MOD JSP-440

The UK Ministry of Defence security policy framework covering protective security across personnel, physical, and cyber.

Regulator

UK Ministry of Defence

Jurisdiction

United Kingdom — MOD and defence supply chain

Status

Active.

In force since

Active

Regulator's source

Who it applies to

MOD entities and the defence supply chain.

Audit / certification status

Continuous evidence pipeline available; audit support included for all customers.

What it requires

What JSP-440 actually requires.

These are the obligations a regulated entity owes — the things an assessor or supervisor will ask about.

Government Security Classifications adherence.

Defence Cyber Protection Partnership (DCPP) maturity assessment.

Cyber Essentials Plus as a minimum for many MOD contracts.

How Safeguard maps to it

Pre-mapped controls. Continuous evidence.

Each requirement above is bound to live telemetry — not screenshots. The mapping below is what your auditor or regulator sees.

DCPP maturity self-assessment with evidence binding.

Cyber Essentials Plus continuous evidence pipeline.

Evidence we produce

Artifacts your auditor accepts.

Each evidence artifact is signed and timestamped. Auditors can verify integrity without trusting Safeguard.

DCPP maturity pack.

Cyber Essentials Plus evidence.

Related frameworks

One evidence base. Many regulators.

These frameworks share substantial control overlap with JSP-440. Customers running one assessment typically satisfy the others with the same evidence base.

CMMC Level 2 / Level 3

North America

Cyber maturity certification for any contractor handling CUI in the US Defense Industrial Base.

Open

NCSC Cyber Assessment Framework (CAF)

United Kingdom

The UK NCSC's national cyber baseline for operators of essential services and the public sector.

Open

Ready for JSP-440?

Bring the framework. We'll walk the controls with you — section by section, evidence packet by evidence packet, with the regulators you actually have to answer to.

Back to the framework map