DigitalXRAID

Defence Cyber Certification (DCC): Steps to DCC Compliance

The Ministry of Defence (MoD) is raising expectations around suppliers’ cyber maturity, as the UK defence sector continues to face targeted attacks from nation states, advanced persistent threat (APT) groups and financially motivated cybercriminals.

Defence organisations are under increasing pressure to demonstrate that both they and their supply chain providers can manage cyber security risks in line with today’s threat landscape.

As a result, Defence Cyber Certification has been introduced to create a consistent and auditable level of cyber protection across the MoD supplier ecosystem. With the Cyber Security Model version 4, live as of December 2025, and individual contracts already mandating certification, the time to act is now, not when it appears in your next tender.

Defence Cyber Certification provides formal confidence that an organisation has implemented the organisational, technical and operational controls required to protect systems, networks, data and services that support UK defence capability. It also delivers a transparent and measurable approach to cyber assurance across suppliers of all sizes, from prime contractors to specialist SMEs.

In this article, we explain what Defence Cyber Certification is, why it matters, how each level works, how it compares to frameworks such as Cyber Essentials and ISO 27001, and the practical steps you can take now to prepare for and achieve DCC compliance.

Key Takeaways

  • Defence Cyber Certification is the scheme used to evidence cyber security maturity across the UK defence supply chain
  • The scheme aligns to the Cyber Security Model (CSM) version 4 and Defence Standard 05-138 — CSM v4 went live in December 2025
  • All four certification levels (0 to 3) are now live and open for assessment
  • Cyber Essentials is required at Levels 0 and 1 and Cyber Essentials Plus is required at Levels 2 and 3
  • Individual MoD contracts are already mandating DCC certification ahead of any formal universal mandate
  • Existing alignment with ISO 27001, NIST CSF or CAF can reduce preparation effort
  • DCC focuses on organisation-wide evidence, not just technical controls — policy documents alone will not pass assessment
  • Certification is valid for three years with an annual check-in; renewals typically take around three months for compliant organisations
  • Gap analysis, remediation planning and evidence development are core readiness steps
  • You can apply for DCC at any level without holding a current MoD contract


Why Defence Cyber Certification Matters Right Now

The defence sector is under increased scrutiny as digital dependency grows and threat activity becomes more targeted and persistent. With CSM version 4 now live and contracts actively specifying certification requirements, the urgency for defence suppliers has materially increased.

The changing cyber risk profile in the MoD supply chain

Threat actors are continuously seeking opportunities to disrupt defence capability, steal intellectual property (IP), access classified research, or compromise operational technologies.

Attackers increasingly target defence suppliers rather than primary defence organisations because supply chain organisations often have weaker protections, despite holding sensitive data or access pathways into their customers' environments.

Defence Cyber Certification raises the baseline of protection across the supply chain and creates accountability for maintaining cyber resilience.

Why DCC will appear in more MoD contract requirements

The MoD is embedding DCC into procurement and supplier assurance processes to ensure that only trusted and capable suppliers support defence delivery.

DCC requirements are already appearing in individual contracts, ahead of a wider mandate. Prime contractors are also cascading DCC requirements to subcontractors. If you work within a prime contractor's supply chain, you should expect certification to be requested of you regardless of whether you have a direct relationship with the MoD.

What happens if you do not meet DCC requirements

Failure to achieve the required DCC level may result in an inability to bid, delays to contract award, additional scrutiny or removal from the supply chain. For organisations reliant on defence work, this can create both commercial and reputational risk. As certifications become harder to obtain quickly due to assessor backlogs, leaving preparation late carries increasing cost and risk.

What Has Changed Under Defence Cyber Certification

DCC introduces a formal certification lifecycle, replacing one-off self-assessments with a three-year certification supported by annual assurance. As of December 2025, CSM version 4 is live and this change is now in effect.

