Defence CISO Mandates DCC Level 0 for All MOD Suppliers by 31 December 2026

On the Defence Cyber Certification scheme's first birthday, the UK Ministry of Defence has moved DCC from "scheme you should certify against when your contract requires it" to "scheme the Defence CISO expects every supplier to hold". In a LinkedIn post this week, Eleanor Fairford - Director for Cyber Defence and Risk and MOD's Defence CISO - asked all MOD suppliers to achieve DCC Level 0 certification by 31 December 2026.

The request is positioned as an extension of the October 2025 letter from ministers and security chiefs that required Cyber Essentials throughout the government supply chain. DCC Level 0 is the defence-specific articulation of that same principle: a baseline of verified cybersecurity hygiene, held by every organisation selling to the MOD, by the end of this year.

For suppliers who have been waiting for a definitive signal on DCC timing, this is it.

What Eleanor Fairford actually said

The Defence CISO's post, published around CyberUK 2026, made three concrete statements:

  1. The DCC scheme has now been live for a year. It was launched at CyberUK 2025. The first year has focused on scheme build-out, Certification Body accreditation, and early-adopter certifications. The scheme is now considered stable and ready for broad supplier adoption.
  2. All suppliers are expected to achieve Level 0 by 31 December 2026. This is the first time the Defence CISO has publicly stated a universal deadline for DCC L0. It applies to the whole MOD supplier base, not just suppliers on contracts with a stated DCC requirement.
  3. The mandate sits within the wider government supply chain Cyber Essentials programme. The October 2025 ministerial letter asked for Cyber Essentials across government supply chains. DCC L0 is the defence interpretation of that expectation - Cyber Essentials plus the additional governance, supply chain, and CSM v4 controls that the MOD considers necessary for defence work.

The CISO also flagged MOD presence at the CyberUK 2026 stand for suppliers who want to discuss the mandate directly.

Who Eleanor Fairford is, and why the announcement carries weight

Eleanor Fairford is the Director for Cyber Defence and Risk at the Ministry of Defence, which makes her the Defence CISO. This is the senior civil service role that sets cybersecurity policy across the MOD, owns the risk posture of the defence estate, and controls the supplier cyber assurance framework.

When the Defence CISO publicly asks suppliers to certify by a specific date, two things happen in practice:

  • Procurement teams align to the deadline. MOD procurement and commercial teams will begin treating DCC L0 as a standard supplier qualification requirement during the course of 2026, accelerating toward the 31 December cutoff.
  • Primes cascade the requirement down the supply chain. The largest defence primes pass MOD security requirements down to their subcontractors. When the Defence CISO states a baseline, primes adopt it as the minimum for their own supplier onboarding.

This pattern is not theoretical. Suppliers who went through the DCPP-to-DCC transition in late 2025 saw exactly this dynamic: a top-down buyer signal triggered a cascade across the supply chain within 60 to 90 days.

What "Level 0 by 31 December 2026" means operationally

There are roughly eight months between the announcement and the deadline. That is enough time for a prepared organisation, but not unlimited. The practical timeline works backwards from 31 December:

Months 1-2 (May-June 2026): Readiness review

Before committing to a Certification Body, run a readiness review. The three specific things to check:

  • Cyber Essentials status. DCC L0 requires a valid Cyber Essentials certificate as a prerequisite. If yours is missing or close to expiry, plan to renew before starting DCC. Fig can turn around Cyber Essentials in six hours where needed.
  • Scope boundary. DCC L0 scope is the people, systems, data flows, and operational processes supporting the MOD contract or core service delivery linked to it. Define this formally now - it governs everything downstream.
  • Governance documentation. L0 requires an Information Security Policy, Incident Response Plan, Acceptable Use Policy, and supply chain assurance records. If any of these are thin or out of date, rebuild them before submission, not during assessment.

Months 3-4 (July-August 2026): Evidence preparation

Work through the CSM v4 Level 0 controls methodically. For each control, assemble documentary evidence that demonstrates the control is implemented and operating. This is the phase where most suppliers underestimate the effort - a declarative answer is not enough; the assessor needs operational evidence (policy + records of its operation, not just policy).

Month 5 (September 2026): Engage a Certification Body

Book the L0 engagement with your Certification Body. At this point you will have the materials ready and can compress the assessor interaction into a tight window. Supplier demand on Certification Bodies in Q3 and Q4 2026 will be materially higher than it has been to date - book early.

Months 6-7 (October-November 2026): Assessment and feedback

DCC L0 typically completes in 14 to 21 days for a prepared organisation, with up to three free rounds of assessor feedback included in Fig's pricing. Budget six to eight weeks end-to-end to allow for remediation between feedback rounds.

Month 8 (December 2026): Certificate issuance and MOD register listing

Once the assessor is satisfied, the certificate is issued and the organisation is listed on the IASME DCC register. This is the artefact that evidences compliance to the mandate.

