any other domain service. JSP 604 and NCSC AD hardening guidance both flag unconstrained delegation as high-risk.

Blast Radius: High — unconstrained delegation provides a credible path to Domain Admin via TGT abuse.

View a complete IdentityMRI sample report →
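The five findings above rest on a small set of directory signals: an engagement end date in the past on an enabled account, a service account with an SPN plus RC4-HMAC and an old password, permanent Domain Admins membership with no time-bound elevation, and the TRUSTED_FOR_DELEGATION bit on a computer account. The following added example, written for this page and not IdentityFirst or IdentityMRI code, applies those checks to a constructed account export and maps each hit to the obligations named in the findings. The userAccountControl and msDS-SupportedEncryptionTypes bit values are real Active Directory constants; the account names, dates, group names, thresholds and severity rules are this example's own illustrative choices and stand in for, rather than reproduce, the product's 40+ checks.

```python
"""Added example (not IdentityFirst/IdentityMRI code): a small rule engine that
scores a constructed directory export against the risk patterns shown in the
findings above and maps each hit to the obligations the page cites."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

ASSESSMENT_DATE = date(2025, 1, 15)   # constructed assessment date
UF_TRUSTED_FOR_DELEGATION = 0x80000   # real userAccountControl bit: unconstrained delegation
STALE_PASSWORD_DAYS = 365             # illustrative threshold for service-account passwords
SEVERITY_RANK = {"Critical": 0, "High": 1, "Medium": 2}


@dataclass(frozen=True)
class Account:
    """One row of a (constructed) AD/Entra export. rc4_allowed mirrors the RC4-HMAC
    bit (0x4) of msDS-SupportedEncryptionTypes; uac is userAccountControl."""
    name: str
    kind: str                              # "user", "guest", "service" or "computer"
    enabled: bool = True
    engagement_end: Optional[date] = None  # contractor/supplier engagement end, if any
    clearance: Optional[str] = None        # e.g. "SC" or "DV"; None if uncleared
    groups: tuple = ()
    spns: tuple = ()
    pwd_last_set: Optional[date] = None
    rc4_allowed: bool = False
    uac: int = 0
    local_admin_on: int = 0                # hosts on which the account is a local admin
    jit_eligible: bool = False             # privilege held via time-bound elevation only


@dataclass(frozen=True)
class Finding:
    account: str
    title: str
    severity: str
    obligations: tuple
    detail: str


def check_post_engagement(a: Account, today: date) -> Optional[Finding]:
    """Enabled contractor/guest account whose engagement end date has passed."""
    if a.kind not in ("user", "guest") or not a.enabled or a.engagement_end is None:
        return None
    days = (today - a.engagement_end).days
    if days <= 0:
        return None
    severity = "Critical" if a.clearance else "High"   # cleared personnel escalate
    return Finding(a.name, "Contractor/supplier account active post-engagement", severity,
                   ("JSP 440 contractor account removal", "JSP 604 third-party account governance"),
                   f"engagement ended {days} days ago; clearance={a.clearance}; groups={list(a.groups)}")


def check_kerberoastable(a: Account, today: date) -> Optional[Finding]:
    """Service account with an SPN that is weakly protected (RC4 allowed or stale password)."""
    if a.kind != "service" or not a.spns:
        return None
    age = (today - a.pwd_last_set).days if a.pwd_last_set else None
    stale = age is None or age >= STALE_PASSWORD_DAYS
    if not (a.rc4_allowed or stale):
        return None                      # AES-only with a fresh password: no finding
    severity = "Critical" if a.local_admin_on > 0 else "High"
    return Finding(a.name, "Kerberoastable service account", severity,
                   ("JSP 604 privileged account governance", "CMMC AC.2"),
                   f"spn={a.spns[0]}; rc4={a.rc4_allowed}; pwd_age_days={age}; local_admin_on={a.local_admin_on}")


def check_standing_privilege(a: Account, today: date) -> Optional[Finding]:
    """Permanent Domain Admins membership with no time-bound (JIT) elevation."""
    if "Domain Admins" not in a.groups or a.jit_eligible:
        return None
    return Finding(a.name, "Standing privileged access without time-bound controls", "High",
                   ("JSP 604 privileged access governance", "NIST SP 800-171 AC-6"),
                   "permanent Domain Admin; no JIT elevation in scope")


def check_unconstrained_delegation(a: Account, today: date) -> Optional[Finding]:
    """Computer account with the TRUSTED_FOR_DELEGATION bit set."""
    if a.kind != "computer" or not (a.uac & UF_TRUSTED_FOR_DELEGATION):
        return None
    return Finding(a.name, "Unconstrained Kerberos delegation", "Medium",
                   ("JSP 604", "NCSC AD hardening guidance"),
                   f"userAccountControl=0x{a.uac:x}")


CHECKS = (check_post_engagement, check_kerberoastable,
          check_standing_privilege, check_unconstrained_delegation)


def assess(accounts, today: date = ASSESSMENT_DATE) -> list:
    """Run every check over every account; order by severity, then name (the Prioritise step)."""
    findings = [f for a in accounts for f in (c(a, today) for c in CHECKS) if f]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.account))


def summarise(findings) -> dict:
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory echoing the findings above, plus three accounts that should NOT fire.
SAMPLE_ACCOUNTS = (
    Account("p.ashworth.contractor", "user", engagement_end=ASSESSMENT_DATE - timedelta(days=112),
            clearance="DV", groups=("Prog_Docs_ReadWrite",)),
    Account("svc_prog_support", "service", spns=("MSSQLSvc/prog-db01.corp.local",),
            pwd_last_set=date(2017, 3, 1), rc4_allowed=True, local_admin_on=4),
    Account("admin.j.whitfield", "user", groups=("Domain Admins",)),
    Account("ext.techsupport@tier2-supplier.co.uk", "guest",
            engagement_end=ASSESSMENT_DATE - timedelta(days=182)),
    Account("PROG-WS-047", "computer", uac=UF_TRUSTED_FOR_DELEGATION),
    Account("svc_backup", "service", spns=("backup/bk01.corp.local",),
            pwd_last_set=date(2024, 12, 1)),                       # AES-only, fresh password
    Account("j.clean", "user", groups=("Prog_Docs_Read",)),           # ordinary user
    Account("c.done.contractor", "user", enabled=False,               # correctly offboarded
            engagement_end=ASSESSMENT_DATE - timedelta(days=30)),
)

if __name__ == "__main__":
    for f in assess(SAMPLE_ACCOUNTS):
        print(f"{f.severity:8} {f.account:40} {f.title}\n         {f.detail}\n         {'; '.join(f.obligations)}")
    print(summarise(assess(SAMPLE_ACCOUNTS)))
```

A disabled account with a past engagement end produces no finding, because the offboarding control has already worked; the point of the check is the enabled account that outlived its contract. A real export would replace `SAMPLE_ACCOUNTS` with rows read from the directory, and the engagement end date would have to come from an HR or contract system, since AD itself does not carry it.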

How It Works

From Connector to Compliance Evidence in 48 Hours

A four-stage pipeline that requires no agents, no production changes, and no access to MoD networks or classified systems.

1

Connect

Read-only connectors attach to your Active Directory, Entra ID, and PAM tools using a read-only service account. No agents installed. No production changes. No access to MoD networks required at any stage.

2

Assess

IdentityMRI™ enumerates every identity — including contractor accounts, guest identities, and supplier service accounts — across your estate. 14+ connectors. 40+ risk checks applied. Nothing sampled.

3

Prioritise

Each finding is scored by blast radius and mapped to DEFCON 658, JSP 604, JSP 440, and NIST SP 800-171 obligations. Post-engagement contractor accounts and Kerberoastable service accounts are surfaced as priority risks.

4

Report

Board-ready PDF delivered within 48 hours. Named findings, timestamps, remediation guidance, and compliance mapping structured to support DEFCON 658 CE renewal evidence and JSP 604 identity governance review.

What IdentityFirst Does NOT Access

IdentityFirst does not access classified systems, programme data, technical documents, MoD networks, or any OFFICIAL-SENSITIVE or SECRET material. All connectors operate read-only against the contractor's own Active Directory, Entra ID, and PAM identity stores only.

  • Classified systems or networks
  • MoD networks or infrastructure
  • Programme or project data
  • Technical or design documents
  • OFFICIAL-SENSITIVE or SECRET material
  • Any system outside the contractor's own identity estate

FAQ

Defence Supply Chain — Common Questions

Straight answers to the questions procurement, security, and compliance teams at MoD suppliers ask most often.

Does IdentityFirst meet the Cyber Essentials requirement under DEFCON 658?

IdentityFirst is itself Cyber Essentials certified and surfaces the access control gaps that cause supplier CE certification failures. DEFCON 658 embeds Cyber Essentials as a contractual condition for all MoD contracts. Access control (Requirement 4) failures — shared accounts, privileged accounts without MFA, and stale credentials — are among the most common reasons suppliers fail CE renewal and lose contract eligibility. IdentityFirst maps every such gap across your identity estate and produces remediation evidence before your next CE assessment.

How does IdentityFirst support JSP 604 identity governance obligations?

JSP 604 requires that privileged accounts are individually named, time-limited where possible, and subject to regular review, and that contractor and third-party accounts receive specific governance. IdentityFirst surfaces every named privileged account, identifies standing access without time-bound controls, maps contractor and third-party account lifecycle status, and produces remediation evidence structured to support JSP 604 obligations.

The resulting evidence pack identifies accounts that are not yet compliant with JSP 604 requirements and provides the named-finding, timestamped documentation needed to evidence a remediation programme.

Can IdentityFirst help with CMMC 2.0 / NIST SP 800-171 access control requirements?

Yes. UK contractors working on US DoD programmes are subject to NIST SP 800-171 and increasingly CMMC 2.0. The Access Control (AC) and Identification and Authentication (IA) control families map directly to the identity governance findings IdentityFirst surfaces: least privilege (AC-6), account management (AC-2), multi-factor authentication (IA-3), and authenticator management (IA-5).

IdentityFirst is designed to support evidence generation for these control families. The report cross-references AC and IA findings to specific NIST SP 800-171 controls.

Does IdentityFirst access MoD networks or classified systems?

No. IdentityFirst operates exclusively against the contractor's own identity infrastructure — Active Directory, Entra ID, and PAM tools. No MoD network access is required or requested at any stage. IdentityFirst does not access classified systems, programme data, technical documentation, MoD networks, or any OFFICIAL-SENSITIVE or SECRET material. All connectors are read-only.

The assessment scope is strictly limited to identity stores held within the contractor's own infrastructure. The platform makes no outbound connections to MoD systems and requires no access beyond a read-only service account on the contractor's own directory.

How does IdentityFirst address supply chain identity risk?

Third-party and contractor accounts are identified across Active Directory and Entra ID tenants, their access entitlements are enumerated, and accounts that remain active after engagement end are flagged as priority findings. Tier-2 subcontractor guest accounts, supplier service accounts, and contractor identities with access to document libraries are surfaced in the assessment report with JSP 440 and JSP 604 compliance mapping.

This supply chain identity visibility is the part of the assessment most commonly unavailable from manual review processes — particularly in organisations managing multiple concurrent subcontracts with different engagement end dates.

Ready to Evidence Your DEFCON 658 Identity Controls?

Book a live demo to see how IdentityFirst maps your own identity estate against DEFCON 658, JSP 604, and JSP 440 obligations — or explore a sample report now.


Read-only  •  No agents  •  Findings in 24 hours  •  UK-hosted & ICO registered