How Long Does Defence Cyber Certification Take? A Realistic Timeline for L0 and L1 Assessment

The most common question I get from defence suppliers in the first conversation about DCC is how long the certification takes. The honest answer is that it depends less on the Certification Body's turnaround than on the supplier's own starting posture - and the gap between "we have our act together" and "we have a lot of work to do" is the single biggest driver of timeline.

This guide walks through realistic timelines for L0 and L1 DCC certification. It covers what happens at each phase, where the time actually goes, and what a supplier can do to compress the overall engagement without cutting corners.

Level 0: the fastest DCC path

DCC Level 0 sits at the bottom of the maturity model. It applies to contracts with a Very Low Cyber Risk Profile - typically support services, non-sensitive logistics, or facilities work that does not handle operationally important data. L0 requires a valid Cyber Essentials certificate as the underlying technical baseline, plus a set of additional defence-specific attestations on supplier governance, staff vetting, and incident response.

Timeline for a prepared organisation: 2 to 3 weeks end-to-end.

The phases:

1. Readiness verification (days 1 to 5). Confirm the organisation holds a current Cyber Essentials certificate. If it does not, the CE assessment is usually same-day (Fig's standard service is a 6-hour turnaround from submission). Confirm the supplier's scope matches the contract requirements - remote workers, cloud services, BYOD, subcontractors all in or out.

1. Documentation submission (days 3 to 7). The supplier submits evidence against the L0 requirements via the IASME portal. This covers governance documentation (cybersecurity policy, incident response plan, staff vetting process), technical controls beyond CE (supply chain risk management, data handling procedures), and confirmation of CSM compliance.

1. Assessor review (days 7 to 14). The Certification Body's assessor reviews the submission, flags any gaps, and requests clarification where needed. A well-prepared submission typically needs one round of clarification; a rushed one often needs two or three.

1. Certificate issue (days 14 to 21). Once all clarifications are resolved, the certificate is issued and the supplier is added to the IASME DCC register.

What lengthens the L0 timeline:

• No current Cyber Essentials certificate. Add 1 to 7 days depending on CE body speed and readiness.
• Incomplete governance documentation. If the cybersecurity policy is a two-page stub written for Cyber Essentials, it will need expansion for DCC.
• Poorly-defined scope. If the supplier cannot clearly delineate which parts of their business fall under DCC and which do not, the assessor will keep asking.
• Subcontractor questions. L0 asks about supply chain risk management. If the supplier has not thought about how they manage their own suppliers, that conversation takes longer.

What compresses the L0 timeline:

• Hold current Cyber Essentials before starting DCC. This removes the CE dependency from the critical path.
• Have governance documentation ready. The MOD expects a proper Information Security Policy, Incident Response Plan, and Data Protection procedures as evidence. These should exist independent of DCC.
• Engage a Certification Body with same-week assessor availability. The assessor queue is where L0 timelines most often slip. A body with dedicated DCC assessor capacity turns submissions around in days rather than weeks.

For a supplier who already holds Cyber Essentials, has documented their governance properly, and has a clear scope, L0 DCC in 14 days is realistic. For a supplier starting from a low baseline, three to six weeks is the honest expectation.

Level 1: a substantively larger engagement

DCC Level 1 is where the assessment becomes materially more involved. It applies to contracts with a Low Cyber Risk Profile - typically suppliers handling operationally significant but non-classified information, or suppliers with systems connected to MOD infrastructure. L1 still requires Cyber Essentials as a baseline (not CE Plus yet; that kicks in at L2), but the supplementary requirements are considerably deeper than L0.

Timeline for a prepared organisation: 6 to 12 weeks end-to-end.

The phases:

1. Pre-engagement scoping (week 1). A consultant works with the supplier to confirm contract Cyber Risk Profile, define scope, identify high-level gaps against L1 requirements, and agree an assessment plan. This is not busywork; it is where the supplier often learns what they actually need to do.

1. Evidence preparation (weeks 1 to 4). The supplier produces the documentary and technical evidence required for L1. This typically covers: Information Security Management System documentation, risk assessment processes, access control frameworks, data lifecycle management, incident response and business continuity plans, supply chain assurance evidence, staff security vetting records, physical security controls. The specific list depends on the supplier's scope.

