DCC Levels Explained: How L0, L1, L2, and L3 Map to Contract Risk, and Which One You Actually Need

[Figure: Fig platform risk dashboard showing how DCC levels L0 through L3 map to contract Cyber Risk Profiles]

Defence Cyber Certification has four levels: L0, L1, L2, and L3. Each level corresponds to a Cyber Risk Profile (CRP) tier that the MOD assigns to the contract the supplier is delivering. The level is not chosen by the supplier - it is set by the buyer based on the sensitivity of the work, and the supplier must certify at that level (or higher) to hold the contract.

This guide breaks down each level in detail, explains how the CRP-to-DCC mapping works in practice, walks through the effort and cost differences between the levels, and addresses the question suppliers most often ask: why start at L0 when higher levels exist?

For a broader overview, see the DCC explainer. For comparative pricing, see the DCC pricing guide.

The Cyber Risk Profile framework

Before DCC, the MOD's Defence Cyber Protection Partnership (DCPP) established the Cyber Risk Profile, which categorises contracts into four risk tiers based on the sensitivity of the data and systems the supplier will handle:

CRP tier    Typical contract characteristics
Very Low    Non-sensitive support services, facilities, catering, low-data logistics
Low         Operationally significant but non-classified data, standard commercial systems
Moderate    Sensitive MOD data, systems with operational MOD network connectivity
High        Classified information, critical operational capabilities, deep MOD integration

DCC maps these four CRP tiers directly to four assessment levels. The buyer specifies the required CRP in the procurement documentation; DCC then determines the certification level needed:

CRP tier    Required DCC level
Very Low    L0
Low         L1
Moderate    L2
High        L3

Level 0 in detail

Who needs it: Suppliers on Very Low CRP contracts. Typically 1–50 employees, UK-based, delivering support services, facilities work, or non-sensitive logistics to the MOD or a prime contractor.

Technical baseline: Cyber Essentials.

What is assessed: The five Cyber Essentials technical controls (see DCC L0 five controls) plus supplementary defence-specific governance: Information Security Policy, Incident Response Plan, Staff Vetting, Supply Chain Risk Management, Data Handling, and CSM v4 L0 attestation.

How it is assessed: Single assessor reviewing a portal-based submission. No interviews. No on-site visits.

Timeline: 14–21 days for a prepared organisation.

Price (Fig tier-based, 2026):

  • Micro (1–9): £999.99 + VAT
  • Small (10–49): £1,499.99 + VAT
  • Medium (50–249): £2,499.99 + VAT
  • Large (250+): £4,999.99 + VAT

When to aim higher: If your MOD pipeline includes contracts at mixed CRP levels, certifying at L1 instead of L0 lets you bid across a wider range without re-certifying per contract.

Level 1 in detail

Who needs it: Suppliers on Low CRP contracts. Typical profile: 10–250 employees, handling operationally significant but unclassified MOD information, often direct primes on mid-value contracts or tier-one subcontractors.

Technical baseline: Cyber Essentials (not CE Plus yet - that kicks in at L2).

What is assessed: Everything in L0 plus:

  • Formal Information Security Management System (ISMS) documentation
  • Risk management framework
  • Business continuity planning
  • Deeper access control evidence (privileged access management, session logging)
  • Data lifecycle management
  • Subcontractor flow-down assurance
  • Structured CSM v4 L1 evidence

How it is assessed: Consultant-led engagement with documentary review, interviews with key personnel (IT lead, security lead, operations lead, executive sponsor), and technical verification of specific controls. At Fig, the technology platform runs across in-scope systems to surface gaps before the formal assessment begins.

Timeline: 6–10 weeks for a prepared organisation; 12–20 weeks from a low starting baseline.

Price (Fig tier-based, 2026):

  • Micro (1–9): £9,999.99 – £14,999.99 + VAT
  • Small (10–49): £15,000 – £19,999 + VAT
  • Medium (50–249): £20,000 – £24,999 + VAT
  • Large (250+): £25,000 – £49,999 + VAT

What drives the range: Scope complexity, number of sites, subcontractor chain depth, and starting maturity.

Level 2 in detail

Who needs it: Suppliers on Moderate CRP contracts. Typical profile: mid-sized to large defence suppliers, primes on medium-value contracts, specialist suppliers handling sensitive MOD data or providing critical operational systems.

Technical baseline: Cyber Essentials Plus (CE Plus), not CE basic. This is a material step up because CE Plus requires hands-on technical testing by an assessor, not just documentary review.

