Compliance · Defence CISO Mandates DCC Level 0 for All MOD Suppliers by 31 December 2026
On the Defence Cyber Certification scheme's first birthday, the UK Defence CISO Eleanor Fairford has asked all MOD suppliers to achieve DCC Level 0 certification by 31 December 2026. This guide explains what the mandate covers, where it sits in the wider government supply chain Cyber Essentials programme, and the practical timeline suppliers now need to work to.
21 Apr 2026 · 9 min read
Thought Leadership · Defence Cyber Certification: What the MOD's Move From Self-Assessment to Independent Assurance Signals About the Future of Regulated Supply Chain Security
The MOD's move from the self-assessed Supplier Assurance Questionnaire to independently-certified Defence Cyber Certification is the most significant shift in UK supply chain cybersecurity assurance in a decade. The sectors watching closely include critical national infrastructure, financial services, and the NHS - because the direction of travel for all of them is the same.
20 Apr 2026 · 11 min read
Technical Guides · DCC Assessor Questions to Expect: The Interview Questions Suppliers Are Asked
At L1 and above DCC assessments include interviews with named roles. This guide walks through the specific questions assessors typically ask the incident response lead, the IT/technical lead, and the senior governance attester - and what good answers look like.
18 Apr 2026 · 10 min read
Technical Guides · Preparing for DCC Level 1 Assessment: A Practical Six-Phase Guide
DCC Level 1 is substantially more involved than Level 0 and is where most suppliers underestimate the effort. This guide walks through a practical six-phase preparation approach covering scoping, governance, technical controls, platform gap analysis, mock assessment, and submission.
16 Apr 2026 · 12 min read
Technical Guides · DCC Annual Attestation: What It Is, What It Covers, and How to Prepare
DCC certificates are valid for three years with an annual attestation each year. This guide explains what the annual attestation covers, how it differs from the full three-yearly assessment, the evidence to prepare, and what typically triggers findings between cycles.
14 Apr 2026 · 8 min read
Industry · DCC for MOD Primes vs Tier-2 and Tier-3 Subcontractors: Who Needs What
The CRP and required DCC level is specified on each contract by the MOD or the prime contractor. Primes, tier-2 subcontractors, and tier-3 subcontractors often face different requirements. This guide walks through how the scheme applies across contract tiers.
11 Apr 2026 · 9 min read
Technical Guides · DCC Subcontractor Assurance: Flowing Security Requirements Down Your Supply Chain
DCC requires suppliers to assure their own suppliers. This means flow-down of security requirements, a documented supplier register, and evidence of supplier due diligence. This guide explains what assessors look for, the common mistakes, and how to build a proportionate supply chain assurance process.
9 Apr 2026 · 10 min read
Technical Guides · DCC for SaaS and Cloud-Native Suppliers: Scope, Evidence, and Platform Gap Analysis
Cloud-native and SaaS suppliers face specific DCC considerations: in-scope cloud infrastructure, shared responsibility model clarity, IAM evidence, and secure configuration baselines. This guide walks through how to scope and evidence DCC for a SaaS or cloud-native organisation.
7 Apr 2026 · 10 min read
Industry · Defence Cyber Certification for Small Businesses and SMEs Under 10 People
Small MOD suppliers - one to nine employees - face the same DCC requirements as larger organisations. This guide walks through what DCC Level 0 looks like for a genuinely small business, the specific areas where smaller teams trip up, and how Fig prices and delivers L0 for micro organisations.
4 Apr 2026 · 9 min read
Industry · DCC vs Cyber Essentials Plus: How the Two Schemes Relate and When You Need Each
Cyber Essentials Plus is a prerequisite for DCC Level 2 and Level 3. At Level 0 and Level 1, standard Cyber Essentials is enough. This guide explains how the two schemes relate, which one you need, and how they stack together for suppliers working with the UK MOD.
2 Apr 2026 · 8 min read
Compliance · DCC Level 2 and Level 3: What Higher-Tier Defence Cyber Certification Actually Involves
DCC Level 2 and Level 3 apply to Moderate and High Cyber Risk Profile contracts. They are substantially larger engagements than L0 and L1, require Cyber Essentials Plus rather than CE, and are delivered by a smaller subset of UK Certification Bodies. This guide explains what each level involves, who delivers it, how long it takes, and when to certify at L2 or L3 rather than L1.
31 Mar 2026 · 11 min read
Industry · Choosing a DCC Assessment Body: A Fair Comparison of Fig Group and the UK's Leading Certification Bodies
Several IASME-licensed bodies are accredited to deliver Defence Cyber Certification in the UK. NCC Group, Bridewell, Fortis DPC, Shift Key Cyber, Evolve North, CyberSmart, and Fig Group each approach DCC differently. This article gives an honest comparison - including where Fig is not the right choice.
