DOT, the procurement agency of the MoD, is reinforcing cybersecurity across the AFU supply system

The State Operator for Non-Lethal Acquisition (DOT), the procurement agency of the Ministry of Defence, has initiated the certification process for the DOT-Chain IT system for the food supply of the Armed Forces of Ukraine, and for the system’s modules, to ensure compliance with the NIST RMF standard.
NIST RMF is a U.S. cybersecurity framework developed by the National Institute of Standards and Technology (NIST). It aims to strengthen cybersecurity in key public sectors, including strategic enterprises, government institutions, and organizations.
The NIST standard not only enables effective countermeasures against cyberattacks but also facilitates rapid adaptation to new threats. According to the requirements of the State Service of Special Communications and Information Protection (SSSCIP), implementation of this standard will become mandatory for state information and communication systems (ICS). Currently, only two state ICSs in Ukraine hold certification under this standard: the Delta integration platform and the Cybersecurity Operations Center (CSOC), which handles vulnerability detection and response to cyber incidents and attacks.
“In modern warfare, safeguarding digital infrastructure is just as crucial as protecting physical warehouses or supply routes. In 2025, the DOT has allocated over UAH 44.8 billion for procuring food for the Armed Forces of Ukraine, and the implementation of the NIST RMF enhances the system’s resilience against enemy interference,” said Glib Kanievskyi, Director of the Procurement Policy Department at the Ministry of Defence of Ukraine.
Additionally, the DOT reinforces information security policy requirements for food suppliers engaged with the DOT-Chain IT system.
This will not only enhance overall data protection across the entire supply process but also improve suppliers’ resilience to all types of cyberattacks, including commercially motivated ones.
The new requirements will be mandatory and will be incorporated into contract terms, including the following:
- Use of licensed software shall be mandatory;
- Use of software of russian origin, including 1C, is strictly prohibited;
- Software must be updated regularly;
- A documented cybersecurity policy clearly defining responsible persons, their roles, and procedures for information protection, to be submitted to DOT;
- Transmission of supply-related information via designated messaging services is forbidden;
- Expanded collaboration in the event of cyberattacks: companies are required to promptly inform SSSCIP and CERT-UA, and notify the DOT within 12 hours upon detection of a virus or attack;
- Clearly articulated access policies specifying designated responsible parties and their authorized access levels to various information classes;
- Conducting penetration testing (pentesting) internally or with external specialists to identify vulnerabilities in security systems;
- Established procedures for creating and restoring data backups;
- Mandatory ISO 27001 certification by the end of 2026.
“Given the DOT’s key role in the non-lethal supply to the Armed Forces of Ukraine, data protection has always been one of our top priorities. Cyber threats are constantly evolving, with new challenges emerging every day. While the adoption of international standards aids in countering cyber threats, it does not guarantee complete risk elimination. Therefore, we are enhancing security by improving incident response processes and Disaster Recovery to protect all sensitive information in case of a potential enemy attack,” said Aliona Zhuzha, IT Advisor at DOT.
The complete list of new requirements is available on the DOT website at: Information Security Policy for Interaction with Suppliers Engaged with the DOT-Chain.