From DCPP to DCC: What the Transition Actually Means for Existing Defence Suppliers

For a decade, UK defence suppliers demonstrated cybersecurity compliance by completing a Supplier Assurance Questionnaire (SAQ) under the MOD's Defence Cyber Protection Partnership (DCPP) framework. That era is ending. Defence Cyber Certification (DCC) - independently assessed, formally certified - is now the scheme MOD buyers expect suppliers to hold.

The transition is neither instant nor uniform. Some primes have already moved to DCC-required procurement. Others still accept DCPP SAQ during a defined transition window. This guide explains what the transition actually means operationally: what existing DCPP suppliers need to do, on what timeline, and how to manage buyer communication while both models are live.

For the broader scheme context, see the DCC explainer and the DCC levels guide.

Where things stood under DCPP

The DCPP framework had three moving parts:

1. Cyber Risk Profile (CRP). The MOD classified each contract as Very Low, Low, Moderate, or High risk based on the data and systems involved.
2. DEFSTAN 05-138. The defence standard that specified controls required at each CRP level.
3. Supplier Assurance Questionnaire. A self-completed questionnaire where suppliers declared which DEFSTAN 05-138 controls were in place.

SAQ responses were recorded by the buyer and occasionally spot-checked, but there was no systematic independent verification. The gap between "the supplier declared this" and "the supplier actually does this" was the single largest weakness of the DCPP model, and the rationale for moving to DCC.

What DCC changes operationally

DCC keeps the CRP framework (because it works) and keeps DEFSTAN 05-138 as the underlying standard. What changes is verification. Three concrete shifts:

1. Independent certification. An IASME-licensed Certification Body reviews evidence and issues the certificate. The supplier cannot certify themselves.
2. Standardised levels. The four CRP tiers map to four DCC levels (L0–L3). Buyer specifies the CRP; the DCC level is determined, not negotiated.
3. Continuous compliance model. Certificates are valid three years with annual attestation. This replaces per-tender SAQ submissions.

Under DCPP, a supplier submitted a fresh SAQ for each procurement. Under DCC, a supplier holds a certificate that covers multiple procurements at or below its CRP tier, simplifying bidding.

What DCPP-attested suppliers need to do

The answer depends on your pipeline and buyer posture. Three scenarios:

Scenario 1: Your primary buyer has moved fully to DCC

Some primes (typically the larger ones that were early adopters in the DCC scheme's first year) have moved their supplier base entirely to DCC. If your buyer is in this category, you have a limited window to certify at the DCC level matching your contract CRP. Delay risks exclusion from renewal or future procurement. Plan to certify within three to six months.

Scenario 2: Your buyer is accepting DCPP SAQ during a transition window

Most primes are still accepting DCPP SAQ during a defined transition window, usually with a stated deadline ("DCC required by [date]"). Work backwards from that deadline - add 14 to 21 days for L0 or 6 to 10 weeks for L1 - and start the engagement with a Certification Body before that backstop.

Scenario 3: Your buyer has not yet stated a DCC deadline

Do not wait. The direction of travel is unambiguous: DCC will become mandatory across the MOD supply chain within two to three years. Suppliers who certify early see two benefits: commercial advantage in competitive bids, and the ability to manage the certification on their own schedule rather than under deadline pressure.

How SAQ history maps to DCC preparation

Your existing DCPP submissions are useful as a starting point but do not substitute for DCC evidence. The main differences:

• Evidence standard. SAQ was declarative; DCC requires operational evidence for every answer. A policy statement in SAQ is one line; in DCC it is a policy document plus records of its operation.
• Scope formalism. DCC scope is documented, agreed, and locked in the IASME portal. SAQ scope was often implicit.
• Assessment depth. SAQ was reviewed by the buyer (if at all) at a high level. DCC is independently audited against specific criteria.

A supplier with a strong DCPP record will typically close the gap to DCC L0 in two to three weeks, and to L1 in six to eight weeks. A supplier with a thin DCPP record may find the gap is larger.

Annual attestation under DCC

One of the biggest operational changes under DCC is the continuous compliance model. Rather than submitting a fresh SAQ every tender, a DCC-certified supplier holds a three-year certificate with annual attestation at months 12 and 24.

Annual attestation:

• Confirms that the certified controls continue to operate.
• Involves a lightweight review by the Certification Body (not a full re-audit).
• Is typically a two-to-five-day engagement, not a multi-week assessment.
• Requires the supplier to notify the Certification Body of any material change to scope, controls, or structure during the year.

At Fig, annual attestation is included in the three-year certification fee. Some bodies charge for annual attestation separately; confirm this when comparing quotes (see the DCC pricing guide).

What to tell your buyers during the transition

Buyers appreciate suppliers who communicate proactively about their DCC progress. A good template:

> We are currently certified under DCPP via SAQ as of [date] and are engaged with [Certification Body] for DCC Level [X] certification with a planned completion of [date]. We will share the DCC certificate as soon as it is issued and will continue to meet the DCPP attestation requirements through the transition.

This demonstrates awareness, commitment, and a concrete plan. It also gives the buyer the information they need for their own transition planning.

The risk of delay

Two risks for suppliers who delay the DCC transition:

1. Procurement exclusion. If a prime tightens its requirements at a tender deadline, an uncertified supplier may be ineligible to bid. DCC L1 takes 6–12 weeks to complete; you cannot start it on the day the tender closes.
2. Assessor availability. As the transition accelerates, demand for Certification Body capacity is rising. Booking an L1 engagement with a preferred body in Q4 2026 or Q1 2027 is materially harder than it was in early 2026.

The practical conclusion: certify now at the level matching your current pipeline, whether or not your current buyer is formally requiring it.

How Fig Group supports the transition

Fig's DCPP-to-DCC transition support includes:

• Gap analysis against the specific CSM v4 level you need, using your existing DCPP SAQ as a starting point.
• Evidence preparation to upgrade from declarative SAQ answers to operational DCC evidence.
• Technology platform analysis across your in-scope estate to surface technical gaps before assessment.
• Consultant-led engagement throughout, not handover to an audit team.

L0 pricing starts at £999.99 + VAT; L1 pricing starts at £9,999.99 + VAT for micro organisations. See DCC pricing for the full breakdown.

Talk to a DCC assessor → | View DCC pricing →