Defence Cyber Certification (DCC) is the UK Ministry of Defence's new framework for independently certifying the cybersecurity posture of its supply chain. It was developed in partnership with IASME (the body that also administers Cyber Essentials on behalf of the NCSC) and became operational across all four levels in April 2026.
If you are a supplier to the MOD, or you are bidding on MOD contracts, DCC matters to you directly. If you are outside the MOD supply chain, DCC still matters because it sets a precedent that other UK regulated buyers are likely to follow.
This guide explains what DCC is, how the four levels work, who needs each level, and how DCC replaces the older Defence Cyber Protection Partnership (DCPP) self-assessment approach.
The short version
DCC is a four-level cybersecurity certification framework for MOD suppliers, administered by IASME, with assessments conducted by a network of IASME-licensed Certification Bodies. Each level maps to a contract Cyber Risk Profile (CRP). Certificates are valid for three years with an annual attestation. All four levels are live as of April 2026.
The four levels:
- L0: Matches Very Low CRP contracts. Requires Cyber Essentials + defence-specific governance and attestation.
- L1: Matches Low CRP contracts. Requires Cyber Essentials + deeper documentation, controls, and assessor verification.
- L2: Matches Moderate CRP contracts. Requires Cyber Essentials Plus + comprehensive ISMS evidence and assessor verification.
- L3: Matches High CRP contracts. Requires Cyber Essentials Plus + in-depth assessor engagement, including on-site verification for certain controls.
Where DCC came from
DCC did not appear from nothing. It is the natural evolution of two parallel MOD workstreams that have been running for roughly a decade.
The first is the Defence Cyber Protection Partnership (DCPP), set up by the MOD in partnership with industry to develop a consistent approach to cybersecurity across the defence supply chain. DCPP produced the Cyber Risk Profile model used to categorise contracts, and the Supplier Assurance Questionnaire used to capture supplier self-declarations.
The second is DEFSTAN 05-138, the MOD standard that defines the cybersecurity controls suppliers are expected to implement at each Cyber Risk Profile level. DEFSTAN 05-138 has been iterated multiple times; the current version (i4) underlies the DCC assessment framework.
The gap between these two workstreams was verification. DCPP generated supplier self-declarations; DEFSTAN 05-138 defined the controls; but nobody independently verified that suppliers were actually implementing what they declared. DCC closes that gap by providing the formal certification process that verifies DEFSTAN 05-138 compliance.
The MOD's Cyber Security Model (CSM), currently at version 4 (December 2025), pulls these together. CSM v4 is the authoritative specification that DCC assesses against.
The four DCC levels in detail
L0
Applies to: Contracts with a Very Low Cyber Risk Profile. Support services, facilities work, non-sensitive logistics, and similar engagements where the supplier does not handle operationally important information.
Baseline: Cyber Essentials certificate.
What is assessed: Governance documentation (Information Security Policy, incident response plan, staff vetting process), supply chain risk management posture, data handling procedures, alignment with CSM v4 Level 0 requirements.
Assessment process: Documentation-led review via the IASME portal. Single assessor. Timeline: 2-3 weeks for prepared organisations.
Typical L0 supplier profile: 1-50 employees, UK-based, handling MOD contracts under a prime contractor arrangement where the prime holds higher-tier certification.
L1
Applies to: Contracts with a Low Cyber Risk Profile. Suppliers handling operationally significant but non-classified information, or suppliers with systems connected to MOD infrastructure.
Baseline: Cyber Essentials certificate.
What is assessed: Everything in L0 plus extended governance (ISMS documentation, risk management framework, business continuity), deeper technical controls (access control, data lifecycle, endpoint security), subcontractor flow-down assurance, staff security vetting evidence, and structured evidence of CSM v4 Level 1 compliance.
Assessment process: Consultant-led engagement including evidence preparation, gap analysis, remediation support, and formal assessment. Timeline: 6-10 weeks for prepared organisations.
Typical L1 supplier profile: 10-250 employees, direct MOD supplier or tier-one subcontractor, handling operationally significant data.
L2
Applies to: Contracts with a Moderate Cyber Risk Profile. Suppliers handling sensitive MOD data, critical operational systems, or with significant access to MOD networks.
Baseline: Cyber Essentials Plus certificate (not CE basic).
What is assessed: Extensive ISMS evidence, formal risk assessment against CSM v4 Level 2, in-depth technical controls (privileged access management, continuous monitoring, vulnerability management programme), security operations capability, regularly tested incident response, supply chain assurance down multiple tiers, staff security vetting to higher standards.
