The Five Technical Controls of DCC Level 0: A Practical Guide to Meeting Each One

Defence Cyber Certification Level 0 is not a new set of technical controls. L0 inherits the five Cyber Essentials technical controls as its baseline and layers defence-specific governance, supply chain, and incident-handling requirements on top. If you already hold a current Cyber Essentials certificate, you already meet the technical foundation of DCC L0 - what remains is the supplementary evidence.

This guide walks through each of the five controls in the order an assessor reviews them, with specific evidence expectations, the common mistakes that cause findings, and the CSM v4 mapping so you can see how each control plugs into the wider L0 requirement set. If you are new to the scheme, pair this with the DCC explained overview and the DCC L0 process walkthrough.

How the five controls fit within DCC L0

L0 requires three evidence packs:

1. A current Cyber Essentials certificate (the technical baseline - the five controls below).
2. Defence-specific governance evidence covering staff vetting, incident handling, and supply chain risk management.
3. CSM v4 Level 0 attestation through the IASME portal.

This article covers the first pack in depth. The technical controls must be demonstrably operational - not just documented - and the assessor expects evidence from the last 30 to 90 days, not a snapshot generated for the assessment.

1. Firewalls

What the control actually requires. Every device that is part of the in-scope boundary must have a correctly configured firewall. For office networks, this is usually the perimeter firewall at the site's internet gateway. For remote workers and cloud-native operations, it is the host-based firewall on each endpoint, plus cloud provider security groups or network ACLs on public resources.

Specific evidence assessors expect:

• Written firewall ruleset or cloud security group configuration for each in-scope boundary.
• Evidence that the firewall administrative interface is not accessible from the public internet, or - if it is - that the admin interface is protected by multi-factor authentication and a documented commercial need.
• Password change records showing the default administrator credentials were replaced.
• Justification for each inbound rule. "Allow all" or unexplained wide-open ports are the single most common L0 finding.

Common mistakes:

• Home workers on personal routers where the router admin password is still the default or a generic ISP password.
• Cloud security groups with `0.0.0.0/0` on SSH (port 22) or RDP (port 3389). These surface immediately in any competent gap analysis.
• Firewalls whose rulesets have not been reviewed in the last 12 months - the scheme expects a periodic review cadence.

CSM v4 mapping. This control maps to the "Network security" family within CSM v4 L0. The defence-specific overlay adds a requirement that internet-facing services processing MOD information must log all inbound traffic and retain those logs for at least 90 days.

2. Secure configuration

What the control actually requires. Devices and services must be configured to reduce their attack surface before being deployed. Default credentials changed, unused accounts removed, unnecessary software uninstalled, auto-run disabled on removable media, and only the services required for the business purpose left enabled.

Specific evidence assessors expect:

• A documented secure build standard for each device type in scope (Windows laptops, macOS devices, Linux servers, mobile devices). This can be as simple as a one-page checklist per device type.
• Evidence the build standard is applied - configuration screenshots, MDM policy exports, or scripted build output for a sample of devices.
• Evidence that default account passwords have been changed (Administrator, root, admin, setup) and that unused guest or demo accounts are disabled.

Common mistakes:

• Relying on "whatever the laptop supplier shipped it with" as the build standard. Assessors will ask for the documented standard.
• Leaving the local Administrator account enabled with a weak password because it is rarely used. The scheme treats rarely-used privileged accounts as higher risk, not lower.
• Allowing users to run as local administrators day-to-day. This is now a common enough finding at L0 that Microsoft Intune or equivalent standard-user enforcement is effectively expected for Windows fleets.

CSM v4 mapping. Secure configuration is assessed under "System hardening" in CSM v4 L0. Where the supplier operates cloud workloads, the same requirements apply to cloud configuration baselines - CIS benchmarks or equivalent are accepted as evidence of baseline intent.

3. Security update management

What the control actually requires. All software within the in-scope boundary must receive security updates - operating systems, applications, firmware, and cloud services. Critical updates must be applied within 14 days of release. Out-of-support software must be removed or isolated.

Specific evidence assessors expect:

• Patch management policy stating the 14-day critical SLA and the 30-day high SLA.
• Deployment evidence for the last 30 days - a patch management dashboard, Windows Update for Business reports, Jamf or Intune compliance reports, or equivalent.
• Inventory of software showing nothing in the environment is past end-of-life. A single Windows Server 2012 box still running is a mandatory finding.
• Firmware update evidence for network equipment, not just laptops and servers.