What is assessed: Everything in L1 plus:

  • Formal risk assessment against CSM v4 L2
  • Privileged access management programme
  • Continuous vulnerability monitoring
  • Documented security operations capability
  • Regularly tested incident response
  • Multi-tier supply chain assurance
  • Staff vetting to higher standards (BPSS or SC where applicable)

How it is assessed: Formal assessor engagement with significant document review, structured interviews, and technical verification. Some controls may require on-site or remote verification.

Timeline: 3–6 months typical.

Who delivers it: L2 is not delivered by every DCC Certification Body. Bodies must hold specific L2/L3 accreditation, so suppliers typically engage NCC Group, Bridewell, or C3IA. See the DCC certification body comparison.

Level 3 in detail

Who needs it: Suppliers on High CRP contracts. Typical profile: major defence primes, suppliers handling classified information, critical technology suppliers, systems integrators on high-value operational contracts.

Technical baseline: Cyber Essentials Plus.

What is assessed: Everything in L2 plus:

  • Demonstrable operational maturity of ISMS
  • Active threat intelligence capability
  • Tested incident response including defence-specific scenarios
  • Advanced security operations (24/7 monitoring where relevant)
  • Stringent staff vetting (SC or above where applicable)
  • On-site verification of specific controls
  • Multi-tier supply chain assurance with active verification, not just attestation

How it is assessed: In-depth assessor engagement including on-site verification, interviews across the organisation, and technical testing of specific controls.

Timeline: 4–9 months typical.

Who delivers it: L3 requires specific L3 accreditation. NCC Group, Bridewell, and C3IA are the main L3-accredited bodies in the UK market.

Why most suppliers start at L0 or L1

Three reasons:

  1. Contract pipeline reality. Most new MOD suppliers start with Very Low or Low CRP contracts. Over-certifying at L2 to chase contracts you do not yet have is expensive and does not create a commercial advantage in the market you are actually competing in.
  2. Maturity curve. L2 and L3 require substantially more operational discipline than L0/L1. Most organisations benefit from building to that maturity over time rather than attempting it cold.
  3. Cost discipline. L0 is a four-figure engagement. L1 is a five-figure engagement. L2 and L3 are six-figure engagements. Match the investment to the commercial return.

That said, there is a valid case for certifying one tier higher than your current pipeline requires if your pipeline is trending toward that tier - it avoids having to re-engage at a more pressured deadline when the higher-CRP opportunity arrives.

How to decide which level you need

  1. Confirm your contract's CRP. The buyer specifies it in the tender documentation. If it is not stated, ask before bidding.
  2. Check your pipeline. If you are bidding on multiple contracts, certify at the level matching the highest CRP in your pipeline.
  3. Confirm Cyber Essentials baseline. L0/L1 need CE. L2/L3 need CE Plus. If you do not hold the baseline, that is the first step.
  4. Engage a Certification Body accredited at your required level. Not every body delivers every level - see the certification body comparison.

The path from L0 to L1

L0 certification is commonly used as a stepping stone to L1. The practical progression:

  1. Certify CE and DCC L0 first (14–21 days). This establishes the technical baseline and governance foundation.
  2. Build the additional L1 artefacts over the following 3–6 months - formal ISMS, risk register, business continuity plan, subcontractor assurance programme, privileged access management.
  3. Engage L1 assessment when the L1 pipeline becomes credible.

This is a more sustainable path than attempting L1 cold. Fig's L1 engagements for clients who already hold L0 typically complete faster and with fewer findings than engagements that skip the L0 step.


Frequently asked questions

Key questions from MOD suppliers researching this topic.

What are the four DCC levels used for?

DCC levels map cybersecurity assurance depth to contract risk. L0 covers Very Low CRP contracts, L1 covers Low CRP, L2 covers Moderate CRP, and L3 covers High CRP. Each level has broader evidence requirements and longer assessment timelines than the one below it.

Why do many suppliers start with DCC Level 0?

Level 0 is the practical entry point because it builds on Cyber Essentials (which many suppliers already hold) and aligns with the Very Low CRP contracts most new MOD suppliers take on. It also creates a foundation for L1 progression as the pipeline evolves.

Can we move to Level 1 after certifying at Level 0?

Yes. Many suppliers use L0 as the foundation and then expand governance, risk management, and technical assurance to transition to L1. L1 engagements for clients already holding L0 typically complete faster and with fewer findings.

Can a supplier hold a higher DCC level than a specific contract requires?

Often yes, if commercially useful. Holding a higher level can simplify bidding across mixed pipelines where contract assurance requirements vary, avoiding the need to re-certify for each opportunity.

How do we decide when to upgrade from Level 0 to Level 1?

Upgrade timing should follow pipeline demand, contract risk profile trends, internal maturity, and readiness to sustain stronger evidence and governance requirements. Typical upgrade signal: three or more Low CRP opportunities in the bid pipeline within 12 months.