Assessment process: Formal assessor engagement with document review, interviews, and technical verification. Timeline: typically 3-6 months.
Typical L2 supplier profile: Mid-sized to large defence suppliers, primes on medium-value contracts, specialist suppliers handling sensitive data.
L3
Applies to: Contracts with a High Cyber Risk Profile. Suppliers handling classified information, providing critical operational capabilities, or with deep integration into MOD networks and systems.
Baseline: Cyber Essentials Plus certificate.
What is assessed: Comprehensive ISMS with demonstrable operational maturity, active threat intelligence capability, tested incident response including defence-specific scenarios, advanced security operations including 24/7 monitoring where relevant, stringent staff vetting and clearance processes, on-site verification of specific controls, multi-tier supply chain assurance with active verification rather than attestation.
Assessment process: In-depth assessor engagement including on-site verification, interviews across the organisation, and technical testing of specific controls. Timeline: typically 4-9 months.
Typical L3 supplier profile: Major defence primes, critical technology suppliers, suppliers handling classified material, systems integrators on high-value operational contracts.
Who needs which level
The MOD (or the prime contractor, in a sub-contract scenario) specifies the required DCC level based on the contract's Cyber Risk Profile. Suppliers do not choose their level arbitrarily; it is determined by the sensitivity of the work. A supplier bidding on a Very Low CRP contract cannot strategically opt for L2 to appear more credible - the contract specifies L0 as the required level.
That said, some suppliers hold a higher DCC level than any individual contract strictly requires, because their overall supplier positioning benefits from it. A supplier that holds L1 across their business can bid on any L0 or L1 opportunity without needing separate certification for each.
The practical implication: if your organisation bids on multiple MOD contracts with varying CRPs, certify at the highest level your pipeline requires. If your pipeline is exclusively L0, there is no commercial benefit to over-certifying at L1.
What the transition from DCPP means for existing suppliers
Suppliers who previously completed a Supplier Assurance Questionnaire under the old DCPP process do not automatically hold DCC certification. The SAQ was a self-declaration; DCC requires independent certification. Existing suppliers need to move through formal DCC assessment to continue bidding on MOD contracts.
The MOD is running a transition period during which suppliers can continue to operate under prior DCPP attestations while they work toward DCC. The exact transition timeline depends on the specific contract and the buyer; some primes have already moved fully to DCC-required procurement, while others are still accepting DCPP self-attestation pending their suppliers' DCC certification.
The safest posture for any defence supplier is to move to DCC certification now, at the level matched to the highest CRP in their current pipeline. Waiting for the transition to close risks being excluded from procurement rounds when the buyer tightens its requirements.
How DCC relates to Cyber Essentials, CE Plus, and ISO 27001
DCC does not replace these. It sits on top of them.
- Cyber Essentials is the technical baseline for L0 and L1 DCC. Every DCC-certified supplier at those levels also holds a current CE certificate.
- Cyber Essentials Plus is the technical baseline for L2 and L3. Every supplier at those levels also holds a current CE Plus certificate.
- ISO 27001 is not a formal DCC requirement but is commonly held by L2 and L3 suppliers. The overlap between ISO 27001 evidence and DCC L2/L3 evidence is significant; suppliers with ISO 27001 in place find L2 and L3 faster to achieve.
A supplier can pursue multiple certifications in parallel. A common path is: Cyber Essentials first, then DCC L1 (or CE Plus + DCC L2), then ISO 27001 as a broader governance standard.
What to do now
If you are a defence supplier and you have not yet engaged with DCC:
- Confirm the Cyber Risk Profile required by your current and pipeline MOD contracts. Your buyer will specify this explicitly.
- Confirm whether you hold a current Cyber Essentials (for L0/L1) or Cyber Essentials Plus (for L2/L3) certificate. If not, that is the first step.
- Engage an IASME-licensed Certification Body with DCC accreditation. The scheme is specialist; not every IASME body holds DCC assessor accreditation.
- Plan realistic timelines (see the speed of certification article): 2-3 weeks for L0, 6-10 weeks for L1, 3-6 months for L2, 4-9 months for L3.
The scheme is well-designed, well-administered, and fit for purpose. The organisations that struggle are the ones that approach it as a paperwork exercise. The organisations that succeed are the ones that treat it as a genuine maturity baseline.