DCC Requirements Checklist 2026: The Full L0 and L1 Readiness List Against CSM v4

Most suppliers preparing for Defence Cyber Certification want a single consolidated list of what is required. The MOD publishes CSM v4 (December 2025) and IASME publishes the assessment questions, but neither publishes a single readiness checklist. This article closes that gap. It is the checklist I walk through with Fig's L0 and L1 clients on the first scoping call, grouped by control family, with specific evidence artefacts named for each item.

Use it to audit your starting posture before engaging a Certification Body. Gaps found now are cheap to fix. Gaps found during formal assessment are findings.

For context on the underlying process, see the DCC L0 process walkthrough and DCC timeline guide. For the broader scheme, see the DCC explainer.

How to use this checklist

Work through each item. For each, record:

• Status: In place / partial / not in place.
• Evidence location: The specific file, dashboard, or system where the evidence lives.
• Owner: The named person accountable for the control.

Every "partial" or "not in place" is pre-assessment remediation work. Fig's rule of thumb: if more than 20% of the checklist items are "partial" or "not in place", plan for four weeks of preparation before engaging formal assessment.

Section A: Cyber Essentials prerequisite

• [ ] Valid Cyber Essentials certificate (CE for L0/L1, CE Plus for L2/L3).
• [ ] CE scope documented and matches intended DCC scope.
• [ ] CE certificate does not expire within 90 days of planned DCC submission.

Section B: Five technical controls (both L0 and L1)

Firewalls

• [ ] Perimeter firewall rulesets documented with rule creation dates.
• [ ] Cloud security groups / network ACLs documented for every cloud environment.
• [ ] Firewall administrative access is MFA-protected.
• [ ] Default firewall admin credentials have been replaced.
• [ ] Quarterly firewall rule review log exists.
• [ ] No public-facing SSH (port 22) or RDP (port 3389) from `0.0.0.0/0`.

Secure configuration

• [ ] Documented secure build standard per device type (Windows, macOS, Linux, mobile).
• [ ] MDM or configuration management enforces the build standard.
• [ ] Default accounts (Administrator, root, admin) have strong passwords.
• [ ] Guest and unused accounts disabled.
• [ ] Users do not operate as local administrators day-to-day.
• [ ] Cloud configuration baselines (CIS or equivalent) documented and applied.

Security update management

• [ ] Patch management policy with 14-day critical SLA.
• [ ] Patch deployment evidence for last 30 days (dashboard or reports).
• [ ] No in-scope system past end-of-life.
• [ ] Firmware update evidence for network equipment.
• [ ] Exception log for any systems outside SLA.

User access control

• [ ] Joiner-mover-leaver process documented.
• [ ] Last five leaver account closures within SLA.
• [ ] Quarterly user access reviews with sign-off.
• [ ] MFA enforced (not just enabled) on Microsoft 365, Google Workspace, AWS, Azure, or equivalent.
• [ ] Administrators have separate standard and elevated accounts.
• [ ] No shared accounts on line-of-business systems.

Malware protection

• [ ] AV/EDR deployed on all in-scope endpoints.
• [ ] Management console shows current definitions within 24 hours.
• [ ] Recent alert handling evidence (ticket log).
• [ ] Email gateway attachment and link scanning configured.
• [ ] Servers included in AV scope.

Section C: Governance evidence (both L0 and L1)

• [ ] Information Security Policy covering scope, roles, acceptable use, data classification, incident reporting, remote working, supplier management, physical security.
• [ ] Policy signed by a director.
• [ ] Policy reviewed within last 12 months.
• [ ] Acceptable Use Policy signed by every in-scope user.
• [ ] Incident Response Plan with named roles, notification thresholds, and MOD contact route.
• [ ] At least one tabletop incident exercise completed in last 12 months.
• [ ] Documented risk register with last review date.
• [ ] Data classification scheme documented and applied.

Section D: Supply chain (both L0 and L1)

• [ ] Supplier Due Diligence procedure.
• [ ] Register of in-scope suppliers with their CE certificates (where applicable).
• [ ] Contracts with MSPs include security and data protection clauses.
• [ ] Flow-down assurance evidence for tier-one subcontractors with access to MOD information.

Section E: Staff security (both L0 and L1)

• [ ] BS 7858 vetting certificates for personnel in sensitive MOD-related roles.
• [ ] Annual security awareness training records for all in-scope users.
• [ ] Induction process includes information security briefing.
• [ ] Starter checklist covers account provisioning, MFA enrolment, and policy acknowledgement.

Section F: Physical security (both L0 and L1)

• [ ] Access control records for office locations.
• [ ] Visitor log for office locations.
• [ ] Clean desk / clear screen practice documented and observed.
• [ ] Secure disposal process for hard-copy MOD information.
• [ ] Device loss/theft reporting process.

Section G: L1-specific additions

ISMS documentation

• [ ] ISMS scope statement.
• [ ] ISMS policy.
• [ ] Asset inventory including information assets, systems, and personnel.
• [ ] Risk assessment methodology documented.
• [ ] Risk treatment plan with residual risk sign-off.

Access management (deeper than L0)

• [ ] Privileged Access Management (PAM) tooling or documented manual process.
• [ ] Session logging for privileged access, retained 12+ months.
• [ ] Privileged account inventory.
• [ ] Break-glass account process documented.

Data lifecycle

• [ ] Data retention schedule.
• [ ] Secure data destruction records.
• [ ] Encryption-at-rest evidence for MOD information.
• [ ] Encryption-in-transit evidence (TLS configuration exports).

Business continuity

• [ ] Business Impact Analysis.
• [ ] Business Continuity Plan.
• [ ] Last BCP test or rehearsal in last 12 months.
• [ ] Recovery Time Objective and Recovery Point Objective documented per critical service.

Vulnerability management (deeper than L0)

• [ ] Monthly vulnerability scan evidence (external).
• [ ] Monthly vulnerability scan evidence (internal).
• [ ] Remediation tracking for findings, with SLA by severity.

Section H: CSM v4 attestation specifics

• [ ] CSM v4 attestation statement prepared and signed.
• [ ] Scope statement matches IASME portal record.
• [ ] Senior officer sign-off (director-level or above).
• [ ] Supplier Assurance Declaration included (for buyers still requesting it alongside DCC).

Section I: Commercial and commercial-operational evidence

• [ ] Valid Employer's Liability and Public Liability insurance.
• [ ] Cyber insurance policy with incident response cover (recommended, not mandatory at L0).
• [ ] Data Protection Officer nominated (if required under UK GDPR).

Using the checklist with a Certification Body

Bring the completed checklist to your first scoping call with a Certification Body. A responsible body will walk through it with you, validate the "in place" items against the evidence you have, flag partials, and help you estimate the remediation effort. At Fig, this is a two-hour engagement at the start of the L1 process and an hour for L0.

If your starting position is strong (15% or less partial/missing), L0 is an 18-day proposition and L1 is an 8-week proposition. If your starting position is weaker, timelines extend in line with the remediation work required.

For tier-specific pricing and what a consultant-led engagement actually includes, see the DCC pricing guide.

Talk to a DCC assessor → | View DCC pricing →