Historically, defence suppliers demonstrated cyber compliance through self-assessed mechanisms such as Supplier Assurance Questionnaires (SAQ) and Cyber Implementation Plans. While useful, these approaches varied in quality and depth and relied heavily on declared intent.

Defence Cyber Certification replaces self-assessment with independent certification. Suppliers must now provide auditable evidence that controls are implemented and operating effectively, aligned to the cyber risk associated with each contract.

For many organisations, this represents a shift from planned compliance to continuous, evidence-led assurance. Policy documents without proof of implementation will not suffice — assessors interview staff, request demonstrations, and verify operational evidence.

How Defence Cyber Certification fits together

Defence Cyber Certification forms part of a wider MoD cyber assurance structure that links contract risk to required security controls and independent verification.

  • Cyber Security Model (CSM): The MoD framework used to assess the cyber risk associated with each contract, considering data sensitivity, system access and potential operational impact
  • Cyber Risk Profile (CRP): The outcome of the CSM assessment — the risk rating assigned to a specific contract that determines the depth of assurance required
  • Defence Standard 05-138 (Def Stan 05-138): Sets out the organisational and technical controls required for each Cyber Risk Profile
  • Defence Cyber Certification (DCC): The certification mechanism that independently verifies those controls are in place and operating effectively

In simple terms: the CSM assesses risk, the CRP defines the level, Def Stan 05-138 specifies the controls, and DCC confirms they are actually being applied. Note: Def Stan 05-138 Issue 4 no longer addresses data classification. Its focus is now on whole-organisation security and resilience.

Jargon Buster: Common Defence Cyber Certification Terms

Defence cyber assurance introduces terminology that can be confusing, particularly for suppliers new to MoD contracts. This quick reference explains the most commonly used terms in plain language.

  • Cyber Security Model (CSM): The MoD framework used to assess the cyber risk associated with a specific contract
  • Cyber Risk Profile (CRP): The risk rating assigned to a contract based on the Cyber Security Model. It determines the depth of cyber assurance required
  • Defence Standard 05-138 (Def Stan 05-138): The MoD standard that defines the security controls suppliers must implement for each Cyber Risk Profile
  • Defence Cyber Certification (DCC): The certification scheme that independently verifies that Def Stan 05-138 controls are implemented and operating effectively
  • DCC Levels (0 to 3): The four levels of certification reflecting increasing depth of governance, technical controls, monitoring and resilience
  • Cyber Essentials (CE): A UK government-backed scheme providing baseline assurance of essential cyber hygiene controls. Required at Levels 0 and 1
  • Cyber Essentials Plus (CE Plus): An independently tested version of Cyber Essentials required at Levels 2 and 3
  • Annual check-in: A yearly confirmation process to maintain DCC certification, ensuring controls remain effective — this is not a full reassessment
  • Evidence-based assurance: The requirement to demonstrate that controls are operating in practice, supported by logs, records and operational outputs rather than policy statements alone
  • Theoretical phase: The first stage of DCC assessment, where suppliers submit context and evidence. No score is generated but assessors use it to identify gaps before the Practical phase
  • Practical phase: The scored stage of DCC assessment, where assessors verify that controls are operating effectively in practice
  • Security Aspects Letter (SAL): An additional MoD requirement that may apply to DCC holders on specific contracts, beyond standard certification

What is Defence Cyber Certification

Defence Cyber Certification is the formal assurance scheme used by the MoD to verify that suppliers have the necessary controls in place to protect defence information, systems and services.

Certification validity and ongoing assurance

Once achieved, Defence Cyber Certification is valid for three years, provided ongoing assurance requirements are met.

During the certification period, organisations must complete an annual check-in with IASME to confirm that required controls remain in place and effective. This is not a full reassessment but ensures the business is maintaining the standard. You must also maintain valid Cyber Essentials or Cyber Essentials Plus certification, depending on your DCC level.

Certification is not a one-off exercise. You’re expected to retain and update evidence throughout the contract lifecycle and be able to demonstrate continued compliance if requested. At the end of the three-year period, full re-certification is required to maintain DCC status. For organisations that have maintained compliance throughout, renewals typically take around three months.

