The Defence Cyber Certification (DCC) is a newly introduced cybersecurity certification framework developed by the UK Ministry of Defence (MOD) in collaboration with IASME. It is designed to enhance the cyber resilience of the UK’s defence supply chain by providing a structured, organisation-wide assurance of cybersecurity practices.
Purpose and Structure
The DCC framework aims to standardise and elevate cybersecurity measures among defence suppliers. It builds upon existing standards, particularly Defence Standard 05-138, by introducing a formal certification process that assesses compliance through independent evaluation rather than self-assessment. This approach ensures that suppliers not only implement the necessary controls but also maintain them effectively over time.
Certification Levels
The DCC offers four levels of certification, each corresponding to a set of cybersecurity controls:
- Level Zero: 3 controls
- Level One: 101 controls
- Level Two: 139 controls
- Level Three: 144 controls
DCC Certification Levels and Controls
Level Zero – 3 Controls
- Risk Profile: Very low cyber risk.
- Purpose: Serves as the foundational level, requiring suppliers to demonstrate basic cybersecurity practices.
- Applicability: Typically assigned when the assessed cyber risk is minimal.
Level One – 101 Controls
- Risk Profile: Low to moderate cyber risk.
- Requirements: Suppliers must implement a comprehensive cybersecurity program with good practices.
- Applicability: Assigned when there is a low to moderate level of assessed cyber risk to a supplier delivering an output.
Level Two – 139 Controls
- Risk Profile: High cyber risk.
- Requirements: Suppliers are expected to demonstrate advanced cybersecurity oversight and planning, driving robust organisational and cyber practices.
- Applicability: Assigned when there is a high level of assessed cyber risk to a supplier delivering a contracted output.
Level Three – 144 Controls
- Risk Profile: Substantial cyber risk.
- Requirements: Suppliers must exhibit expert cybersecurity capabilities, fully embracing a ‘defence in depth’ approach to protect against evolving threats.
- Applicability: Assigned when there is a substantial level of assessed cyber risk from a supplier delivering a contracted output.
All levels require Cyber Essentials certification, with Levels Two and Three necessitating Cyber Essentials Plus. The certification process involves a point-in-time assessment against UK Defence standards, with annual check-ins and re-certification every three years.
Integration with MOD Procurement
The DCC is integrated into the MOD’s Cyber Security Model (CSM) version 4, serving as a key component in assessing and managing cyber risks within defence contracts. Suppliers are expected to demonstrate compliance with DCC requirements as part of the procurement process, aligning with the MOD’s broader cyber resilience strategy.
Getting Certified
Organisations interested in obtaining DCC certification can register their interest through IASME, the official delivery partner for the scheme. IASME provides guidance and connects applicants with certified bodies that conduct the necessary assessments.
For more detailed information and to begin the certification process, you can visit the IASME Defence Cyber Certification page.