A DCC certificate is valid for three years. Unlike Cyber Essentials, which is renewed annually as a full re-assessment, DCC has a lighter-touch annual attestation. This structure means suppliers do not face a full audit every 12 months, but it also means the attestation is often underestimated - it is a real assessment event, and failing it can result in the certificate being suspended.
This guide walks through what the annual attestation actually covers, what evidence to prepare, the common reasons suppliers get findings between the three-yearly assessments, and how to plan the year so attestation is a non-event.
The structure of a DCC certification cycle
When a DCC certificate is issued, the supplier enters a three-year cycle:
- Year 0: full DCC assessment and certificate issuance.
- Year 1 anniversary: annual attestation.
- Year 2 anniversary: annual attestation.
- Year 3: full DCC re-assessment (certificate renewal).
The annual attestation is a confirmation review, not a repeat of the original assessment. Its purpose is to check that nothing material has changed in the supplier's posture and that the certified controls remain in operation. For a well-run supplier the attestation is a brief, structured confirmation. For a supplier that has drifted, it is where the drift surfaces.
What the annual attestation actually covers
The attestation is narrower than the original assessment but not trivial. Typical coverage:
Confirmation of no material change in scope. The supplier confirms that the DCC-certified scope has not materially changed - same in-scope entities, same boundary, same types of MOD data handled. Any material change triggers a re-assessment obligation.
Confirmation of underlying certifications. The supplier evidences that the required Cyber Essentials (or Cyber Essentials Plus for L2/L3) certificate is current. A lapsed CE/CE Plus certificate is grounds for immediate attestation failure.
Technical control maintenance evidence. Evidence that the five technical controls remain operational: current firewall/cloud security group review, patch management dashboard showing ongoing compliance with the 14-day critical SLA, MFA enforcement still in place, AV/EDR still active and updated, access reviews conducted in the last 12 months.
Governance artefact review. The Information Security Policy, Incident Response Plan, and supply chain documentation have been reviewed in the last 12 months and remain appropriate to the business. A policy last reviewed three years ago at initial assessment will prompt a finding.
Incident disclosure. Any cybersecurity incident during the year that affected MOD-facing systems must be disclosed during attestation. This is not intended to catch suppliers out - it is the scheme operating its monitoring role.
Supply chain register currency. The supplier register has been reviewed and updated, new suppliers have been through due diligence, lost suppliers have been removed, and the Security Schedule remains in force.
Personnel changes. Significant changes in personnel with access to MOD information - particularly at senior or privileged levels - should be disclosed and the vetting evidence confirmed.
At L1 the attestation is more substantive than at L0 and typically includes an interview with the named incident response lead and confirmation of the consultant-led controls from the original engagement.
What triggers a re-assessment rather than attestation
Certain changes mean the annual attestation is insufficient and a full re-assessment is required:
- Material change in organisational scope - an acquisition, a new business line, or entry into materially different MOD work.
- Change in the in-scope network or systems that is significant enough to change the attack surface (for example, moving from on-premise hosting to cloud-native, or onboarding a large managed services provider).
- Significant cybersecurity incident affecting MOD-facing systems.
- Loss of Cyber Essentials (or CE Plus) certification.
- Change in the Cyber Risk Profile of contracts in scope - moving from Very Low to Low, for example, pushes the supplier from needing L0 to needing L1.
When any of these happens, the supplier is expected to notify their Certification Body, and a re-assessment is scheduled. The three-year clock effectively resets.
How the attestation is administered
The attestation is conducted via the IASME portal by the original Certification Body. For a Fig-certified supplier, the attestation workflow is:
- Six weeks before anniversary: Fig sends a reminder and the attestation questionnaire opens on the IASME portal.
- Four weeks before anniversary: supplier completes the attestation questionnaire and uploads evidence.
- Two weeks before anniversary: Fig consultant reviews the submission and requests clarifications if needed.
- Anniversary: attestation is confirmed and the three-year certificate remains active.
Clarification cycles during attestation are short - typically one or two rounds rather than the three rounds available during full assessment.
For L1 engagements the Fig dedicated consultant is the same person across the full three-year cycle, which makes attestation materially easier because the consultant already knows the supplier's environment.
Common reasons suppliers get findings at attestation
Lapsed Cyber Essentials. By far the most common. The CE certificate is valid for 12 months; if it lapses during the DCC cycle, the DCC certificate is effectively suspended until CE is restored. Suppliers often let CE drift because the annual renewal fee and process are seen as administrative. Lost CE means lost DCC.
Stale governance documents. An Information Security Policy or Incident Response Plan that has not been reviewed in 12 months prompts a clarification. The policies must be reviewed annually, approved by a named director, and dated.
Drift in technical controls. The most common forms of drift: MFA enforcement quietly relaxed for "a few exceptions", patch management dashboards no longer being reviewed, access reviews not happening. None of these triggers automatic failure, but they accumulate into clarification cycles.
Subcontractor churn. Onboarding new suppliers without due diligence, or continuing to work with suppliers whose certification has lapsed, produces findings at the supply chain review section.
Incident non-disclosure. A cybersecurity incident during the year that is not disclosed at attestation and later surfaces through other means (press, breach notification, buyer enquiry) is a serious finding and can result in certificate suspension.
Personnel changes. A change of CISO or IT Director without corresponding update to the Incident Response Plan produces a finding.
How to plan the year so attestation is a non-event
Suppliers that find attestation simple share a few habits:
- Calendar annual policy reviews for the ISP and IRP, scheduled for 9 months into the DCC cycle so they are fresh at attestation.
- Schedule CE renewal 2-3 months before the DCC anniversary so it is in hand by attestation time.
- Review the supplier register quarterly rather than annually, so changes are captured incrementally.
- Maintain a simple incident log even if nothing significant has happened. An empty log is fine; an incident that happened and was not written down is the problem.
- Retain control evidence in a standard folder structure throughout the year. Dashboards, access review outputs, patch reports, AV coverage exports - all filed in a predictable location, not scrambled for at attestation.
At Fig our consultant reaches out 8 weeks before attestation and walks customers through an attestation readiness checklist. For most suppliers this turns the attestation itself into a 30-minute confirmation rather than a three-week scramble.
The cost implication
The DCC scheme does not separately price the annual attestation - it is part of the three-year certificate fee. However, suppliers that engage consultants or Certification Bodies for attestation support may pay an annual fee for that support. Fig includes attestation support for L1 customers as part of the original engagement. For L0 customers we offer a low-cost attestation support package on request.
A supplier that approaches attestation with good hygiene typically has zero incremental cost at attestation. A supplier starting from a disorganised evidence position typically incurs consultancy costs to get attestation-ready.
The three-yearly renewal
At the end of the three-year cycle the certificate must be renewed via a full re-assessment. This is a lighter engagement than the original because substantial evidence from the previous three years is usually retained, but it is a full assessment - not an attestation. Suppliers typically budget 50-70% of the original L0 or L1 engagement effort for the three-yearly renewal.