This aligns Defence Cyber Certification with a continuous assurance model rather than point-in-time compliance.

DCC certification requirements: who needs to comply and when

Any organisation handling, storing, processing or transmitting defence data, or providing systems or services that interact with defence environments, may be required to comply.

The required level is defined in contract documentation based on assessed cyber risk. Prime contractors should expect DCC obligations to flow down into their supplier and subcontractor networks. You can apply for certification at any level even without a current MoD contract, which can strengthen your position when bidding.

The role of IASME and the Ministry of Defence

Defence Cyber Certification has been developed in partnership with IASME. IASME manages certification delivery, assessment and the network of Certification Bodies, while the MoD defines assurance requirements and contractual application.

Alignment with the Cyber Security Model v4 and Def Stan 05-138

The Cyber Security Model version 4 (live December 2025) defines required security outcomes. Defence Standard 05-138 specifies the controls aligned to each level. DCC provides the certification mechanism that verifies those controls in practice.

Understanding DCC Levels (0 to 3)

DCC includes four levels of certification. The required level depends on contract sensitivity, system exposure and cyber risk. All four levels are now live and open for assessment.

Summary of levels, controls and question counts

The following table shows the controls and assessment questions at each level, giving a clear indication of the depth of assessment involved.

  • Level 0: 3 controls, 6 questions. Cyber Essentials required. Typically for the lowest risk environments.
  • Level 1: 101 controls, 236 questions. Cyber Essentials required. Comprehensive cyber security programme across the organisation.
  • Level 2: 139 controls, 328 questions. Cyber Essentials Plus required. Advanced governance, monitoring and supply chain assurance.
  • Level 3: 144 controls, 337 questions. Cyber Essentials Plus required. Expert-level security with advanced detection, resilience and defensive maturity.

How Cyber Risk Profiles map to DCC levels

Each MoD contract is assigned a Cyber Risk Profile, which determines the Defence Cyber Certification level required from suppliers. The final determination is always set by the contracting authority and documented in contract requirements.

  • Low CRP (limited access, low-sensitivity data, minimal operational impact): DCC Level 0 or Level 1
  • Moderate CRP (access to sensitive data or systems, potential business or operational impact): DCC Level 1 or Level 2
  • High CRP (access to mission-critical systems, sensitive defence information or high operational impact): DCC Level 2 or Level 3

Cyber Essentials and Cyber Essentials Plus prerequisites

Cyber Essentials certification is required for Level 0 and Level 1, while Cyber Essentials Plus is required for Level 2 and Level 3. The certificate must be valid and current, and its scope must align with your DCC scope, which in turn must remain consistent across all DCC levels.

How Cyber Risk Profiles influence DCC level selection

Each MoD contract is assigned a Cyber Risk Profile reflecting data sensitivity, system access and potential impact. Organisations supporting similar programmes may require different levels depending on their specific role and access. A single DCC certificate covers all MoD contracts at or below your certified level, eliminating the need for repeated contract-by-contract assessments.

The DCC Assessment Process

Understanding how assessment actually works will help you prepare more effectively and avoid common failures.

Two-phase assessment: Theoretical and Practical

DCC assessment consists of two phases.

The Theoretical phase does not contribute to your final score. It gives you the opportunity to provide context about how your organisation operates and submit evidence to demonstrate how you meet each control. The assessor uses this phase to identify any areas needing clarification and may grant a Clarification Round, allowing you to update responses or address gaps before the Practical phase begins.

The Practical phase is the scored stage. Assessors verify that controls are operating effectively through interviews, demonstrations and review of operational evidence. This is where organisations that have strong policies but lack operational proof will face difficulty.

What assessors look for

DCC assessment is evidence-driven. It is not sufficient to have policies in place. You must be able to demonstrate that those controls are operating in practice. Typical evidence includes operational logs, access records, vulnerability management outputs, incident records, training evidence, supplier assurance documentation and procedure execution records.