Common mistakes:

• Confusing "patches installed" with "patches applied within 14 days". The SLA is the compliance boundary.
• Ignoring Linux servers or containerised workloads because "they do not run Windows Update". Linux patching discipline is assessed equally.
• Missing firmware. Routers, printers, network switches, and IoT devices running outdated firmware are common findings.

CSM v4 mapping. CSM v4 L0 explicitly references the 14-day critical patch SLA for all in-scope systems processing MOD data. This is stricter than the 14-day CE SLA only in that it applies to internet-facing and internal systems handling MOD information.

4. User access control

What the control actually requires. Every user account in the in-scope boundary must be individually identifiable, authorised, reviewed, and revoked when no longer needed. Administrative privilege must be separated from everyday user accounts. Multi-factor authentication must be enabled for cloud services and for administrative accounts on any system.

Specific evidence assessors expect:

• Joiner, mover, leaver process documented and applied. Evidence: the last five leavers' account closure dates.
• User access review evidence - quarterly or more frequent.
• MFA enforcement evidence for Microsoft 365, Google Workspace, AWS, Azure, or equivalent cloud services. A conditional access policy export is ideal.
• Separation of privilege evidence - administrators have a standard user account for day-to-day work and an elevated account for administration, not a single account with both roles.

Common mistakes:

• MFA enabled for "most" users but not enforced. The scheme now requires enforcement, not optional enablement.
• Shared accounts, particularly for finance systems or legacy line-of-business applications. Shared accounts are almost always a finding.
• Departed staff whose accounts were disabled but not deleted, remaining in AD with their mailbox active for forwarding. The scheme treats disabled-but-present accounts as acceptable with controls - active mailbox forwarding is not.

CSM v4 mapping. User access control maps to CSM v4 L0 under "Access management". The defence overlay adds a specific requirement for privileged access to MOD-facing systems: every privileged session must be logged, and logs retained for a minimum of 12 months.

5. Malware protection

What the control actually requires. All devices in the in-scope boundary must have malware protection active. The accepted forms are:

• Antivirus with automatic signature updates (end-user devices).
• Application allow-listing (controlled endpoints, servers).
• Sandboxing (browser-delivered executables, email attachments).

Specific evidence assessors expect:

• AV/EDR management console evidence showing all in-scope endpoints are enrolled, protected, and have definitions updated within the last 24 hours.
• Alert handling evidence - when the AV flagged something, what happened next?
• Email gateway evidence if email is a primary attack surface - attachment and link-scanning configuration.

Common mistakes:

• Relying on the free built-in AV without confirming it is configured to update automatically. Default Defender configuration on unmanaged devices can have update gaps.
• "Protected by MDM" without evidence. The MDM policy needs to show the AV is required and compliant.
• Servers excluded from AV on the assumption that "servers do not browse the web". Servers are still in scope.

CSM v4 mapping. Malware protection is part of the CSM v4 L0 "Endpoint protection" family. For suppliers that handle MOD data on personal devices under BYOD, the scheme requires equivalent protection on the personal device - which is often the cleanest argument against BYOD for defence work.

The supplementary L0 evidence beyond the five controls

Holding the five technical controls does not finish L0. You also need:

• Information Security Policy - a substantive document, not a one-page stub. Coverage: acceptable use, data classification, incident reporting, joiner-mover-leaver, physical security, remote working, supplier due diligence.
• Incident Response Plan with named roles, notification thresholds, and MOD contact routes.
• Supply chain risk management evidence - how you assess your own suppliers who support MOD-facing services.
• Staff vetting evidence - BS 7858 for personnel with access to MOD data in sensitive roles.

For a full L0 readiness walkthrough, see the DCC L0 process guide and the DCC L0 evidence guide.

How Fig Group assesses the five controls

At Fig, we run our technology platform across the supplier's in-scope systems in parallel with the documentation review. The platform surfaces gaps against each of the five controls automatically - unpatched systems, misconfigured firewalls, weak access configurations, and so on - which means the supplier has the opportunity to fix issues before they become assessor findings.

The consultant reviews the output, proposes remediation, and only submits for formal assessment once the evidence is clean. This is the single biggest reason Fig's first-pass rate on L0 is materially higher than audit-only engagements: the assessor does not see the gaps because they are remediated before the submission.

Pricing for L0 starts at £999.99 + VAT for micro organisations. See DCC pricing for the full tier breakdown and a comparison against the wider UK market.

Talk to a DCC assessor → | View L0 pricing →