
Defence Cyber Certification: What the MOD's Move From Self-Assessment to Independent Assurance Signals About the Future of Regulated Supply Chain Security

[Figure: platform critical dependencies graph mapping defence supply chain relationships and third-party supplier risk]

For a decade, defence supply chain cybersecurity assurance in the UK operated on a principle that was, at best, optimistic. Suppliers bidding on MOD contracts completed a Supplier Assurance Questionnaire or submitted a Cyber Implementation Plan describing the controls they had in place against the Defence Cyber Protection Partnership's expectations. The questionnaire was self-assessed. Nobody independently verified the claims. The MOD trusted its suppliers to answer honestly, and for the most part the suppliers did - but "honestly" is not the same as "accurately", and the gap between a Supplier Assurance Questionnaire response and the underlying reality was the single biggest weakness in the defence supplier assurance model.

That era is ending. Defence Cyber Certification - DCC - is the UK Ministry of Defence's new framework for independently certifying the cybersecurity posture of its supply chain. It was launched in partnership with IASME, the same body that administers Cyber Essentials on behalf of the NCSC. As of April 2026, all four DCC levels are live and open for assessment. The first major organisation to certify under the scheme was Morgan Sindall Group, in late 2025. The rest of the defence supplier base is moving through assessment now.

This is not a small change. DCC is the most significant shift in UK supply chain cybersecurity assurance in a decade, and the sectors that should be watching closely - critical national infrastructure, financial services, the NHS, and the wider public sector - are doing so because the direction of travel for all of them is the same.

What actually changed

Under the old model, the MOD's Defence Cyber Protection Partnership (DCPP) used a Cyber Risk Profile (CRP) to categorise contracts as Very Low, Low, Moderate, or High risk based on the sensitivity of the data and systems a supplier would handle. Suppliers were expected to implement controls from DEFSTAN 05-138 that matched their contract's CRP, and to declare their compliance via the Supplier Assurance Questionnaire. Post-award, the supplier's compliance claims were taken largely on trust.

The DCC changes three things simultaneously.

First, it replaces self-declaration with independent certification. A supplier cannot claim L1 compliance by filling in a form; it has to be assessed by an IASME-licensed Certification Body and pass a formal audit.

Second, it standardises the maturity model. DCC defines four levels - L0, L1, L2, L3 - mapped to the four CRP tiers (Very Low, Low, Moderate, High). A supplier's contract tier dictates the DCC level they need. No more interpretation by individual buyers.

Third, it institutionalises the certification cycle. Certificates are valid for three years, with annual attestation. This moves defence cybersecurity assurance from a point-in-time tick-box into a continuous compliance posture.

The combined effect is that every MOD supplier will, over the next two to three years, have to demonstrate independent third-party verification of their cybersecurity controls at a level matched to the sensitivity of their contracts. The self-assessment era is over.

Why this matters beyond defence

The MOD is not the only UK buyer with a large, heterogeneous, cyber-exposed supply chain. The NHS runs DSPT across a similarly complex supplier base. The Financial Conduct Authority has been tightening operational resilience and third-party risk expectations under SYSC 15A and the new Consumer Duty. The Crown Commercial Service is formalising cybersecurity requirements across its framework portfolio under Procurement Policy Note 014/21. The NCSC's ACD 2.0 guidance is pushing critical national infrastructure in the same direction.

None of these is operating on the same model DCC embodies - yet. But the regulatory direction is unmistakable. Self-assessment is falling out of favour. Independent certification is becoming the expected baseline. And the specific pattern DCC uses - a layered maturity model with matched risk profiles, administered via a national certification authority with a network of licensed assessment bodies - is a design the other sectors can adopt without having to invent their own scheme.

The NHS could apply an equivalent "NHS Supplier Cyber Certification" scheme mapped to its own risk tiers. The FCA could formalise its operational resilience expectations as a certifiable standard for critical third-party suppliers. CCS could strengthen PPN 014/21 by requiring independent certification rather than self-attestation at higher contract values. Each of these is technically feasible and politically plausible within the next three years.

The organisations that will be best placed when that happens are the ones that have treated DCC as practice rather than as a one-off compliance event.

The practical lesson for defence suppliers

For defence suppliers currently preparing for DCC, there is a more immediate lesson. The shift from self-assessment to independent verification means the gap between what a supplier claims and what they can actually demonstrate is now the critical risk area. A supplier who has answered a Supplier Assurance Questionnaire with generous self-assessment for years may find the independent audit exposes gaps that did not previously matter.

This is not because the controls themselves have changed. The DEFSTAN 05-138 requirements underlying DCC have been stable for some time. What has changed is the scrutiny. An assessor asks specific questions, requests specific evidence, and verifies specific configurations. "We have patch management" is no longer a valid answer. "We have patch management via Microsoft Intune with a 7-day critical patch SLA, evidenced by the last three months of deployment reports" is.

Suppliers approaching DCC for the first time should plan for two phases. The first is a preparation phase where the organisation closes the gaps between declared posture and actual practice - typically a four to twelve week exercise depending on starting maturity. The second is the assessment itself, which at L0 is fast and at L1 is a more substantive engagement involving the Certification Body's assessors working with the supplier across a multi-week window.

Organisations that treat DCC as a compliance formality will struggle. Organisations that treat it as an opportunity to properly baseline and harden their controls will come out stronger, and with a certification that will become increasingly commercially valuable not just in defence but across the wider UK regulated supplier ecosystem.

The wider trend to watch

The MOD's move from DCPP self-assessment to DCC independent certification is the clearest single signal of where UK regulated supply chain security is heading. It will not stop with defence. Over the next three to five years, expect equivalent schemes - or close operational equivalents - to emerge across healthcare, financial services, and critical national infrastructure. The organisations that certified early under DCC will find their certification increasingly valuable because the language and maturity framework will become the common currency.

For defence suppliers reading this, the immediate task is straightforward: identify your required DCC level based on your contract Cyber Risk Profile, prepare properly, and engage a Certification Body that understands your sector. For non-defence organisations reading this, the task is different but related: start preparing now for the day your own sector's regulator announces its version of the same scheme. Because that day is coming.


Frequently asked questions

Key questions from MOD suppliers researching this topic.

What is Defence Cyber Certification and why does it matter now?

Defence Cyber Certification (DCC) is the MOD's independent cybersecurity certification framework for defence suppliers. It matters now because buyers are moving from self-attestation to verified assurance, and the same pattern is likely to appear in other UK regulated sectors within the next three to five years.

How is DCC different from the old DCPP Supplier Assurance Questionnaire model?

The old model depended on supplier self-declaration via the Supplier Assurance Questionnaire. DCC requires an IASME-licensed Certification Body to independently review evidence and confirm controls are actually in place before issuing the certificate.

Which UK sectors are likely to adopt a DCC-like approach next?

The same assurance pattern is likely in regulated supply chains such as healthcare (via DSPT evolution), financial services (under FCA operational resilience), and critical national infrastructure (under NCSC ACD 2.0 guidance), where third-party cyber risk is already under stronger scrutiny.

Does early DCC certification create a commercial advantage in bids?

Usually yes. Early certification reduces procurement friction, improves buyer confidence, and helps suppliers respond faster when security assurance is a selection criterion. Organisations that certified during the scheme's first 12 months are already seeing this benefit.

What should a defence supplier do first to prepare for this shift?

Confirm the required contract Cyber Risk Profile, identify the DCC level that profile maps to, and start evidence and gap remediation before formal assessment windows become critical. A practical first step is a 2-hour readiness review with a DCC-accredited Certification Body.