Scoping your organisation correctly

Your DCC scope should include all essential functions and services necessary for your organisation to operate securely and resiliently. Non-essential parts do not need to be included, but you must provide a clear scoping statement explaining what is included, what is excluded, how this aligns with your Cyber Essentials scope, and the rationale for your decisions. The assessor will review and challenge your scope. Importantly, the scope must remain the same across all DCC levels.

Timeline and cost expectations

For organisations starting from a low base, achieving DCC certification is typically a six to twelve month programme. This allows time to implement controls, gather evidence, embed processes and prepare for assessment. Costs are not fixed and depend on your organisation’s size, the required DCC level and the support needed from your chosen Certification Body. Failed assessments are kept confidential and are not shared with the MoD or other organisations.

Key Components of DCC Compliance

DCC requires evidence of both organisational maturity and technical control operation.

Organisational governance and security leadership

You must demonstrate clear accountability, defined roles, risk ownership, senior oversight and an active security strategy. Policies, awareness programmes and oversight structures must be active and measurable.

Technical and operational security controls

Network security, access control, multi-factor authentication (MFA), secure configuration, encryption and vulnerability management are core expectations. Controls must be consistently applied across all in-scope systems and environments.

Supply chain and third-party assurance

Supplier due diligence and contractual requirements must be applied proportionately to risk. You must assess, record and manage cyber security risks associated with your suppliers, partners and contractors, including keeping records of supplier security status.

Monitoring, resilience and incident response

You should operate logging, alerting, incident response processes and business continuity arrangements at a depth appropriate to your DCC level. Levels 2 and 3 introduce more advanced monitoring capability requirements.

Evidence and audit expectations

Evidence must demonstrate real operation of controls. Typical evidence includes logs, reports, registers, testing outputs and operational records. Policy documents without corresponding operational proof will not satisfy DCC assessment.

Active Cyber Defence and Secure by Design

The MoD expects two additional foundational approaches to be embedded across supplier organisations as part of broader cyber maturity.

Active Cyber Defence refers to the NCSC's programme of services such as Protective DNS, Mail Check, Web Check and Early Warning: defences that operate continuously rather than only in response to an incident.

Secure by Design means building security into products and services from the ground up rather than adding it later. This reduces vulnerabilities and creates more resilient systems. Both approaches signal to the MoD that cyber security is fundamental to how you operate, not an add-on.


How DCC Relates to Other Cyber Security Frameworks

Many organisations already align with recognised frameworks. DCC builds on this foundation rather than replacing it, and the MoD has published official mapping documentation to help organisations understand where overlap exists.

Why DCC is not just another standard

DCC draws on Defence Standard 05-138, which is mapped against established frameworks such as ISO 27001, NIST CSF and the NCSC Cyber Assessment Framework. It represents a defence-specific assurance model rather than a new control set. If you already operate within these frameworks, a significant portion of your evidence base can be reused.

Overview of the official MoD mapping documentation

The Ministry of Defence has published mapping documentation that aligns Def Stan 05-138 requirements with other recognised standards, to support evidence reuse and reduce duplication where controls already exist.

Framework Comparison: DCC vs Cyber Essentials vs ISO 27001 vs NIST CSF vs CAF

This comparison shows why DCC cannot be replaced by Cyber Essentials or ISO 27001 alone for defence contracts, while also illustrating where evidence reuse is possible.

