Our expertise
Our services
Who we serve
Insights
About us
Digital Threat Digest Insights Careers Let's talk

DCC Applicant Guidance May 2026 update: Here’s what you need to know

Everything you need to know about the latest DCC Applicant Guidance update, and how it impacts you.

SMSSC
Samuel Middleton, Senior Security Consultant
Double circle designs2

The Ministry of Defence (MoD) recently requested that all industry partners must achieve at least DCC Level 0 by the end of 2026.

To support the application process, the Defence Cyber Certification (DCC) Applicant Guidance has been updated as of May 2026. If you’re considering or working towards DCC certification, or preparing for assessment, you should now refer to this latest version of this document . 

The updates bring clarity to several areas including scoring, the Level 2/3 hybrid approach and what happens if your Assessment Submission Record is incomplete. 

Here’s a summary of what’s changed and what it means for your application, whether you’re considering DCC or currently in the certification process.

Support with DCC from third parties

The updated guidance provides clarity that applicants can seek external support from a third party throughout the process. They do not need to be an official DCC certification body; however, choosing a provider who understands the controls, scoping requirements and what assessors are looking for is highly recommended and will put you in a stronger position to pass the audit successfully.

A good provider can support you by:

  • Explaining the DCC scheme and its certification levels. 
  • Clarifying the controls and provide guidance on how to meet them. 
  • Helping you understand the questions and identify the key components needed for a complete and accurate response. 
  • Describing the evidence required to demonstrate that a control has been met. 
  • Verifying the scope of your assessment.
  • Providing template documents for your use. 
  • Offering support to help you meet Cyber Essentials or Cyber Essentials Plus, as allowed under the current Cyber Essentials scheme. 
  • Facilitating Clarification Rounds (as defined later in the process). 
  • Helping you achieve Cyber Essentials/Cyber Essentials Plus. 
Conflict of interest

The updated guidance now includes further information on the ‘Conflict of Interest’ statement, including an example of how it should be completed. Where conflict exists, it must be declared and signed by both parties where a conflict exists. Failure to disclose a conflict could result in the entire assessment being failed.

The concern is straightforward: If the organisation helping you prepare for DCC is also the one certifying you, their ability to act as an impartial assessor is compromised. The guidance provides an example statement that can be used, but the responsibility to identify and declare any conflict sits with both the applicant and the Certification Body.

It’s worth noting that a Certification Body that has previously assessed you for Cyber Essentials or Cyber Essentials Plus is not automatically conflicted as those are separate schemes and that prior relationship is considered acceptable. 

The practical takeaway here is: If you’re using external support to get assessment-ready, make sure the boundary between preparation and certification is clearly defined and documented from the outset.

Your responsibilities under DCC


The updated guidance includes a dedicated section on what the applicant is responsible for throughout the certification process. 

These responsibilities are:

  • Determining the scope of the assessment. 
  • Accurately documenting and recording the scope. 
  • Completing the Assessment Submission Record. 
  • Assisting the Assessor. 
  • Document storage and retention. 
  • Maintaining certification. 

The guidance also states that its solely the applicant's responsibility to ensure the DCC scope is both adequate and accurate. Before determining what falls within or outside of scope, applicants must consult the DCC Scoping Guide. The scope documentation itself must be clear and detailed, covering what is included and excluded, and should include business organisation diagrams, network diagrams and lists of systems. It must also explicitly indicate which systems fall within the scope of your Cyber Essentials or Cyber Essentials Plus certification.

This documentation exists to give assessors and moderators a clear and unambiguous picture of what is being assessed. An unclear or poorly structured scope can add unnecessary delays to the process if the assessor needs to seek clarity before they can proceed.

Hashing

There is also more detail around hashing and why it matters, but no support on how to do   it. There are multiple free methods to achieve this, but it must be using SHA-256. 
Windows, Linux and Mac have in-built solutions which can support with one file at a time; such as ‘certutil’, ‘sha256sum’ and ‘shasum’. They can be used to create SHA-256, but due to the volume of evidence, you may have to be creative to hash on mass. Always read the manuals for the tools before using.

Document storage and retention 

Evidence must be retained for 3.5 years from the point of certification and the MoD or IASME may request documentation for moderation at any point within that window. You must also be able to evidence that no data has been altered since submission.

Maintaining certification 

A significant change in your scope   outside of normal operational changes may require a full renewal of the certification. If your organisation is planning any changes that could affect what falls within your DCC scope, you should consult with your Certification Body.

DCC guidance over time

Finally, the guidance acknowledges important element: Def Stan 05-138i4, the underlying controls standard that DCC is built on, was finalised in May 2024 and will inevitably become dated as technology evolves. If a question in the assessment appears to reference old technologies or seems unclear in the context of your current environment, it can’t be marked as not applicable or ignored. The DCC guidance will be updated over time to reflect changes, which is why it is essential to always work from the latest version of the standard.

How we can support you with DCC

We work with defence suppliers across the supply chain on DCC readiness—from scoping and gap analysis through to audit-ready submission. If you want to understand where your organisation stands today or need support closing security gaps before your assessment, let’s talk.