Security Aspects Letters (SAL): a practical guide for Defence, Government and CNI suppliers

News and information from the Advent IM team.

Security Aspects Letters can look dry until you realise they govern classified work, site access, vetting, and the rules of engagement for handling OFFICIAL-SENSITIVE, SECRET and above. Get the SAL wrong and you risk delays, mis-scoped controls, or rework mid-contract. Get it right and you create a clear, auditable bridge between policy and practice.

What a SAL does

A SAL sets out the sensitive elements of a specific contract and the security conditions to protect them. In plain terms: it tells you what needs protecting, why, and the minimum measures required, often by pointing to standard MOD contract clauses and associated security conditions. Buyers across Defence and government use SALs to mark which requirements attract extra controls.

Where SALs sit in the policy stack

JSP 440 underpins protective security in Defence. Rather than giving suppliers the entire manual, the contracting authority distils what you need via the SAL and linked security conditions. Treat the SAL as the operational extract you actually deliver against. Defence digital and Secure-by-Design principles still apply, and programmes should appoint appropriate security leads to interpret the SAL in context with other JSPs and assurance processes.

Who needs to care (and why)

  • MOD and Defence primes and their supply chains: SALs define the exact controls you must implement and evidence. They can also specify nationality restrictions and clearances for staff on classified projects.
  • Policing and wider public sector suppliers: SALs or SAL-style letters appear for OFFICIAL-SENSITIVE work, especially where law-enforcement or critical services are involved.
  • CNI operators and integrators: When Defence or law-enforcement interfaces touch critical systems, the SAL prevents control drift by pinning precise requirements to deliverables and environments.

What good looks like in a SAL

A well-crafted SAL should:

  • Name the specific sensitive elements,
  • Map each element to classification and handling caveats,
  • Reference the exact contractual security conditions and any DEFCONs,
  • Define personnel, physical and information security requirements proportionate to the elements,
  • Clarify incident reporting, assurance artefacts and audit access,
  • State any export controls or MOD Form 680 implications.

Common pitfalls that trip suppliers

  • Vague or inherited SALs: Copy-paste from a previous project creates mismatches between controls and the real risk landscape.
  • Element creep: New data flows appear mid-delivery without an updated SAL; assurance teams catch it late and gates close.
  • People assumptions: Roles are named but clearances, need-to-know and subcontractor boundaries aren’t pinned down.
  • Evidence gaps: Teams implement controls but can’t produce repeatable evidence against the SAL during audits.

GRC implications: turning a letter into lived control

  • Governance: Assign ownership for each element and link it to risk registers, assurance plans and supplier onboarding.
  • Risk: Use the SAL to drive threat-led scoping; classifications and caveats reflect risk appetite and attack surface.
  • Compliance: Map SAL clauses to internal policies and ensure subcontractors cascade the same obligations.
  • Assurance: Build an evidence pack from day one—configuration snapshots, vetting logs, visitor controls, incident drills—so audits are routine rather than chaotic.

In Defence and CNI, this discipline is the difference between passing a gate review and watching your delivery plan drift.

What you cover in SAL training

  • How SALs are constructed, interpreted and updated through change control.
  • How to translate elements into personnel, physical, information and cyber controls.
  • How to evidence compliance proportionately and prepare for assurance.
  • How to handle suppliers, exports and cross-border collaboration within SAL boundaries.
  • How SALs interact with Secure-by-Design, List X expectations, vetting and DEFCON-driven conditions.

Why this matters now

Contracting authorities increasingly rely on SALs to make security requirements explicit without drowning suppliers in policy. If you’re bidding or delivering in Defence or adjacent public-safety domains, SAL fluency reduces bid risk, accelerates mobilisation and hardens supply-chain posture.

A SAL isn’t a bureaucratic speed bump; it’s the contract’s security blueprint. Put it on equal footing with technical architecture and commercial terms and you’ll save time, avoid grief and walk into assurance boards with confidence.

Written by Ellie Hurst, Commercial Director.
