- The DCC is a new, formal cyber security certification scheme for suppliers in the UK defence sector, developed by the Ministry of Defence (MOD) in partnership with IASME.
- Its purpose is to replace or supplement the prior “self-assessment / questionnaire” approach (e.g. the Supplier Assurance Questionnaire) with a single, organisation-level, evidence-based certification that demonstrates that the required cyber controls are in place and working.
- Once certified, the assurance is valid for three years, subject to annual check-ins (attestations) to confirm continued compliance.
- The certification is aligned with Def Stan 05-138 (Issue 4), the MOD standard for cyber security of defence suppliers, and with the MOD’s Cyber Security Model (CSM) / Cyber Risk Profiling (CRP) framework.
- The DCC scheme is part of the transition to CSM version 4 (CSMv4), which shifts focus from simply protecting “MOD Identifiable Information” toward organisational security / resilience of suppliers more broadly.
- The MOD will assign each contract a Cyber Risk Profile (CRP), which in turn dictates the minimum DCC level that a supplier must hold (or bid at).
So, DCC is not just a one-off audit per contract; it’s a forward-looking assurance mechanism to streamline supplier cyber assurance across multiple contracts, reduce duplication, and raise baseline cyber maturity in the defence supply chain.
The Four Levels of DCC
There are four levels (0 to 3) under DCC. Each successive level requires more controls, greater maturity, more oversight, and greater defence in depth.
Here is a breakdown:
| DCC Level | Number of Controls | Cyber Essentials Requirement | Typical Risk / Use Case | Description / Expectations |
|---|---|---|---|---|
| Level 0 | 3 controls | Cyber Essentials | Very low risk | Basic “cyber hygiene” controls. This is the minimum assurance level, intended for suppliers whose work poses little risk to MOD. |
| Level 1 | 101 controls | Cyber Essentials | Low to moderate risk | Requires a fuller, more structured cybersecurity programme across the organisation. |
| Level 2 | 139 controls | Cyber Essentials Plus | High risk | More advanced security controls, deeper technical assurance, and oversight of third parties/sub-contractors. |
| Level 3 | 144 controls | Cyber Essentials Plus | Substantial risk | The top level of maturity. Expect “defence in depth,” advanced monitoring, proactive detection, resilience, threat hunting, etc. |
Some additional points around the levels:
- All levels require maintaining Cyber Essentials (for Levels 0 & 1) or Cyber Essentials Plus (for Levels 2 & 3) as a foundation.
- You do not necessarily have to progress sequentially (i.e. you can aim for Level 2 directly if that’s what your contract demands).
- The MOD designates which CRP / DCC level is required for each contract; the supplier must ensure their certification meets or exceeds that level.
- Once certified, organisations must do annual “check-ins” (attestations) and maintain the baseline controls and Cyber Essentials status.
- The DCC doesn’t replace the need for other contract-specific security obligations (e.g. handling classified information will also require compliance with relevant DEFCONs, secure enclave requirements, etc.).
Key Control Domains / Examples (What “Controls” Mean in DCC)
The DCC doesn’t invent entirely new controls; it builds on the controls defined in Def Stan 05-138 (Issue 4) and maps them to commonly used frameworks.
Def Stan 05-138 organises its controls broadly around four objectives (A through D):
- A. Managing Security Risk
- B. Protecting Against Cyber Attack
- C. Detecting Cyber Security Events
- D. Minimising Impact (Incident Response & Recovery)
Here are example types/domains of controls you’d expect (not exhaustive, but illustrative):
| Control Domain | Examples / Typical Measures |
|---|---|
| Governance & Risk Management | Policies, risk registers, governance structures, internal audit, third-party risk management, security roles |
| Identity & Access Management | Strong authentication (MFA), least privilege, identity lifecycle, privileged access control |
| Configuration & Hardening | Secure baseline configurations, patching, change management |
| Network Security | Firewalls, network segmentation, boundary protection, secure remote access |
| Endpoint / Host Protection | Anti-malware, EDR (endpoint detection & response), host hardening |
| Logging & Monitoring | Centralised logging, SIEM, anomaly detection, event log analysis |
| Incident Response & Recovery | Incident management plans, playbooks, backup & restore, continuity, forensics readiness |
| Threat Intelligence & Hunting | Proactive detection, threat feed ingestion, threat hunts, red teaming / pen testing |
| Encryption & Data Protection | Data at rest/in transit encryption, key management, data loss prevention |
| Supplier / Subcontractor Oversight | Flow down contracts, verifying supplier controls, integration with third-party compliance |
| Audit, Testing & Assurance | Penetration testing, vulnerability scanning, audits, control self-assessments |
| Resilience & Redundancy | Business continuity, disaster recovery, failover, resilience planning |
Because the higher levels (Level 2, Level 3) demand greater maturity, you’ll see additional expectations like continuous monitoring, real-time telemetry, proactive threat hunting, adversary simulation, and evidence of control effectiveness.
You can refer to the official mapping document between Def Stan 05-138 Issue 4 and other standards (e.g. CAF, ISO, NIST) to see exactly which controls map where.
References
- IASME Consortium — Defence Cyber Certification (DCC) https://iasme.co.uk/defence-cyber-certification/
- IASME Consortium — Defence Cyber Certification: Frequently Asked Questions https://iasme.co.uk/defence-cyber-certification/frequently-asked-questions/
- NCC Group — Understanding the Defence Cyber Certification (DCC) Scheme: What Suppliers Need to Know https://www.nccgroup.com/understanding-the-defence-cyber-certification-dcc-scheme-what-suppliers-need-to-know/
- UK Government — Cyber Security Model (CSM) https://www.gov.uk/guidance/cyber-security-model
- UK Government — Mapping Document: Cyber Security for Defence Suppliers (Def Stan 05-138 Issue 4) https://www.gov.uk/government/publications/mapping-document-cyber-security-for-defence-suppliers-def-stan-05-138-issue-4
- Bridewell Consulting — Defence Cyber Certification (DCC) Explained: A Practical Guide for Defence Suppliers https://www.bridewell.com/insights/blogs/detail/defence-cyber-certification-%28dcc%29-explained–a-practical-guide-for-defence-suppliers
- Arcanum Cyber Security — Defence Cyber Certification (DCC) https://arcanum-cyber.com/defence-cyber-certification-dcc/
- C3IA Solutions — Preparing for Defence Cyber Certification (DCC) https://c3ia.co.uk/preparing-for-defence-cyber-certification/
- Pera Prometheus — Defence Cyber Certification (DCC) https://pera-prometheus.com/defence-cyber-certification-dcc/
- e2e-assure — Cyber Fundamentals: Def Stan 05-138 Compliance https://e2e-assure.com/cyber-fundamentals/def-stan-compliance