Governance & Leadership
  • DCC Level 0: Limited basic coverage
  • DCC Level 1: Formal policy and accountability
  • DCC Level 2: Defined governance structure
  • DCC Level 3: Mature governance integrated with defence risk
  • Cyber Essentials: Not required beyond a basic policy minimum
  • ISO 27001: Full organisational governance and leadership requirements
  • NIST CSF: Govern function in CSF 2.0 (previously spread across Identify)
  • CAF (NCSC): Strong governance and oversight expected

Risk Management
  • DCC Level 0: Minimal risk consideration
  • DCC Level 1: Foundational risk assessment
  • DCC Level 2: Formal risk methodology and treatment
  • DCC Level 3: Continuous and proactive risk management
  • Cyber Essentials: Basic risk management only implied
  • ISO 27001: Full risk assessment, treatment and review required
  • NIST CSF: Core Identify function
  • CAF (NCSC): Formal risk identification and management

Access Control & Identity
  • DCC Level 0: Requirements met via Cyber Essentials
  • DCC Level 1: Formal access control and MFA expectation
  • DCC Level 2: Strong access control and identity management
  • DCC Level 3: Advanced identity, privileged access management and monitoring
  • Cyber Essentials: Basic user access control only
  • ISO 27001: Detailed access control requirements and evidence required
  • NIST CSF: Part of the Protect function
  • CAF (NCSC): Required and tested

Operational Security Controls
  • DCC Level 0: Limited baseline
  • DCC Level 1: Broader technical and procedural controls
  • DCC Level 2: Full operational controls applied and evidenced
  • DCC Level 3: Mature operational security lifecycle
  • Cyber Essentials: Five technical controls only
  • ISO 27001: Comprehensive operational controls across Annex A
  • NIST CSF: Protect and Detect implementation
  • CAF (NCSC): Operational controls must demonstrate effectiveness

Monitoring & Detection
  • DCC Level 0: Minimal or basic logging
  • DCC Level 1: Defined monitoring expectations
  • DCC Level 2: Multi-source monitoring and event analysis
  • DCC Level 3: Advanced detection and continuous security monitoring
  • Cyber Essentials: Not required
  • ISO 27001: Required, but depth is organisation defined
  • NIST CSF: Dedicated Detect function
  • CAF (NCSC): Monitoring and situational awareness required

Business Continuity & Resilience
  • DCC Level 0: Basic continuity awareness
  • DCC Level 1: Formal documented continuity
  • DCC Level 2: Full continuity planning, exercises and evidence
  • DCC Level 3: Advanced resilience and continual improvement
  • Cyber Essentials: Not included
  • ISO 27001: Continuity expectations via Annex A (information security during disruption, ICT readiness), often aligned with ISO 22301
  • NIST CSF: Recover function and resilience concepts
  • CAF (NCSC): Outcome-focused continuity and recovery

Supply Chain Security
  • DCC Level 0: Supplier awareness
  • DCC Level 1: Basic third-party assurance
  • DCC Level 2: Defined supplier risk management and controls
  • DCC Level 3: Comprehensive supplier assurance and oversight
  • Cyber Essentials: Not included
  • ISO 27001: Required via Annex A supplier security controls
  • NIST CSF: Required within Identify and Protect
  • CAF (NCSC): Formal assurance required for critical dependencies

Evidence Requirements
  • DCC Level 0: Minimal evidence
  • DCC Level 1: Structured, documented evidence for controls
  • DCC Level 2: Full audit-ready evidence with validation
  • DCC Level 3: Continuous and defensible evidence set
  • Cyber Essentials: Limited evidence
  • ISO 27001: Detailed evidence for every scoped control
  • NIST CSF: Evidence must show capability maturity
  • CAF (NCSC): Evidence required at outcome level

DCC vs Cyber Essentials vs ISO 27001: Quick Comparison

This section provides clarity on what each scheme provides and why DCC is distinct.

