Are you a supplier in the defence sector? You need to know about DCC

Samuel Middleton, Senior Security Consultant

The UK Ministry of Defence (MoD) has introduced the new Defence Cyber Certification (DCC) scheme: a security framework for suppliers in the defence supply chain, designed to enhance overall resilience against cyber threats.

The DCC is an organisation-wide single comprehensive certification, set to replace, but currently running alongside, the old ‘per-contract’ approach. Suppliers must obtain a DCC certification at the right level to qualify for specific MoD contracts.

Even if your organisation is small, the DCC scheme applies if you deliver services or products that could impact MoD security, even indirectly.

If you’re just getting started on your DCC journey, here’s what you need to know.


What levels of certification are there?

There are four DCC levels determined by the MoD, based on the contract risk level:

  • Level 0: Low-risk contracts
  • Levels 1–3: Increasing levels of sensitivity and cyber risk

Suppliers should target the level relevant to the contracts they want to pursue. Going beyond the necessary level can be time-consuming and expensive, but aiming too low can prevent eligibility for certain contracts.

How does the assessment work?

The assessment is completed by a Certified Assessor recognised by IASME. For first-time applicants starting from scratch, we recommend allowing yourself a 6–12-month window broken into phases to prepare for your practical assessment and achieve certification.  

These phases are designed to ensure that your organisation can effectively demonstrate real, organisation-wide compliance with the DCC framework.

Phase 1 – Readiness 
The first stage focuses on preparation. We work with clients to ensure they have all the necessary documents and understand the DCC framework, the assessment process, and the prerequisites. Scoping your business correctly is critical and we can help you define which functions, systems, and processes need to be included.  

This phase is also the time to be transparent about your organisation’s overall readiness for DCC, as this can save significant cost later on.

Phase 2 – Assessment Record Submission (ASR) 
Once readiness is confirmed, you will start by completing the Assessment Record Submission. This is similar to the Cyber Essentials process in structure but requires input from across the organisation. Applicants must provide detailed answers, policies, and evidence to demonstrate compliance. This phase cannot be outsourced; it is an internal project requiring resourcing and cross-functional collaboration.  

At this stage, as an assessor, we can provide support to ensure your team understands the questions and expectations, but the work itself, such as updating policies, implementing procedures and configuring systems, will be your responsibility.

Phases 3 & 4 – Review and clarification 
Phase 3 involves theoretical marking, where we review your submitted evidence and responses.  

Phase 4 is a series of clarification rounds if answers are unclear or incomplete. The number of rounds depends on the quality and completeness of the submission. Supplying clear, well-documented evidence from the start can reduce delays and additional consultancy hours.

Phase 5 – Practical assessment 
In this phase, compliance is demonstrated in real time, either remotely or onsite, depending on your scope and DCC level. Practical assessment often focuses on a representative sample of your environment – as such, larger or more complex organisations may require additional time. This is where your policies, procedures and technical controls are validated against the standard.

Phase 6 – Certification 
Once all phases are successfully completed, certification is issued.  

It’s important to remember that DCC is not a fixed-fee or fixed-duration assessment; it takes as long as necessary for your organisation to evidence that the standard has been met. Costs are aligned to the time and resources required.

DCC is a structured, phased approach that ensures businesses have the systems, processes, and governance in place to evidence real cyber security compliance across the organisation.


Which stakeholders does DCC impact?

Implementing DCC affects multiple areas of your business, depending on your maturity, but it’s important to involve the following teams, to name a few:

  • Bidding and commercial teams: Those who review MoD contracts and decide whether to bid.
  • Compliance and governance roles: Managing the DCC project, internal audits, updating policies, and maintaining evidence.
  • IT teams: Implementing technical controls, deploying software, and ensuring systems meet requirements.
  • Senior management / Directors: Responsible for overall accountability and ensuring organisation-wide commitment.

DCC is a cross-functional effort that requires commitment at all levels to achieve and maintain compliance long-term.

How often are the audits?

DCC certification is valid for three years, with an annual check-in with IASME to verify ongoing compliance. This isn’t a full audit, but it ensures the business is maintaining the standard. Maintaining Cyber Essentials is a requirement for DCC Levels 0 and 1, and Cyber Essentials Plus for DCC Levels 2 and 3, which involves its own annual external review.

How long does it take to get DCC certified?

For organisations starting from ground zero, achieving DCC certification is typically a 6–12-month programme. This timeline allows businesses to:

  • Understand the relevant DCC framework documents
  • Define the correct scope for their organisation
  • Upgrade or implement necessary software, systems, and technologies
  • Create or update policies and procedures
  • Collate evidence for the theoretical assessment
  • Prepare for the practical audit (remote or on-site)

Renewals are usually much faster—often expected around 3 months—provided the business has maintained its compliance, keeps policies and systems up to date, and understands its ongoing responsibilities.

Ready to take the next step towards DCC certification?

The Defence Cyber Certification (DCC) scheme is a long-term project requiring cross-functional collaboration and commitment to ensure your organisation can evidence real, organisation-wide cyber security and compliance.  

Get in touch with our team today to find out how we can help you achieve certification.