Defence Cyber Certification explained: what defence suppliers need to know

Defence Cyber Certification (DCC)

The Ministry of Defence has long recognised that its supply chain is one of its biggest cyber vulnerabilities. 

Thousands of organisations support defence programmes in some capacity – from technology providers and manufacturers to specialist service suppliers. Each organisation plays a role in the wider defence ecosystem, but each can also represent a potential entry point for an adversary looking for a way in. 

In recent years, attackers have increasingly focused on supply chains rather than attempting to breach large organisations directly. Suppliers often have trusted access, shared systems or embedded personnel, making them an attractive pathway into more sensitive environments. 

These attacks do not always rely on sophisticated technical exploits. In many cases they involve targeted phishing, impersonation or attempts to exploit trusted relationships between organisations. 

For that reason, improving cyber security across the defence supply chain has become a priority. 

Defence Cyber Certification (DCC) was introduced by the Ministry of Defence and IASME to help address this challenge. The framework provides a consistent way for organisations to demonstrate that they have the cyber security controls needed to support defence contracts and programmes. 

For many suppliers, understanding what DCC involves and how to prepare for it is becoming increasingly important. 

What is Defence Cyber Certification (DCC)? 

Defence Cyber Certification (DCC) is a cyber security certification framework developed by the UK Ministry of Defence (MoD) and IASME. 

The scheme was created to strengthen cyber security across the defence supply chain and provide a consistent way of assessing the cyber security posture of organisations supporting defence work. 

DCC replaces the previous Supplier Assurance Questionnaire (SAQ) approach. Under the SAQ model, suppliers completed a cyber security questionnaire for each individual contract, which in practice meant organisations repeating near-identical assessments many times over. 

DCC changes this by introducing a single organisation-wide certification. Once certified, an organisation can evidence its cyber security posture across multiple defence contracts without repeating the assessment, provided the level it holds meets the level each contract demands. 

The certification examines how cyber security is managed across the organisation. This includes governance, policies and procedures, technical controls, staff awareness and supply chain risk management. 

Certification lasts three years, with a yearly confirmation that the required controls are still in place. 

Achieving DCC demonstrates that an organisation can meet the cyber security expectations of defence customers and prime contractors. 

Why the defence sector introduced DCC 

The UK defence sector relies on a large and diverse supply chain of organisations contributing the technology, services and expertise that underpin defence capability. 

As cyber threats have evolved, the Ministry of Defence has recognised that resilience across the entire supply chain is essential. A vulnerability within one supplier can potentially affect wider programmes and partnerships. 

Defence Cyber Certification was developed to address this challenge by setting clearer expectations for cyber security across organisations supporting defence work. 

For suppliers, certification provides a recognised way to demonstrate that they have appropriate controls in place to manage cyber risk. 

For defence customers and prime contractors, it provides a more consistent way to assess cyber security across their suppliers. 

Understanding the four levels of certification 

Defence Cyber Certification is structured into four levels, reflecting the cyber risk associated with the work being carried out. 

Each level is based on controls defined in Defence Standard 05-138, which outlines the cyber security requirements expected of organisations supporting defence programmes. 

The four levels are: 

  • Level 0 – Entry level certification for lower-risk work. Organisations must hold Cyber Essentials. 
  • Level 1 – Introduces broader organisational cyber security controls covering governance, policies and risk management. Cyber Essentials is required. 
  • Level 2 – Higher assurance requirements including stronger operational and technical controls. Cyber Essentials Plus is required. 
  • Level 3 – The most comprehensive level of certification, designed for organisations supporting higher-risk defence programmes. Cyber Essentials Plus is required. 

Each defence contract is assigned a Cyber Risk Profile (CRP) that determines the level of certification suppliers must achieve. 

Preparing for Defence Cyber Certification 

For many organisations, preparing for DCC begins with understanding how their existing cyber security practices align with the requirements of Defence Standard 05-138. 

Preparation usually involves a small number of steps. 

The first step is identifying the certification level required based on the contracts or programmes the organisation supports. 

Next, organisations review their current cyber security policies, procedures and technical controls. Many suppliers already have several of these controls in place, particularly if they hold Cyber Essentials or Cyber Essentials Plus. 

Where gaps are identified, organisations may need to strengthen certain areas. This could involve improving governance, documenting security processes more clearly or implementing additional technical safeguards. 

Another key step is preparing evidence. Organisations must demonstrate how controls are implemented through policies, procedures and operational records. 

This is often where organisations face the most difficulty – not in having controls, but in clearly evidencing how those controls operate in practice. 

Once these steps are complete, organisations can begin the certification process with a certification body licensed by IASME to assess against DCC. 

More than a compliance exercise 

Although DCC is a certification framework, many organisations find that preparing for it leads to broader improvements in cyber security. 

Reviewing governance structures, documenting processes and strengthening technical controls often helps organisations manage cyber risk more effectively. 

The framework also encourages organisations to look at cyber security across the whole business rather than focusing on individual projects or systems. 

For organisations supporting defence programmes, this can strengthen trust with customers and partners who depend on secure and reliable suppliers. 

Preparing early makes the process easier 

In our experience working with organisations across the defence supply chain, many suppliers already have a number of the controls required for DCC in place. 

The challenge is often understanding how those controls align with Defence Standard 05-138, identifying where gaps exist, and ensuring that policies, processes and evidence are clearly documented. 

Approaching the framework in a structured way usually makes preparation far more manageable and helps organisations strengthen cyber security more broadly across the business. 

Defence Cyber Certification represents an important step in strengthening cyber resilience across the defence supply chain. For organisations supporting defence programmes, understanding the framework and preparing early will help ensure they are ready to meet those expectations.