  • Purpose. DCC: defence contract assurance. Cyber Essentials: baseline cyber hygiene. ISO 27001: organisation-wide ISMS.
  • Assessment. DCC: independent certification (Theoretical and Practical phases). Cyber Essentials: self-assessment (CE) or independent technical audit (CE Plus). ISO 27001: accredited audit.
  • Risk driven. DCC: yes, based on the contract Cyber Risk Profile. Cyber Essentials: no. ISO 27001: organisation defined.
  • Governance. DCC: required at all levels. Cyber Essentials: limited. ISO 27001: core requirement.
  • Monitoring. DCC: required, advanced at Levels 2 and 3. Cyber Essentials: not required. ISO 27001: organisation defined.
  • Supply chain. DCC: mandatory assurance. Cyber Essentials: not included. ISO 27001: required.
  • Evidence depth. DCC: operational and ongoing. Cyber Essentials: minimal. ISO 27001: comprehensive.
  • MoD relevance. DCC: directly required. Cyber Essentials: entry requirement. ISO 27001: supporting framework.
  • Validity. DCC: three years with an annual check-in. Cyber Essentials: annual renewal. ISO 27001: annual surveillance audits plus three-year recertification.

Control depth

DCC has broader and deeper controls than Cyber Essentials and is more prescriptive in some areas compared with ISO 27001.

Scope of assessment

DCC assessment scope is linked to the cyber risk categories of specific defence contracts and must cover your organisation's essential functions. ISO 27001 scope is defined by the organisation. Cyber Essentials covers five technical controls: firewalls, secure configuration, user access control, malware protection and security update management.

Recognition and usage

Cyber Essentials is a UK government recognised baseline scheme. ISO 27001 is internationally recognised. DCC is specific to the UK defence supply chain.

Contract relevance

Only DCC directly aligns with MoD procurement requirements. Neither Cyber Essentials nor ISO 27001 satisfies DCC obligations on their own, though both reduce preparation effort.

If You Already Have Cyber Essentials or Cyber Essentials Plus

Cyber Essentials is mandatory for Level 0 and Level 1 certification, and Cyber Essentials Plus is mandatory for Level 2 and Level 3 certification.

Which requirements have you already met?

You will typically have controls in place regarding secure configuration, malware protection, access control, patching and boundary security.

Where the gaps still exist

Cyber Essentials doesn’t include evidence based organisational governance, supply chain security, monitoring maturity or resilience planning. You will need to build these capabilities to achieve DCC.

Why CE and CE Plus help but aren't sufficient

Cyber Essentials provides a baseline defence capability and independent assurance of key technical controls. However, it doesn’t demonstrate defence-specific maturity or organisation-level assurance, and it doesn’t satisfy the evidence requirements of the DCC Practical phase.


If You Are ISO 27001 Certified or Aligned

ISO 27001 alignment provides a strong foundation for DCC, since both require evidence led implementation of controls.

Common ISO aligned controls that map directly to DCC

Policies, risk assessment, asset management, incident management, supplier security, operational controls and access management typically map directly. Your existing ISMS documentation is a strong starting point.

Where ISO scope limitations may create gaps

If your ISO 27001 scope is limited to a department or technology area rather than organisation-wide, you may not meet DCC’s whole-organisation scope requirements.

How to re-use existing evidence and ISMS artefacts

Existing ISO documentation, internal audit reports, risk registers and control evidence can be repurposed for DCC assessment once reviewed for relevance and coverage. DCC controls map closely to ISO 27001 Annex A controls, making this a practical and efficient route.

If You Are Using NIST CSF, CAF or Similar Frameworks

NIST and CAF alignment can significantly reduce preparation effort for DCC.

Controls that align with DCC via Def Stan 05-138

Controls relating to governance, risk, identity, protection, detection and response map closely to DCC principles across all levels.

Evidence that can be reused

Metrics, logs, incident response documentation, performance measurement and control testing outputs can all be reused, subject to review for DCC-specific scope requirements.

MoD specific requirements you still need

Even with NIST CSF or CAF alignment, DCC will still require you to hold CE or CE Plus, align your scoping definitions with DCC's whole-organisation requirements, update contractual processes with your own suppliers, and present evidence tailored to MoD expectations. Frameworks like NIST CSF or CAF do not satisfy the independent certification requirement of DCC.

Preparing for DCC: Step-by-Step Readiness Plan

This plan will help you move through preparation stages in a structured and efficient way. For organisations starting from a low base, allow six to twelve months for first-time certification.

