MOD: The project/programme/capability has documented how it supports the wider Defence purpose.

MOD: The mission and objectives of the project/programme/capability are defined, are unambiguous and have been formally approved.

MOD: The project/programme/capability key user requirements (KUR) have been agreed by the sponsor.

MOD: The unacceptable losses, which could cause the capability to impact the associated mission objectives, have been defined and agreed.

MOD: The project/programme/capability is aware of any dependencies (both ways) placed upon it, and these have been recorded and are regularly assessed/updated.

MOD: Project/Programme/Capability cyber risks are formally recorded and the Senior Responsible Owner (SRO)/Capability Owner has ensured appropriate ownership of the risks associated with their project/programme/capability.

MOD: The project/programme/capability has documented cyber security responsibilities in accordance with JSP 440 Leaflet 5C.

MOD: The list of stakeholders is comprehensive and includes commercial, In-Service ownership, political and regulatory stakeholders (e.g., HSE and ICO) and their influence/interest on cyber security is defined.

MOD: The project/programme/capability is actively engaging stakeholders, including the Senior Responsible Owner (SRO), to discuss cyber security needs and issues, including cost, capability and delivery timescales.

MOD: The cyber security responsibilities, identified in JSP 440 Leaflet 5C, have been budgeted for, through-life, within the team structure.