Suppliers who start later than July 2026 will find the timeline uncomfortably tight. Suppliers who start in October 2026 may miss the 31 December deadline.

Why this is probably L0-only - for now

The Defence CISO's mandate names Level 0 specifically. That does not mean higher levels are not expected; it means L0 is the universal baseline, and higher levels are still driven by the contract's Cyber Risk Profile (CRP):

  • L0 is the universal supplier baseline, now mandated by 31 December 2026.
  • L1 is required for contracts with a Low Cyber Risk Profile - still the buyer's call based on contract content.
  • L2 and L3 apply to Moderate and High CRP contracts, where the data and systems involved justify more substantive assurance.

Read this as: "everyone gets L0 this year; L1+ remains contract-driven". Suppliers bidding on contracts that will require L1 should plan their L1 engagement to complete within a few months of L0 - the evidence and documentation overlap is substantial, and running them consecutively is more efficient than running them as separate projects months apart.

For context on how the levels relate to CRPs, see the DCC levels explainer.

The government-wide context

The MOD mandate does not exist in isolation. It is the most concrete manifestation so far of the October 2025 letter from ministers and security chiefs asking for Cyber Essentials across the government supply chain. Other government buyers are expected to follow with their own deadline-driven supplier cyber assurance expectations over the next 12 months:

  • Cabinet Office / Crown Commercial Service is tightening supplier security requirements under PPN 014/21 for framework agreements.
  • NHS England is extending the Data Security and Protection Toolkit expectations to the wider clinical supply chain.
  • FCA-regulated firms face parallel operational resilience and third-party risk expectations under SYSC 15A and Consumer Duty.

Defence suppliers who certify under DCC in 2026 will find the certification has value beyond defence as adjacent sectors formalise their own equivalents. This is the point made in more detail in the future of supply chain assurance.

The practical next step

If you supply the MOD in any capacity - directly or through a prime - the practical next step is straightforward:

  1. Confirm your Cyber Essentials status. Valid certificate required before starting DCC L0. Renew or obtain if needed.
  2. Define your L0 scope. Identify the people, systems, and operational processes in scope of the MOD work you do.
  3. Engage a Certification Body. Book the L0 engagement before Q3 2026 demand peaks. Fig's L0 pricing starts at £999.99 + VAT for micro organisations, with micro to large tiers flat-priced by organisation size.
  4. Prepare governance and CSM v4 evidence. Close any gaps before submission rather than during assessment.

Fig Group is an IASME-licensed Defence Cyber Certification Body. L0 engagements include up to three free rounds of assessor feedback, IASME DCC register listing, and a three-year certificate with annual attestation. See DCC L0 pricing or the L0 process step-by-step for a more detailed walkthrough.

The Defence CISO has set the deadline. The path to meeting it is well-trodden. The suppliers who start in April or May 2026 will be on the register with time to spare. The ones who wait until Q4 will not.

Frequently asked questions

Key questions from MOD suppliers researching this topic.

Who has mandated DCC Level 0 for MOD suppliers?

Eleanor Fairford, Director for Cyber Defence and Risk at the MOD and Defence CISO, has asked all MOD suppliers to achieve DCC Level 0 certification by 31 December 2026. The request was made publicly around CyberUK 2026, on the first anniversary of the DCC scheme launch.

What is the deadline for DCC Level 0 certification?

31 December 2026 is the deadline stated by the Defence CISO. The request applies to all MOD suppliers, not just those on contracts that currently specify a DCC requirement.

How does this mandate relate to the October 2025 government letter on Cyber Essentials?

The mandate is the defence-specific articulation of the October 2025 ministerial letter requiring Cyber Essentials across the government supply chain. DCC Level 0 is Cyber Essentials plus the governance, supply chain assurance, and CSM v4 controls the MOD considers necessary for defence work.

How long does DCC Level 0 take to complete?

A prepared organisation with a valid Cyber Essentials certificate and established governance typically completes L0 in 14 to 21 days. Organisations starting from a lower baseline should plan for 6 to 8 weeks end-to-end, including evidence preparation and assessor feedback rounds.

Do I need Cyber Essentials before starting DCC Level 0?

Yes. A valid Cyber Essentials certificate is a prerequisite for DCC Level 0 and must be maintained for the duration of the DCC certificate. Fig Group can turn around Cyber Essentials in six hours where needed to unblock a DCC engagement.

Does the mandate also require L1, L2 or L3?

No. The Defence CISO has specifically mandated Level 0 as the universal baseline. L1, L2, and L3 remain driven by the Cyber Risk Profile of individual contracts. Suppliers on Low CRP contracts will still need L1; Moderate and High CRP contracts will require L2 and L3 respectively.

What should I do first if I have not started DCC preparation?

Confirm Cyber Essentials status, define your L0 scope (people, systems, and operational processes supporting MOD work), and engage a Certification Body before Q3 2026 when supplier demand will peak. Starting in May or June 2026 gives comfortable headroom; starting in October leaves very little margin.
