Defence Cyber Certification (DCC) FAQs
Straightforward answers to the questions we’re most often asked about Defence Cyber Certification and how it works in practice.
Defence Cyber Certification raises a lot of questions, particularly for organisations that are new to defence or trying to understand how it applies in practice. Below are the most common areas we are asked about, along with straightforward answers based on how the scheme is being implemented across the UK defence supply chain.
Defence Cyber Certification (DCC) is the Ministry of Defence’s cyber assurance framework for organisations operating within the UK defence supply chain. It was developed in partnership with IASME to create a more consistent and risk-based approach to supplier security.
At an organisational level, DCC confirms that a supplier has the required cyber security controls, governance and processes in place to protect sensitive defence information and operate securely within defence environments.
It replaces the previous reliance on contract-by-contract assurance and introduces a structured certification model aligned to Defence Standard 05-138.
DCC has been introduced to address inconsistency in how cyber risk was previously assessed across the defence supply chain.
Historically, suppliers were often required to complete a Supplier Assurance Questionnaire for each contract. This created duplication and varied levels of assurance.
DCC provides a standardised, organisation-level approach. It ensures that suppliers are assessed against a common framework, making it easier for the MOD and prime contractors to understand and manage risk across large, complex supply chains.
It also reflects the increasing focus on supply chain security, particularly in response to threats targeting smaller or less mature organisations as entry points into defence programmes.
Any organisation working within, or looking to enter, the UK defence supply chain may require certification.
This includes:
- SMEs providing specialist services
- technology providers and software vendors
- consultancies supporting defence programmes
- organisations with access to defence systems or data
The requirement depends on the type of work being delivered and the level of cyber risk associated with that work.
Even where it is not yet mandatory, suppliers are being encouraged to begin certification early to avoid delays in future procurement or onboarding activity.
There are four levels of Defence Cyber Certification, each aligned to a different level of cyber risk.
- Level 0: Entry level for low-risk activity. Covers a small set of baseline controls and requires Cyber Essentials.
- Level 1: Introduces a broader and more structured set of requirements, including governance, policy and risk management.
- Level 2: Aligned to higher-risk environments, with more extensive controls and assurance requirements.
- Level 3: The highest level, designed for organisations operating in high-risk or highly sensitive defence environments.
The level required is determined by the Cyber Risk Profile assigned to the contract or activity.
Yes. Cyber Essentials is a prerequisite for all levels of Defence Cyber Certification.
- Levels 0 and 1: Cyber Essentials
- Levels 2 and 3: Cyber Essentials Plus
DCC certification is valid for three years.
During that period, organisations are required to:
- complete annual attestations to confirm controls remain in place
- maintain Cyber Essentials or Cyber Essentials Plus certification
This reflects the expectation that security is maintained over time, rather than treated as a one-off activity.
While there are similarities between DCC and ISO 27001, they are not the same.
ISO 27001 provides a broad information security management framework that can be applied across sectors.
DCC is specifically designed for the UK defence supply chain and is aligned to Defence Standard 05-138. It focuses on the types of risks and requirements relevant to defence contracts and MOD expectations.
Organisations with ISO 27001 may already meet some DCC requirements, but they will still need to map controls and provide evidence specifically aligned to DCC.
A DCC assessment looks at whether your organisation meets the required controls and can demonstrate that they are implemented and effective.
This typically includes:
- reviewing policies, procedures and governance structures
- assessing technical and organisational controls
- examining supporting evidence and records
- confirming that controls are consistently applied
The emphasis is on evidence, not just documentation. Organisations are expected to demonstrate how controls operate in practice, not just how they are described.
Preparation time varies depending on the organisation’s starting point.
Organisations with existing controls, such as Cyber Essentials or ISO 27001, may be able to focus on alignment and evidence.
Others may need to implement new controls, formalise processes and develop documentation.
In most cases, the effort is less about building everything from scratch and more about:
- aligning existing controls to DCC requirements
- addressing gaps in consistency and coverage
- structuring evidence for assessment
Across DCC readiness work, several challenges come up consistently:
- Understanding scope: determining which parts of the organisation are in scope for certification
- Aligning controls: mapping existing controls to Defence Standard 05-138
- Building evidence: demonstrating that controls are implemented and effective
- Consistency: ensuring controls are applied across all relevant areas, not just in isolated teams
Many organisations find that evidence is the most time-consuming part of preparation, particularly if it has not been considered early in the process.