1. Technology platform assessment (weeks 2 to 4). Where Fig is the Certification Body, we run our technology platform over the supplier's in-scope systems to identify gaps in cyber defences automatically. This surfaces issues that documentary evidence would not - for example, a public-facing server with an unpatched CVE, a cloud service with permissive IAM policies, an unused privileged account still active. The supplier has the opportunity to remediate before formal assessment, which materially reduces the risk of failure.

1. Consultant engagement (ongoing). L1 clients work with a dedicated consultant throughout the engagement. The consultant reviews evidence as it is produced, flags gaps, proposes remediation, and ensures the supplier's submission is assessment-ready before formal review. This is the single biggest difference between L0 and L1 in engagement model terms.

1. Formal assessment (weeks 4 to 8). The Certification Body's assessor conducts the formal review. This typically involves document review, interviews with key personnel (IT lead, security lead, operations lead, CEO or equivalent for governance attestation), and sometimes remote or on-site verification of specific controls.

1. Remediation window (weeks 6 to 10). Where the assessor identifies gaps, the supplier has a defined window to remediate. The consultant supports the remediation. A well-prepared supplier may have no significant remediation; a supplier starting from a low baseline may have several weeks of work.

1. Certification (weeks 8 to 12). Once all requirements are met, the certificate is issued. The supplier is added to the IASME DCC register at L1.

What lengthens the L1 timeline:

• Poor evidence baseline. If the supplier does not have an ISMS, no existing incident response plan, no risk register, these have to be built from scratch.
• Technology platform findings. If our platform surfaces significant gaps in cyber defences, those require remediation before the certificate can issue. This is good - the alternative is a certificate that would not survive an actual incident - but it adds time.
• Subcontractor complexity. Suppliers with a complex subcontractor chain (common in construction, professional services, and systems integration) need evidence of flow-down controls to their own suppliers. This takes time to produce.
• Staff availability. L1 requires engagement from senior leaders (governance attestation), IT leads (technical evidence), and operations leads (process evidence). Scheduling these interviews can extend the assessor phase.

What compresses the L1 timeline:

• Hold DCC L0 already. If L0 is already in place, the governance and documentation baseline is partially there.
• Engage consultancy support early. The organisations that fly through L1 are the ones that engaged a consultant from day one rather than attempting self-directed preparation.
• Use a technology platform to identify gaps pre-assessment. Surfacing issues before the assessor arrives means those issues can be fixed quietly rather than forming formal findings.
• Have a dedicated internal lead. L1 is not a part-time side project for the operations manager. It needs a dedicated internal lead with executive backing.

The honest answer to the overall question

For a well-prepared organisation:

• L0 DCC: 14 to 21 days.
• L1 DCC: 6 to 10 weeks.

For an organisation starting from a low baseline:

• L0 DCC: 4 to 8 weeks.
• L1 DCC: 12 to 20 weeks.

The variance is almost entirely driven by preparation, not by the Certification Body. A supplier who comes to DCC with good hygiene already in place will certify quickly regardless of which body they pick. A supplier starting from poor hygiene will take time whether they work with Fig, NCC Group, Bridewell, or any other assessment body.

The argument for picking a specific Certification Body is not that it makes a slow supplier fast. It is that a body with technology platform support and consultant-led engagement (rather than pure audit-and-report) materially compresses the preparation phase by catching gaps early, supporting remediation, and avoiding the adversarial back-and-forth that pure audit engagements can produce.

That is the model Fig runs. More on that in the specific comparison article.

Primary sources

• IASME Consortium — Defence Cyber Certification — scheme administrator with licensed Certification Body lookup.
• NCSC — Cyber Essentials — CE is the technical prerequisite underpinning DCC L0 and L1, and timeline decisions depend on whether CE is already in place.
• GOV.UK — Cyber security for defence suppliers — sets the Cyber Risk Profile framework that determines the DCC level the supplier must certify at.

Talk to a DCC assessor → | See DCC pricing →