24 Mar 2026 · 12 min read
Industry · Defence Cyber Certification Pricing in 2026: What L0 and L1 Actually Cost, and Why
L0 DCC pricing is reasonably standardised across the UK market. L1 pricing varies by a factor of two to three depending on Certification Body, scope complexity, and whether L1 consultancy and technology platform access are included. This guide walks through what both levels actually cost, what is included at each price point, and what to look for when comparing quotes.
17 Mar 2026 · 10 min read
Technical Guides · How Long Does Defence Cyber Certification Take? A Realistic Timeline for L0 and L1 Assessment
The honest answer to "how long does DCC take" depends more on the supplier's starting posture than on the Certification Body's turnaround. L0 can complete in under three weeks for a prepared organisation. L1 is a six to twelve week engagement. This guide walks through both, with the specific factors that lengthen or shorten each phase.
10 Mar 2026 · 10 min read
Technical Guides · Preparing Evidence for DCC Level 0: What Assessors Actually Look For
DCC Level 0 is passed or failed on the quality of the evidence you submit. This guide is a control-by-control breakdown of the specific evidence types an IASME-licensed assessor looks for, how to assemble an evidence pack that avoids clarification cycles, the reality of evidence retention, and the difference between operational evidence and evidence fabricated for audit.
3 Mar 2026 · 11 min read
Technical Guides · Scoping Your Organisation for DCC Level 0: The Decisions That Make or Break Your Assessment
Scope is the decision that most often determines whether a DCC Level 0 engagement runs clean or drags on for weeks. This guide walks through how scope is actually constructed, the decisions an assessor will challenge, the five common scoping errors, and how to align DCC scope with your Cyber Essentials scope.
24 Feb 2026 · 10 min read
Technical Guides · The DCC Level 0 Certification Process, Step by Step: From Enquiry to Certificate
DCC Level 0 certification moves through a defined sequence: enquiry, scoping, IASME portal provisioning, self-assessment, evidence submission, assessor review, clarification, marking, and certificate issuance. This guide walks through each step, what you are expected to produce, what the assessor is checking, and realistic timings at each phase.
17 Feb 2026 · 11 min read
Technical Guides · DCC Requirements Checklist 2026: The Full L0 and L1 Readiness List Against CSM v4
A consolidated, practical readiness checklist for DCC Level 0 and Level 1 against CSM v4 (December 2025). Use it to audit your starting posture before engaging a Certification Body. Organised by control family, with specific evidence artefacts and pass/fail criteria for each item.
10 Feb 2026 · 14 min read
Technical Guides · The Five Technical Controls of DCC Level 0: A Practical Guide to Meeting Each One
DCC Level 0 inherits the five Cyber Essentials technical controls and layers defence-specific governance on top. This guide breaks down each control, the specific evidence an IASME-licensed assessor expects, common configuration mistakes, and how the controls map to the CSM v4 requirements behind L0.
5 Feb 2026 · 10 min read
Technical Guides · DCC Levels Explained: How L0, L1, L2, and L3 Map to Contract Risk, and Which One You Actually Need
DCC has four levels: L0, L1, L2, and L3. Each maps to a Cyber Risk Profile tier set by the MOD for a given contract. This guide explains the differences between the levels in detail, how to determine which one your contract requires, the practical differences in assessment effort, and why most suppliers new to the scheme start at L0 or L1.
29 Jan 2026 · 11 min read
Compliance · Defence Cyber Certification Explained: What DCC Is, Who Needs It, and How It Replaces DCPP and DEFSTAN 05-138
Defence Cyber Certification is the UK MOD's new independent cybersecurity certification framework for its supply chain. It replaces the self-assessed Supplier Assurance Questionnaire approach under the old DCPP. This guide explains how DCC works, who needs which level, and what the transition from DCPP means for existing suppliers.
22 Jan 2026 · 11 min read
Compliance · From DCPP to DCC: What the Transition Actually Means for Existing Defence Suppliers
The MOD is transitioning from the Defence Cyber Protection Partnership self-assessment model to the Defence Cyber Certification independent assurance scheme. This guide explains the transition timeline, what DCPP-attested suppliers need to do, how annual attestation works under DCC, and what to tell your buyers while the transition is underway.
15 Jan 2026 · 10 min read
Compliance · CSM v4 Explained: The MOD Cyber Security Model and What It Means for Your DCC Certification
The Cyber Security Model version 4 (CSM v4, December 2025) is the MOD specification that underpins Defence Cyber Certification. This guide explains what CSM v4 is, how it relates to DEFSTAN 05-138, how it structures controls across the four DCC levels, what changed from CSM v3, and how to read CSM v4 when preparing for an assessment.
8 Jan 2026 · 12 min read