1. Determine your contract Cyber Risk Profile and required DCC level

Confirm the risk classification with your contracting authority and verify whether Level 0, 1, 2 or 3 applies. If you don’t yet have a contract, consider which level aligns with the type of work you intend to bid for.

2. Create a DCC compliance checklist

Build a checklist aligned to the relevant Def Stan 05-138 level and record your current evidence coverage against each control.

3. Perform a gap analysis using Def Stan 05-138 mapping

Identify where controls are partially met, not met or not evidenced. If you hold ISO 27001 or are aligned to NIST CSF or CAF, use the official MoD mapping documentation to identify overlap and reduce duplication.

4. Build your evidence pack and plan remediation

Allocate ownership, create missing evidence and plan technical or procedural remediation. Remember that DCC requires operational proof, not just policies.

5. Choose a DCC Certification Body and submit your Theoretical phase

Select an IASME-accredited Certification Body, sign an agreement and submit your Assessment Record Submission (Theoretical phase). Use any Clarification Round provided to address identified gaps before the Practical phase.

6. Validate controls and prepare for the Practical phase

Conduct internal readiness testing or engage a third-party readiness review. Prepare staff for interviews and control demonstrations that assessors will request. Our penetration testing and vulnerability scanning services can provide evidence of operational security controls.

7. Maintain and improve

Embed monitoring, incident learning, supplier oversight and continuous improvement. Complete your annual check-in with IASME and maintain CE or CE Plus certification throughout the three-year period.


Common Challenges and Practical Solutions

Typical barriers can slow progress if not addressed early.

Limited internal compliance expertise

Solution: Use an external readiness partner with defence sector expertise. This reduces the time and cost of interpreting controls and building an evidence pack from scratch.

Scoping and asset discovery issues

Solution: Develop and maintain a complete and current asset inventory. Scoping errors are one of the most common causes of assessment delays, so invest time in getting this right at the start.

Supplier and subcontractor control gaps

Solution: Apply proportionate supplier due diligence, contractual security clauses and assurance processes to your own suppliers and subcontractors. The MoD expects these requirements to cascade through the supply chain.

Documentation and evidence creation

Solution: Focus on operational proof rather than policy documents alone. Many organisations already follow good security practices but lack documentation — capture what you do, not just what you intend to do.

Time and cost management

Solution: Prioritise remediation based on risk and required DCC level. Investigate outsourcing the creation and management of DCC documentation and ongoing evidence to an expert provider. The cost is often more economical than redirecting internal resources away from other critical projects.

Assessor availability

Solution: Start early. As DCC becomes more widely mandated, demand for Certification Bodies is increasing. Booking an assessor well in advance avoids delays when contract deadlines are tight.

How DigitalXRAID Helps You Achieve DCC Readiness and Compliance

DigitalXRAID works with defence suppliers and regulated organisations to translate DCC requirements into practical, defensible controls. We support real-world assessments, evidence creation and technical uplift rather than theoretical compliance.

Our DCC service includes gap analysis, readiness consultancy, documentation and evidence support.

NCSC accredited and IASME assured security expertise

DigitalXRAID is an IASME assured supplier and holds NCSC accreditation for multiple services, providing defence aligned cyber assurance support.

DCC gap analysis and readiness consultancy

Our consultants assess your current maturity, identify gaps in your controls against the DCC framework and create a remediation and maturity roadmap for you to start your journey to compliance.

Begin your certification journey

DigitalXRAID can support you in your certification journey. Once we’ve conducted your gap analysis and understood your contractual requirements, we can guide you on certification levels. If you’d like to get ahead, you can start with Level 0 certification and build a roadmap to achieve further levels where necessary.

Documentation and evidence development support

We can take away the headache of creating audit-ready documentation that reflects real operational controls.

