One of the most misunderstood aspects of DCC is the supply chain assurance requirement. Many suppliers assume that holding a DCC certificate covers them - that their buyer's due diligence on them is the end of the chain. It is not. DCC requires certified suppliers to assure their own suppliers, and assessors will test this on every L0 and L1 engagement. This guide walks through what supply chain assurance actually means under DCC, what evidence is expected, and how to build a proportionate process.
The principle
The MOD's security concern is not only about the supplier holding the contract. It is about every organisation that touches MOD information, directly or indirectly. If a defence supplier shares MOD data with a subcontractor, the subcontractor becomes part of the attack surface. The CSM v4 framework recognises this and requires flow-down: certified suppliers must impose appropriate security requirements on their own suppliers who handle MOD-facing work.
This is captured in the DCC evidence pack as "supply chain risk management". Assessors expect:
- A documented register of your suppliers who support MOD-facing services.
- Evidence of due diligence performed on those suppliers before onboarding.
- Contractual flow-down of security requirements to relevant suppliers.
- A process for reviewing supplier security posture on an ongoing basis.
What counts as a "supplier" in this context
The scope of "supplier" in DCC supply chain assurance is broader than the word usually implies. It includes:
- Direct subcontractors - organisations you pass work to that handle MOD data.
- Critical SaaS providers - the platforms you use to handle MOD information (Microsoft 365, Salesforce, a secure file transfer service, the project management tool where MOD project data lives).
- Hosting and infrastructure providers - where the MOD data physically resides.
- Professional services providers - IT managed services, outsourced helpdesks, offshore development teams, auditors and consultants who may come into contact with MOD information.
- Agency and contract staff - where those individuals operate under a separate commercial entity rather than direct employment.
The assessor is not expecting you to document every office supplies vendor. The test is: does this supplier have meaningful access to MOD information or MOD-facing systems? If yes, they are in scope for supply chain assurance.
The supplier register
The foundation evidence is a supplier register. For a small defence supplier this may be a single spreadsheet with columns for:
- Supplier name.
- Nature of service provided.
- Type and sensitivity of MOD data accessed.
- Date of last due diligence review.
- Security certifications held (e.g. ISO 27001, SOC 2, CE, CE Plus, DCC).
- Contractual flow-down status (whether security clauses are in place).
- Risk rating (low / medium / high based on data sensitivity and supplier posture).
- Review cadence (annual / six-monthly / quarterly).
For larger suppliers the register is typically in a dedicated supplier risk management tool. The format does not matter to the assessor; the substance does.
Due diligence: what assessors expect
Before onboarding a supplier who handles MOD data, the certified supplier is expected to conduct appropriate due diligence. The depth scales with risk:
Low-risk suppliers (minimal MOD data access, well-established UK firms, holding recognised certifications): a standard cybersecurity questionnaire, evidence of current CE or equivalent, and a signed security-clauses addendum to the commercial contract.
Medium-risk suppliers (regular MOD data access, mission-critical infrastructure, offshore components): a detailed security questionnaire, evidence of certification against recognised frameworks (CE Plus, ISO 27001, SOC 2), contractual flow-down of specific security requirements, right-to-audit clauses, incident notification requirements.
High-risk suppliers (handle classified or highly sensitive MOD information): formal security assessment or audit, ISO 27001 or higher certification, contractual requirement to hold DCC certification themselves at an appropriate level, regular on-site or remote security reviews, 24-hour incident notification commitments.
Contractual flow-down
The flow-down is typically achieved via a Security Schedule appended to the commercial contract. At minimum this should cover:
- Confidentiality requirements matching or exceeding those the supplier has to the MOD.
- Minimum security standards (usually benchmarked against CE or CE Plus).
- Incident notification obligations (typically within 24-72 hours of discovery).
- Right to audit or inspect supplier security posture.
- Data handling requirements, including geographic storage location and destruction obligations.
- Subcontracting restrictions - the supplier's supplier cannot further subcontract MOD work without consent.
- Personnel vetting requirements for staff with MOD data access.
For small suppliers, a two- or three-page Security Schedule is sufficient. The assessor is looking for evidence that the flow-down exists and is applied - not for a 40-page legal document.
Ongoing review
DCC expects supply chain assurance to be continuous, not one-off. Common patterns:
- Annual review for all suppliers in the register, covering certification renewal and any change to scope or risk rating.
- Six-monthly or quarterly review for medium- and high-risk suppliers.
- Event-triggered review on any of: supplier acquisition/merger, reported security incident, loss of certification, change of data handling practice.
Evidence of these reviews is the artefact assessors check. A register that has not been reviewed in 18 months is a finding.
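As an added illustration (this is not code from the original guide or from Fig's platform), the register and ongoing-review rules from the two sections above can be applied mechanically. The Python checker below runs over a constructed supplier register and flags: a review that is overdue for its stated cadence, the hard "not reviewed in 18 months" finding, a cadence too infrequent for the supplier's risk rating, missing contractual flow-down or certification evidence, a high-risk supplier that does not hold DCC, and any event that should trigger an out-of-cycle review. The day thresholds, the reading that medium- and high-risk suppliers both need at least six-monthly review, the trigger-event names and the sample suppliers are all assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date

# Review cadence names as used in the register, mapped to the maximum number
# of days allowed between reviews (assumed values for this example).
CADENCE_DAYS = {"annual": 365, "six-monthly": 182, "quarterly": 91}

# Minimum cadence per risk rating. The guide requires annual review for every
# supplier and six-monthly or quarterly review for medium- and high-risk ones;
# treating both as "at least six-monthly" is a simplification assumed here.
MIN_CADENCE_FOR_RISK = {"low": "annual", "medium": "six-monthly", "high": "six-monthly"}

# A register entry not reviewed for this long is a finding regardless of cadence
# (18 months approximated as 540 days).
STALE_DAYS = 18 * 30

# Events since the last review that must trigger an out-of-cycle review
# (names are constructed for this example).
TRIGGER_EVENTS = {"acquisition", "merger", "incident", "certification_lost", "data_handling_change"}


@dataclass
class Supplier:
    name: str
    service: str
    data_accessed: str
    risk: str                      # low / medium / high
    cadence: str                   # annual / six-monthly / quarterly
    last_review: date
    certifications: tuple = ()     # evidence actually collected and on file
    flow_down_in_place: bool = False
    events_since_review: tuple = ()


def cadence_is_sufficient(risk: str, cadence: str) -> bool:
    """True if the register's cadence is at least as frequent as the minimum for the risk rating."""
    return CADENCE_DAYS[cadence] <= CADENCE_DAYS[MIN_CADENCE_FOR_RISK[risk]]


def check_supplier(s: Supplier, today: date) -> list:
    """Return the list of findings an assessor would raise for one register entry."""
    findings = []
    age_days = (today - s.last_review).days
    if age_days > STALE_DAYS:
        findings.append("review older than 18 months")
    elif age_days > CADENCE_DAYS[s.cadence]:
        findings.append(f"review overdue for {s.cadence} cadence")
    if not cadence_is_sufficient(s.risk, s.cadence):
        findings.append(f"{s.cadence} cadence too infrequent for {s.risk} risk")
    if not s.flow_down_in_place:
        findings.append("no contractual flow-down")
    if not s.certifications:
        findings.append("no certification evidence on file")
    if s.risk == "high" and "DCC" not in s.certifications:
        findings.append("high-risk supplier without DCC certification")
    triggered = TRIGGER_EVENTS.intersection(s.events_since_review)
    if triggered:
        findings.append("event-triggered review required: " + ", ".join(sorted(triggered)))
    return findings


def check_register(register, today: date) -> dict:
    """Map supplier name to its findings, including only suppliers with at least one finding."""
    report = {}
    for s in register:
        findings = check_supplier(s, today)
        if findings:
            report[s.name] = findings
    return report


# Constructed sample register for a small supplier; the dates and suppliers are invented.
TODAY = date(2025, 6, 1)
SAMPLE_REGISTER = [
    Supplier("Microsoft 365", "email and document storage", "MOD project correspondence",
             "medium", "six-monthly", date(2025, 2, 1), ("ISO 27001", "SOC 2"), True),
    Supplier("Offshore dev partner", "software development", "anonymised MOD project data",
             "high", "annual", date(2024, 9, 1), ("ISO 27001",), True),
    Supplier("Secure file transfer SaaS", "MOD document exchange", "MOD deliverables",
             "medium", "quarterly", date(2023, 10, 1), ("CE Plus",), False),
    Supplier("Outsourced helpdesk", "IT support", "endpoint and account access",
             "medium", "six-monthly", date(2025, 3, 15), ("CE",), True, ("certification_lost",)),
]

if __name__ == "__main__":
    for name, findings in check_register(SAMPLE_REGISTER, TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Running it against the sample register reports nothing for Microsoft 365, flags the offshore partner for an annual cadence that is too lax for high risk and for lacking DCC, flags the file transfer service for a review older than 18 months with no flow-down in place, and flags the helpdesk for a lost certification that requires an out-of-cycle review. The same structure carries over to a spreadsheet export: each row becomes a Supplier and the findings list is the evidence of the review having been performed.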
What assessors actually check
In an L0 assessment the supply chain evidence conversation is typically 20-30 minutes. Expect the assessor to:
- Ask to see the supplier register.
- Pick two or three suppliers at random and ask about due diligence performed.
- Ask to see the Security Schedule template and one or two completed examples.
- Ask how a supplier incident would be handled - what the notification route is, who at your organisation would be informed.
- Test your understanding of which of your suppliers are actually in scope.
At L1 the conversation is deeper and often includes evidence review of specific supplier contracts. At L2 and L3 it becomes substantially more detailed - multi-tier flow-down, supplier audits, on-site verification.
Common mistakes
No register at all. The most common finding at L0. "We use AWS for hosting" without a documented register of cloud providers, SaaS tools, and critical suppliers is insufficient.
Register is out of date. A register last updated 18 months ago, with several suppliers that no longer exist or several new suppliers missing, fails the ongoing review test.
Security Schedule in the contract but never actually applied. The clauses exist, but no evidence that supplier incidents have ever been reported under them, or that audit rights have ever been exercised, or that certification evidence has been collected.
Treating BYOD or freelance staff as "not suppliers". Freelancers working on MOD projects on their own laptops are effectively an extended workforce with significant security implications. They should be in the supply chain register.
Ignoring geographic data handling. Suppliers who outsource to offshore jurisdictions must be able to evidence where MOD data is stored and processed. "Our helpdesk is in India" without corresponding data handling controls is a finding.
A proportionate approach for small suppliers
A five-person supplier with three SaaS providers and one offshore development partner does not need an enterprise supply chain programme. What is expected is:
- A one-page supplier register covering the four suppliers.
- A two-page Security Schedule used for each supplier relationship.
- Evidence of certification held by each supplier (CE, ISO 27001, SOC 2 reports for the SaaS tools).
- A note confirming annual review date and the person responsible.
That evidence pack satisfies the L0 requirement for a small organisation. L1 adds more depth, particularly around the offshore development partner.
Connecting this to scope and scoping
Supply chain assurance cannot be disentangled from DCC scoping. The boundary of your DCC scope determines which suppliers matter. A supplier outside your DCC scope but still connected to MOD data in some way is a gap that will surface at assessment.
Scoping decisions like "we handle MOD email separately from our main business" or "our offshore developers only see anonymised data" need evidence, not assertion. The scope conversation and the supply chain conversation overlap substantially and benefit from being run together early in the engagement.
How Fig supports supply chain assurance
As part of an L1 engagement Fig works through the supplier register with the customer, reviews the Security Schedule template, and surfaces supplier-related gaps using the Fig technology platform. For L0 engagements we provide a supplier register template and Security Schedule template that satisfy the assessor's expectations without over-engineering the documentation for a small supplier.