The DCC Level 0 Certification Process, Step by Step: From Enquiry to Certificate

DCC Level 0 is the entry-level tier of Defence Cyber Certification, aimed at MOD suppliers whose contracts are classified at the "Very Low" Cyber Risk Profile. The process is structured, portal-based, and - for a prepared organisation - completes in 14 to 21 days. This guide walks through the process end-to-end, with realistic timings and the specific decisions that most affect the outcome. For the full timeline picture including L1, see the DCC timeline guide.

Step 1: Enquiry and pre-qualification (day 0 to 1)

The process begins when a supplier contacts an IASME-licensed DCC Certification Body or IASME directly. Two things are established on this first call:

  • Required DCC level. This is driven by your contract's Cyber Risk Profile as set by the MOD (or by the prime contractor in a subcontract scenario). You do not choose the level - the buyer specifies it.
  • Cyber Essentials prerequisite. L0 requires a valid Cyber Essentials certificate. If you do not hold one, the CE assessment is added to the engagement plan. Fig's standard CE turnaround is six hours from submission, so this rarely lengthens the critical path.

A competent Certification Body will also flag obvious scoping issues on this call - remote workers, BYOD, cloud infrastructure, subcontractor relationships - so the supplier has a realistic picture of what is in scope before signing.

Step 2: Scoping (day 1 to 3)

Scoping is the single most important activity at the start of an L0 engagement. Poorly scoped assessments generate avoidable findings, trigger clarification cycles, and sometimes require a full re-submission.

You need to decide, explicitly:

  • Which legal entities are in scope (often just one company, sometimes a defined group).
  • Which sites and home-worker locations are in scope.
  • Whether BYOD is in scope.
  • Which cloud services are in scope.
  • Whether subcontractors who access your systems are in scope.

The assessor will challenge the scope, especially if it appears to exclude material in-scope assets. Under-scoping is a common rejection reason. See the DCC L0 scoping guide for the specific pitfalls and how to avoid them.

Step 3: IASME portal access and account setup (day 3 to 5)

Your Certification Body provisions an account on the IASME portal. You receive login credentials, a scope record matching what was agreed in Step 2, and access to the L0 self-assessment form.

At Fig we also open a shared evidence space at this point - a simple secure folder structure aligned to the CSM v4 L0 requirements - so the client has a single place to drop evidence as it is gathered, rather than attempting to reconstruct it at submission time.

Step 4: Complete the self-assessment (day 3 to 10)

The L0 self-assessment is completed by the supplier. The Certification Body can explain questions, point you at the expected type of evidence, and flag weak answers - but the assessor cannot complete the form for you or tell you what answer will pass. This separation is a regulatory requirement of the scheme.

The self-assessment covers:

  • The five technical controls (see the DCC L0 five controls guide for the detailed requirements).
  • Governance controls including Information Security Policy, Incident Response Plan, and Acceptable Use Policy.
  • Supply chain risk management - how you evaluate and monitor your own suppliers who support MOD-facing services.
  • Staff security - vetting (BS 7858 or equivalent where applicable), training, joiner/mover/leaver processes.
  • Data handling - classification, storage, transmission, and destruction of MOD information.

Most of the supplier's preparation time is spent on this step. For a well-prepared organisation this is three to seven working days. For a supplier starting cold, two to three weeks is more realistic.

Step 5: Evidence submission (day 7 to 12)

Evidence is uploaded against each question in the self-assessment. The scheme expects operational evidence - documents, configurations, and records that already exist as part of running the business - rather than documents fabricated for the assessment. See the DCC L0 evidence guide for what assessors are specifically looking for.

At Fig, the consultant reviews the evidence before submission and flags anything that is thin, missing, or misaligned with the control being evidenced. This pre-review is where first-pass failure is prevented.

Step 6: Assessor review (day 10 to 16)

The assessor reviews your submission. They are checking three things:

  1. Coverage. Does the evidence cover every requirement at the stated scope?
  2. Quality. Is the evidence current, authentic, and operational rather than performative?
  3. Consistency. Do the answers and evidence tell a coherent story across the five controls and the governance overlay?

If everything aligns, the assessor moves straight to marking. If there are gaps, they are raised as clarification requests.

Step 7: Clarification (day 12 to 18)

The assessor typically asks between zero and five clarification questions on a well-prepared L0 submission. The questions fall into three types:

  • Evidence requests. "Can you upload the joiner-mover-leaver log for the last quarter?" - usually because the original submission did not include it.
  • Scope clarifications. "You mention cloud services; which platforms specifically, and what data flows there?"
  • Technical challenges. "The firewall rule set shows an `any/any` rule on port 443 - can you explain the business need?"

A responsive supplier closes clarifications within one to three days. A slow responder stretches this phase out materially - it is the single most common cause of timeline overrun at L0.

Step 8: Marking and certification (day 14 to 21)

Once all clarifications are resolved, the assessor completes marking on the IASME portal. A passing submission is automatically issued a DCC L0 certificate, your organisation is added to the IASME DCC register, and the certificate becomes commercially usable.

The certificate is valid for three years. Annual attestation is required at months 12 and 24; see the DCPP-to-DCC transition guide for how annual attestation actually works in practice.

What happens if the assessor finds a material gap

A genuine failure at L0 is uncommon but not impossible. If the submission cannot be remediated within a defined window, the supplier is given the option to close the engagement, remediate, and re-submit. Fig includes up to three free clarification rounds; a fourth attempt or a full re-submission after a failed assessment is chargeable, but the scenario is rare if pre-submission review is done properly.

Realistic timing by preparation level

| Preparation level | L0 duration |
| --- | --- |
| CE certified, governance documented, scope clear | 14 – 21 days |
| CE certified, governance partly there | 21 – 35 days |
| No CE, ad-hoc governance | 28 – 56 days |

For a practical view of where the time actually goes, see the DCC timeline guide.

How Fig Group structures the L0 engagement

Fig's L0 engagement is run by a named consultant alongside the assessor. The consultant:

  • Runs the scoping call and documents the agreed boundary.
  • Pre-reviews evidence before submission.
  • Runs the Fig technology platform across your in-scope estate to surface technical gaps (misconfigurations, unpatched systems, exposed services) before they become assessor findings.
  • Handles clarification responses alongside you.

L0 pricing is tier-based: £999.99 + VAT for micro organisations, up to £4,999.99 + VAT for 250+ employees. See the DCC pricing guide for the full breakdown and market comparison.

Frequently asked questions

Key questions from MOD suppliers researching this topic.

What are the key steps in the DCC Level 0 process?

The journey covers eight steps: enquiry and pre-qualification, scoping, IASME portal access, self-assessment completion, evidence submission, assessor review, clarification, and marking with certificate issuance.

Can a Certification Body complete the answers for us?

No. The supplier owns assessment responses and evidence. The body can guide interpretation and flag weak answers, but cannot complete the declaration on your behalf - this separation is a regulatory requirement of the scheme.

Is an assessor discussion call part of the process?

At L0, assessor interaction is usually via written clarification requests rather than a formal interview call. L1 includes structured interviews with IT lead, security lead, operations lead, and an executive sponsor.

How long after submission do we usually get an outcome?

For clean, well-prepared submissions, a final outcome typically lands within 7 to 10 working days of submission. Delays usually follow incomplete evidence packs or slow responses to clarification requests.

What happens if the assessor finds gaps?

You receive structured clarification requests in the IASME portal. You remediate and resubmit relevant evidence. Fig includes three free clarification rounds; most suppliers pass after structured remediation when scope and controls are handled correctly.