Technical uplift including testing, monitoring and SOC capability

Our services include penetration testing, vulnerability scanning, managed SOC services and 24/7 incident response, all of which contribute to the operational evidence base DCC assessors look for.

Managed improvement and continuous assurance options

DigitalXRAID works as an extension of your team. We provide consultancy and ongoing support to maintain certification and ensure continuous cyber security maturity improvement, including support through annual check-ins and recertification.

Next Steps for IT Directors and CISOs in the Defence Supply Chain

Preparing early with a Defence Cyber Certification partner gives you a competitive advantage when bidding for MoD contracts. Plan your required level, complete a readiness assessment and build an evidence-based approach that aligns to the security risk associated with your defence work.

Staying ahead of certification requirements not only protects your organisation but also positions you as a trusted and resilient supplier in a high assurance sector. With assessor slots becoming scarce and contracts already specifying DCC, the time to start is now.

Book a DCC readiness consultation

Get in touch with DigitalXRAID to start your DCC preparation and strengthen your defence contract readiness.


FAQs: Defence Cyber Certification

What is DCC certification and why does it matter for MoD suppliers?

DCC is the MoD scheme used to independently verify cyber maturity across the defence supply chain. With CSM v4 now live and individual contracts already mandating certification, it is rapidly becoming a standard requirement for bidding for and holding defence contracts.

Which DCC level do I need?

The contracting authority defines the level based on the contract Cyber Risk Profile and data sensitivity. A single DCC certificate at a given level covers all MoD contracts assessed at that level or below.

Are all DCC levels now available?

Yes. All four levels (0 to 3) are now live and open for assessment. Level 0 launched in July 2025 and Levels 1, 2 and 3 followed in August 2025.

How long does DCC certification take?

For organisations starting from a low base, allow six to twelve months for first-time certification. Renewals for compliant organisations typically take around three months.

How does DCC relate to Cyber Essentials and ISO 27001?

Cyber Essentials is a prerequisite for all DCC levels. ISO 27001 provides strong alignment with DCC controls and evidence reuse is possible, but neither replaces the requirement for independent DCC certification.

What is the two-phase assessment process?

DCC assessment consists of a Theoretical phase (evidence submission and context — not scored) and a Practical phase (independently assessed and scored). The Theoretical phase allows assessors to identify gaps before the scored stage begins. A Clarification Round may be granted between phases.

What controls are required at DCC Level 2 or Level 3?

Levels 2 and 3 require Cyber Essentials Plus as well as advanced governance, monitoring, resilience and evidence of operational effectiveness across 139 and 144 controls respectively.

What happens if a supplier does not hold DCC certification?

You may be unable to bid for or deliver defence contracts. As adoption increases, prime contractors are also requesting certification from subcontractors ahead of formal mandates.

Can I apply for DCC without a current MoD contract?

Yes. You can apply at any level without holding a current MoD contract. Proactive certification demonstrates preparedness and strengthens your position when bidding.

What evidence is required for DCC certification?

Logs, access records, vulnerability data, incident records, training evidence, supplier assurance documentation and proof of procedure execution. Policy documents alone are not sufficient.

How often must DCC certification be maintained?

DCC certification is valid for three years, subject to an annual check-in with IASME. Organisations must maintain valid Cyber Essentials or Cyber Essentials Plus certification and retain evidence showing controls remain effective. Full re-certification is required at the end of the three-year period.

How will DCC impact MoD procurement and supply chain selection?

DCC is becoming a core requirement for supplier selection and contract award. With CSM v4 live and contracts already mandating certification, organisations that delay risk being unable to bid as adoption accelerates.

What are Active Cyber Defence and Secure by Design?

These are two foundational approaches the MoD expects to see embedded in supplier organisations. Active Cyber Defence uses NCSC protective tools and early warning systems. Secure by Design means building security into products and services from the outset rather than retrofitting it.

This article was updated in April 2026 to reflect the launch of CSM version 4 (December 2025), the availability of all DCC levels, and the latest IASME scheme guidance.
