IT Strategy for UK Defence Manufacturers: DEF STAN 05-138, List X and the MOD Supply Chain

An effective IT strategy programme for UK defence manufacturers has to do something most generic IT strategies skip: align technology, data and OT directly to MOD DEF STAN 05-138 cyber profiles, List X facility security, Cyber Essentials Plus, ITAR and JOSCAR pre-qualification, while still running engineering, machining and assembly at scale. With UK MOD direct expenditure with industry hitting £31.7 billion in 2024/25 and the 2025 Strategic Defence Review pushing investment into UK defence advanced manufacturing, IT now sits at the heart of contract eligibility.


Last updated: 8 May 2026

What an IT strategy defence manufacturers UK roadmap must cover

The UK defence manufacturing base is structurally critical and growing. Total MOD direct expenditure with UK industry reached £31.7 billion in 2024/25, with £19.2 billion of that on Equipment and Equipment Support. The ADS Group Defence Research, Technology and Innovation Cluster mapping identifies more than 2,100 UK defence-related companies, of which 1,781 (84%) have at least one manufacturing capability and 27% also sit within the Advanced Manufacturing cluster. The Spring Statement 2026 reinforced that aerospace, defence, security and space remain core UK growth sectors.

An IT strategy programme for a UK defence manufacturer therefore has to cover seven domains:

  • ERP and MRP with engineering-change control, configuration management and serialised assembly histories.
  • Secure data handling for OFFICIAL, OFFICIAL-SENSITIVE and SECRET information, with separation between commercial and classified networks.
  • MOD DEF STAN 05-138 cyber controls mapped to the contract risk profile (Levels 0 to 3).
  • List X facility security where SECRET or above is held on site, including IT Installation Security Officer arrangements.
  • Cyber Essentials Plus, ISO 27001 and JOSCAR pre-qualification, plus ITAR and EAR controls for US-origin technical data.
  • OT cybersecurity for CNC, robotic, additive and assembly cells, aligned to NCSC OT guidance.
  • EDI and B2B integration with primes such as BAE Systems, Babcock, Leonardo, Thales, MBDA, Rolls-Royce and the MOD itself.

Treating these as separate projects is the most common failure mode. A single IT strategy plan brings them onto one roadmap, owned by a single technology leader who can sit comfortably in both a board meeting and a Security Aspects Letter review.

DEF STAN 05-138: the cyber spine of any UK defence IT strategy

The Ministry of Defence’s DEF STAN 05-138 Issue 4, in force since May 2024 and most recently updated in December 2025, is the cyber spine of every UK defence IT strategy. It applies to all MOD procurements, MOD suppliers and their subcontract suppliers, and sets out a Cyber Security Model (CSM) built on four risk profile levels:

  • Level 0 (Basic): low-risk contracts. Cyber Essentials baseline, plus core hygiene controls.
  • Level 1 (Foundational): moderate-risk contracts. Cyber Essentials Plus expected, with stronger governance and incident response.
  • Level 2 (Advanced): higher-risk contracts. Risk management aligned to ISO 27001-style ISMS thinking, mature monitoring and supply-chain controls.
  • Level 3 (Expert): highest-risk and classified contracts. Continuous monitoring, mature SOC, full incident response and threat-led testing.

The standard tests four objectives: managing security risk, protecting against cyber attack, detecting cyber security events and minimising the impact of incidents. Each contract is risk-assessed by the contracting authority and assigned a profile through the Defence Cyber Risk Assessment process. The IT strategy plan therefore needs a current map of contracts, profile levels and the controls each one demands, refreshed at every renewal or new contract award.

List X, secure information handling and the IT installation

For UK defence manufacturers handling SECRET or higher classified information on their own premises, List X facility security clearance is the gateway. Under MOD List X requirements, contractors must appoint named security roles (Security Controller, IT Installation Security Officer, ATOMIC Liaison Officer where relevant), establish controlled physical zones, run accredited classified IT systems and report security incidents to the Defence Industry Warning, Advice and Reporting Point (WARP) at the Joint Security Co-ordination Centre.

The IT strategy implications are direct. List X sites typically operate at least three logical IT environments:

  • Commercial network for ERP, finance, HR, email and general engineering work at OFFICIAL.
  • OFFICIAL-SENSITIVE network for export-controlled and contract-sensitive information, with stricter access and data loss prevention.
  • Accredited SECRET network physically separated from the others, with cross-domain solutions for any controlled data movement, and full alignment to MOD accreditation authorities.

The IT strategy must also include configuration management at part and assembly level, secure firmware handling for connected weapons and platforms, and lifecycle controls that survive UK MOD audits and US ITAR compliance reviews simultaneously.

JOSCAR, ITAR and the prime-contractor reality

Most UK defence SMEs do not contract directly with the MOD. They sell into primes such as BAE Systems, Babcock, Leonardo, Thales, MBDA, Rolls-Royce and Airbus Defence and Space, who then flow MOD requirements down through procurement. Two pre-qualifications dominate the supplier-onboarding stage:

  • JOSCAR — the Joint Supply Chain Accreditation Register used by most ADS member primes. Suppliers register once, complete a comprehensive questionnaire across financial, ethical, technical and cyber domains, and become discoverable and pre-qualified across the prime ecosystem.
  • ITAR and US EAR — where any US-origin technical data is involved, US International Traffic in Arms Regulations and Export Administration Regulations apply directly. The IT estate must support technology control plans, restrict data access by nationality where required, and evidence training and monitoring.

The IT strategy plan should treat JOSCAR readiness, prime-specific supplier portals, ITAR controls and Security Aspects Letters as first-class workflows in the ERP, document management and identity stack rather than as one-off compliance projects.

OT cybersecurity in a UK defence production environment

Defence production environments combine high-precision CNC, robotics, additive manufacturing and assembly with growing digital connectivity. The cyber implication is significant. The 2026 NCSC Secure Connectivity Principles for OT, which UK defence manufacturers should now treat as the de facto reference, push:

  • OT segmentation away from corporate IT, with segregated, logged conduits.
  • Phishing-resistant MFA at the OT boundary and for all engineering remote access.
  • Push-only data flows out of OT to IT and the cloud, with break-glass procedures for the rare cases where data must flow back.
  • Time-boxed, MFA-protected vendor remote access for CNC, robotic, additive and inspection equipment vendors.
  • A documented OT isolation plan that allows safe disconnection from the internet and corporate IT during a major incident.
  • Continuous monitoring of OT and IT logs into a SOC capable of meeting Level 2 or Level 3 DEF STAN 05-138 expectations.

For UK defence suppliers operating to AS9100D, IATF 16949 or sector-specific MOD specifications, these OT cyber controls are no longer optional. They sit alongside configuration management, supplier flow-down and quality records as core IT-strategy outputs.
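The segregation rules above (three separated IT environments with a cross-domain solution as the only path into SECRET, push-only data flows out of OT, break-glass entry into OT, and time-boxed, MFA-protected vendor access) are easier to review and test when written down as a deny-by-default policy rather than left implicit in firewall rule sets. The following Python is an added illustration, not the article's, the NCSC's or any vendor's code: the zone names, the ticket shape, the four-hour vendor window and the exact rule wording are all assumptions chosen to encode the principles listed above, and a real policy would be driven by the site's accreditation documentation.

```python
"""Deny-by-default data-flow policy for a segmented defence manufacturing estate.

Added example. Zone names, ticket shape, the vendor time-box and the rule
wording are assumptions made to encode the principles in the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

IT_ZONES = {"COMMERCIAL", "OFFICIAL_SENSITIVE"}
EXTERNAL = {"CLOUD", "VENDOR"}
ZONES = IT_ZONES | EXTERNAL | {"SECRET", "OT"}

MAX_VENDOR_WINDOW = timedelta(hours=4)  # assumed time-box for a vendor maintenance session


@dataclass(frozen=True)
class Ticket:
    """An approved exception: a break-glass entry into OT, or a vendor maintenance window."""
    kind: str          # "break_glass" or "vendor_access"
    start: datetime
    end: datetime
    approver: str


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    initiator: str = "src"      # "src" = the source opens the connection (push); "dst" = it is pulled
    mfa: str = "none"           # "none", "otp" or "phishing_resistant"
    via_cds: bool = False       # traverses an accredited cross-domain solution
    ticket: Optional[Ticket] = None


def ticket_active(ticket: Optional[Ticket], kind: str, now: datetime) -> bool:
    """True only for a ticket of the right kind whose window covers `now`."""
    return ticket is not None and ticket.kind == kind and ticket.start <= now < ticket.end


def evaluate(flow: Flow, now: datetime) -> tuple:
    """Return (permitted, reason). Nothing is permitted unless a rule says so."""
    if flow.src not in ZONES or flow.dst not in ZONES:
        return False, "unknown zone"
    if flow.src == flow.dst:
        return True, "intra-zone traffic is outside this boundary policy"

    # 1. The SECRET network is physically separated: the only sanctioned path is a CDS
    #    from an IT zone, and never directly to or from OT, the cloud or a vendor.
    if "SECRET" in (flow.src, flow.dst):
        other = flow.dst if flow.src == "SECRET" else flow.src
        if other not in IT_ZONES:
            return False, "no path between SECRET and %s" % other
        if not flow.via_cds:
            return False, "SECRET data movement must go through the cross-domain solution"
        return True, "controlled movement via CDS (logged)"

    # 2. OT to IT/cloud is push-only: OT initiates, nothing reaches in to pull.
    if flow.src == "OT":
        if flow.initiator != "src":
            return False, "data must be pushed out of OT; pulls into the OT boundary are not allowed"
        return True, "push from OT through logged conduit"

    # 3. Vendor access into OT: active time-boxed ticket, bounded window, phishing-resistant MFA.
    if flow.dst == "OT" and flow.src == "VENDOR":
        if not ticket_active(flow.ticket, "vendor_access", now):
            return False, "no active vendor_access window"
        if flow.ticket.end - flow.ticket.start > MAX_VENDOR_WINDOW:
            return False, "vendor window exceeds the %s time-box" % MAX_VENDOR_WINDOW
        if flow.mfa != "phishing_resistant":
            return False, "vendor remote access requires phishing-resistant MFA"
        return True, "vendor session permitted until %s" % flow.ticket.end.isoformat()

    # 4. Anything else reaching into OT is break-glass only.
    if flow.dst == "OT":
        if ticket_active(flow.ticket, "break_glass", now):
            return True, "break-glass entry approved by %s" % flow.ticket.approver
        return False, "inbound to OT denied; raise a break-glass ticket"

    # 5. Other remote engineering access still needs phishing-resistant MFA at the boundary.
    if flow.src == "VENDOR" and flow.mfa != "phishing_resistant":
        return False, "remote access requires phishing-resistant MFA"

    # 6. Remaining IT/cloud flows are permitted, but only through a logged conduit.
    return True, "permitted via logged conduit"


def audit(flows, now):
    """Evaluate a batch of proposed flows; returns a list of (flow, permitted, reason)."""
    return [(f,) + evaluate(f, now) for f in flows]


# Constructed sample tickets and flows (not real rules, systems or approvers).
NOW = datetime(2026, 5, 8, 10, 0, tzinfo=timezone.utc)
VENDOR_WINDOW = Ticket("vendor_access", NOW - timedelta(minutes=30), NOW + timedelta(hours=2), "ot.manager")
LONG_WINDOW = Ticket("vendor_access", NOW, NOW + timedelta(hours=8), "ot.manager")
BREAK_GLASS = Ticket("break_glass", NOW - timedelta(minutes=5), NOW + timedelta(hours=1), "security.controller")
SAMPLE_FLOWS = [
    Flow("OT", "CLOUD"),                                                   # push out of OT: permit
    Flow("OT", "CLOUD", initiator="dst"),                                  # pull from OT: deny
    Flow("CLOUD", "OT"),                                                   # inbound, no ticket: deny
    Flow("OFFICIAL_SENSITIVE", "OT", ticket=BREAK_GLASS),                  # break-glass: permit
    Flow("VENDOR", "OT", mfa="otp", ticket=VENDOR_WINDOW),                 # weak MFA: deny
    Flow("VENDOR", "OT", mfa="phishing_resistant", ticket=VENDOR_WINDOW),  # permit
    Flow("VENDOR", "OT", mfa="phishing_resistant", ticket=LONG_WINDOW),    # window too long: deny
    Flow("OFFICIAL_SENSITIVE", "SECRET", via_cds=True),                    # permit via CDS
    Flow("SECRET", "CLOUD", via_cds=True),                                 # no such path: deny
]

if __name__ == "__main__":
    for f, ok, why in audit(SAMPLE_FLOWS, NOW):
        print("%-6s %s -> %s: %s" % ("PERMIT" if ok else "DENY", f.src, f.dst, why))
```

Run as a script it prints a verdict and reason for each constructed flow. The value of the encoding is that each principle is a single, named rule that an accreditor, an OT engineer and a firewall administrator can read against the same policy text, and that proposed changes (a new cloud integration, a vendor asking for standing access) can be tested against it before any rule set is touched.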

Sector-specific ERP and engineering-systems fit

UK defence manufacturers tend to be engineer-to-order, mixed-mode and configuration-controlled, with long programme lifecycles and serialised parts. The right ERP and engineering systems mix typically includes:

  • ERP: SAP S/4HANA, IFS Cloud, Microsoft Dynamics 365 SCM or Epicor Kinetic depending on size and project-manufacturing complexity.
  • PLM: 3DEXPERIENCE, Teamcenter or Aras Innovator for multi-level configuration control and engineering change.
  • MES and traceability: Siemens Opcenter, Aegis FactoryLogix, iBASEt Solumina or specialist defence MES, integrated with serialised inspection and acceptance records.
  • Document and records management: SharePoint or specialist platforms hardened for OFFICIAL-SENSITIVE work, with proper retention and disposal.
  • Identity, access and DLP: Entra ID, Privileged Access Management and DLP tooling configured to support nationality-based access where ITAR demands it.

Sector-specific fit and security accreditation matter more than vendor brand. Buying enterprise-class IT and bolting “security” on at the end is the most reliable way to fail a MOD or List X audit.

How to build a UK defence IT strategy without losing two years

A pragmatic 12-month plan for the programme:

  1. Inventory current contracts and confirm DEF STAN 05-138 risk profile per contract.
  2. Assess current state against Cyber Essentials Plus, ISO 27001, JOSCAR, ITAR, List X and AS9100D requirements.
  3. Document the existing IT and OT estate, including networks, identity, ERP, PLM, MES, document management and SOC arrangements.
  4. Build the future-state architecture for commercial, OFFICIAL-SENSITIVE and (where relevant) SECRET environments, with clear data flow controls.
  5. Prioritise certifications and accreditations against contract pipeline, not abstract risk.
  6. Sequence remediation in 90-day blocks, with named owners and quarterly board updates.
  7. Run an integrated tabletop exercise covering cyber, OT, classified handling and incident reporting to the MOD WARP.
  8. Embed the strategy into procurement, engineering and operations governance, not just into IT.

An independent fractional IT director or virtual CISO can run this end-to-end alongside operations, quality and security, and brief the board against the DEF STAN 05-138 framework rather than vendor product roadmaps. Vendor independence is essential: the plan must not be authored by an MSP or product vendor with a commercial interest in your ITAR or List X spend.

Frequently Asked Questions

What does an IT strategy for a UK defence manufacturer have to cover?

It must cover ERP and MRP, secure data handling for OFFICIAL and SECRET information, MOD DEF STAN 05-138 cyber controls, Cyber Essentials Plus, JOSCAR registration, ITAR controls where US-origin technical data is involved, List X facility security where SECRET or above is held on site, OT cybersecurity for production lines, configuration management to AS9100D and IATF 16949 where applicable, and EDI and B2B integration with prime contractors and the MOD. It is broader than a generic manufacturing IT strategy because of the layered security and data sovereignty obligations.

What is DEF STAN 05-138 and which UK defence suppliers does it apply to?

DEF STAN 05-138 Issue 4 is the Ministry of Defence cybersecurity standard for defence suppliers, in force since May 2024 and most recently updated in December 2025. It applies to all MOD procurements, MOD suppliers and their subcontract suppliers, and sets out a Cyber Security Model with four risk profiles (Level 0 Basic, Level 1 Foundational, Level 2 Advanced, Level 3 Expert). Each contract is risk-assessed and assigned a profile, and suppliers must meet the corresponding controls across four objectives: managing security risk, protecting against attack, detecting events and minimising impact.

What is List X and when does a UK defence manufacturer need it?

List X is a Ministry of Defence facility security clearance that allows a UK contractor to securely store, process and manufacture material classified SECRET or above on its own premises rather than at a government site. It is needed when a contract is at SECRET or higher and either the work or the protectively marked information has to be held at the contractor’s own facility. List X is sponsored by a contracting authority such as the MOD or a prime contractor; it is not available on request and is not a pre-requisite for bidding for most MOD contracts.

What other cyber and quality standards apply to UK defence manufacturers?

In addition to DEF STAN 05-138 and List X, UK defence manufacturers typically have to evidence Cyber Essentials Plus, JOSCAR pre-qualification (the joint supply chain accreditation register used by ADS member primes), ITAR and US Export Administration Regulations where US-origin technical data is involved, ISO 27001 information security management, and quality standards such as AS9100D for aerospace and IATF 16949 for armoured-vehicle and military-automotive supply. The 2026 NCSC Secure Connectivity Principles for OT also apply directly to defence production environments.

Take the Next Step

If you are a UK defence manufacturer wrestling with DEF STAN 05-138, List X, JOSCAR or ITAR compliance, Bailey & Associates can build the IT strategy roadmap with you. We work exclusively with UK manufacturers, on a fixed monthly retainer from £2,000 per month with no tie-in and cancel-anytime terms. We bring fifteen-plus years of UK manufacturing IT experience, including aerospace and defence supply, and our advice is vendor-neutral and board-ready. Learn more about our manufacturing IT services or book a free discovery call today.
