How to Prepare for Defence Cyber Certification (DCC): A Practical Guide for Suppliers

For many organisations working with the Ministry of Defence, Defence Cyber Certification (DCC) is expected to become mandatory. As a result, we are seeing a lot of uncertainty around where to start, which level applies and how much effort is really involved.

The good news is that most organisations already have parts of what DCC requires. The challenge is usually not starting from scratch, but understanding how existing controls map to the standard, where the gaps are and how to evidence what is already in place.

This guide sets out what preparation looks like in practice and where organisations tend to struggle.

Start with the level you actually need

Before doing anything else, you need to understand what level of certification applies to you.

DCC is structured across four levels, based on the cyber risk profile of the work you are supporting. That level is not something you choose yourself. It is defined by the contract or programme you are working on.

This matters because the difference between levels is significant. Level 0 is relatively straightforward, requiring Cyber Essentials. At the higher end, Level 2 and Level 3 require more robust governance, technical controls and operational maturity.

One of the most common mistakes is over-preparing for the wrong level or underestimating what is required. Clarifying this early will save a lot of time later.

Understand how your current setup compares

Once you know your target level, the next step is to understand where you are today.

This is where many organisations assume they have a gap, when in reality they already have a large portion of the controls in place. If you hold Cyber Essentials or Cyber Essentials Plus, you already have a foundation.

The challenge is that DCC goes further. It looks beyond individual controls and focuses on how cyber security is managed across the organisation.

That includes:

  • Governance and accountability
  • Policies and procedures
  • Technical controls
  • Staff awareness and behaviour
  • Supply chain risk

A structured review against Defence Standard 05-138 helps you see where things align and where they do not. Without that mapping exercise, it is difficult to prioritise what actually needs attention.

Focus on gaps that matter, not everything at once

After the initial review, most organisations find a mix of strengths and gaps.

The instinct is often to try and fix everything at once. In practice, that rarely works. Some gaps are quick to address; others require more fundamental changes.

The more effective approach is to prioritise based on risk and effort.

For example, documenting an existing process is usually quicker than introducing a new technical control. Strengthening access management or improving logging may take longer and require coordination across teams.

DCC is not just about having controls in place. It is about demonstrating that they are applied consistently and understood across the organisation. That often means focusing as much on clarity and structure as on technology.

Evidence is where most organisations struggle

One of the biggest challenges with DCC is not implementing controls; it is proving they exist and work as intended.

Policies alone are not enough. Certification requires evidence that controls are not only defined but consistently applied and understood.

This might include:

  • Access control records
  • System configurations
  • Training logs
  • Incident response records
  • Audit trails

In many organisations, the controls are there but the evidence is fragmented or informal. Pulling that together in a clear and structured way is often the most time-consuming part of preparation.

Starting this early makes a significant difference.

Do not overlook people and process

In some organisations cyber security can be seen as a technical issue, but DCC places equal weight on people and process.

Staff need to understand their role in protecting information. That includes recognising phishing attempts, following access controls and knowing how to report incidents.

Processes also need to be clear. How incidents are handled, how access is granted and reviewed, how suppliers are assessed. These are all areas that certification will look at.

Organisations that focus only on technical controls tend to struggle here. Those that take a broader view usually find the process smoother.

Look beyond your own organisation

Supply chain risk is a key part of DCC.

Many organisations are more comfortable with their own controls but have less visibility of the suppliers they rely on. In the defence sector, that is a recognised vulnerability.

Preparation should include understanding:

  • Which suppliers have access to systems or data
  • What level of security they operate at
  • How that risk is assessed and managed

This does not mean auditing every supplier in detail, but it does mean having a clear and proportionate approach to managing that risk.

Treat preparation as an operational exercise

DCC is often approached as a compliance exercise. That mindset can make the process more difficult than it needs to be.

Organisations that approach it as an operational review tend to get more value from it.

Instead of asking “what do we need to show?”, the more useful question is “how does this actually work in practice?”

That shift helps uncover gaps that matter and avoids building documentation that does not reflect reality.

It also means that once certification is achieved, the controls are more likely to hold up under real conditions, not just during assessment.

Plan for time and coordination

Even for organisations with a strong starting point, DCC preparation takes time.

Not because the controls are complex, but because they sit across different parts of the organisation. IT, operations, HR and leadership all play a role.

Coordinating that effort, gathering evidence and making improvements requires planning.

Leaving it too late often leads to unnecessary pressure and rushed fixes. Starting early allows for a more measured approach and reduces the risk of delays.

Where organisations tend to get stuck

Across the defence supply chain, the same challenges come up repeatedly.

  • Unclear certification level
  • Lack of structured gap analysis
  • Weak or inconsistent evidence
  • Over-reliance on existing certifications
  • Limited visibility of supplier risk

None of these are unusual, and they are all solvable, but they do require a structured approach.

More than a certification

Although DCC is often seen as a requirement, it tends to have a wider impact.

Going through the process forces organisations to look at how cyber security is managed across the business, not just within IT.

That often leads to clearer governance, better documentation and more consistent controls.

For organisations working in defence, that also strengthens trust with customers and partners who depend on secure and reliable suppliers.

Final thought

Preparing for Defence Cyber Certification is not about building something entirely new. It is about understanding what you already have, identifying what is missing and bringing it together in a structured and consistent way.

The organisations that find the process easiest are not necessarily the most mature. They are the ones that take a practical approach early, focus on what matters and treat it as part of how the business operates, not just a box to tick.

For suppliers in the defence sector, that approach will make certification far more manageable and far more valuable.

Frequently Asked Questions

Defence Cyber Certification is a UK Ministry of Defence framework that assesses the cyber security of organisations working in the defence supply chain. It provides a consistent way to demonstrate that appropriate controls are in place.

Any organisation working on defence contracts may need DCC, depending on the Cyber Risk Profile (CRP) assigned to that work. This is typically defined by the contracting authority or prime contractor.

DCC has four levels:

Level 0

Entry level certification for lower-risk work – 3 controls | 6 questions
Requirement: Cyber Essentials

Level 1

Introduces wider organisational cyber security requirements covering governance, policies and risk management – 101 controls | 236 questions
Requirement: Cyber Essentials

Level 2

A higher level of assurance with more detailed security and operational controls – 139 controls | 328 questions
Requirement: Cyber Essentials Plus

Level 3

The most comprehensive level of DCC certification, designed for organisations supporting higher-risk defence programmes – 144 controls | 337 questions
Requirement: Cyber Essentials Plus

Cyber Essentials focuses on basic technical controls. DCC goes further by assessing governance, processes, staff awareness and supply chain risk across the whole organisation.

Preparation time varies depending on your starting point, but most organisations take several months. The biggest factor is usually identifying gaps and gathering the evidence needed for certification.

Organisations need to demonstrate that controls are in place and working. This includes policies, system configurations, access controls, training records and evidence of how security processes operate in practice.

It is not mandatory across all defence work, but it is increasingly being required for contracts. Organisations that cannot meet the required level may be unable to bid or continue working on certain programmes.

For most organisations, the challenge is not implementing controls but evidencing them clearly and consistently. Many already have the right measures in place but struggle to demonstrate them.

We take a practical approach, helping organisations understand where they stand, identify what matters and implement changes that hold up in real conditions, not just on paper.