
Understanding the Defence Cyber Certification (DCC) Scheme: What Suppliers Need to Know

22 July 2025

UK defence suppliers, get ready for the Defence Cyber Certification

The Ministry of Defence (MOD), in partnership with the cyber security certification company Information Assurance for Small & Medium Enterprises (IASME), has launched the Defence Cyber Certification (DCC) scheme. The DCC will provide a new cyber security certification framework designed for UK Defence suppliers.

The new scheme will help strengthen the UK's broader ambition to improve the cyber resilience of its Defence supply chain. The DCC will offer a single, organisation-level assurance that suppliers can present in support of UK Defence Procurements.

Defence Standard 05-138 (DefStan 05-138) has long served as the cornerstone of cyber security within the defence supply chain. The newly introduced DCC scheme builds on this foundation by offering a formal certification process that aligns cyber security requirements with the specific Cyber Risk Profile (CRP) of each contract.

Here, we'll explore what the DCC scheme means for defence suppliers, break down the technical and organisational controls at each certification level, and share practical steps to help your organisation confidently prepare for certification.

 

Overview of the DCC scheme

With the official launch of the DCC scheme earlier this summer (May 8th, 2025), IASME has introduced a formalised approach to assessing cyber security compliance across the MOD supply chain. This structured certification framework enhances confidence in a supplier's cyber resilience and aligns with recognised international standards and best practices.

Created in collaboration with the MOD, the DCC scheme builds upon the established requirements of DefStan 05-138—the MOD's foundational cyber security standard for defence suppliers. While DefStan 05-138 outlines the necessary controls, DCC introduces a consistent, evidence-based approach to verifying that those controls are effectively implemented and operational.

 

The need for the DCC

The DCC scheme introduces entirely new cyber security controls, and suppliers are assessed against those controls organisation-wide instead of per contract. Suppliers apply for DCC certification to one of four CRP levels. Certification at a CRP level will allow suppliers to bid for MOD contracts risk assessed at that CRP level or below. 

Previously, organisations demonstrated cyber risk management through the Supplier Assurance Questionnaire (SAQ), possibly with a Cyber Implementation Plan (CIP) for non-compliance. While these self-assessments were helpful, they varied significantly in quality and interpretation, leading to inconsistencies in evaluations.

The DCC scheme complements the SAQ with a formal, independently verified certification process. Once certified, suppliers are required to uphold their cyber assurance for the duration of their contract.

How DCC fits within the broader cyber security landscape

To understand how the DCC integrates with existing MOD frameworks, here's how the key components align:

  • Cyber Security Model (CSM): The MOD's overarching framework for assessing cyber risk on a contract-by-contract basis.
  • Cyber Risk Profile (CRP): The specific level of cyber risk assigned to a contract, based on its nature and sensitivity.
  • DefStan 05-138: The standard that outlines the required controls, tailored to your contract's CRP.
  • Defence Cyber Certification (DCC): The new process that verifies whether those controls are effectively implemented and maintained.

 

Key changes introduced by the DCC scheme

In essence, the DCC scheme complements self-assessment with a formal, independently verified certification process. Organisations are assessed against one of four defined levels of cyber maturity, ranging from Level 0 (Basic) to Level 3 (Expert).

While certification may not yet be mandatory for all MOD contracts, it is expected to become a requirement soon. Proactively working towards certification now can help suppliers stay ahead of compliance demands.

Once certified, organisations will be expected to go through an annual check-in and re-certification every three years. Organisations must also maintain a valid Cyber Essentials or Cyber Essentials Plus certification, depending on their assigned DCC level.

CRP and DCC Levels: What you need to know

Below is a simplified breakdown of how CRPs align with DCC certification levels, along with an overview of what each level entails.

Each DCC level builds upon the previous one, with increasing expectations for cyber maturity. Organisations aiming for Level 2 or 3 must demonstrate more advanced governance, continuous monitoring, robust technical assurance, and effective oversight of third-party suppliers.

 

Certification levels

The DCC scheme is built on four progressive levels. Each level aligns with the controls defined in DefStan 05-138, with increasing levels of rigour: 

| DCC Level | DCC Controls Required | Cyber Essentials Requirement |
|-----------|-----------------------|------------------------------|
| Level 0   | 3 controls            | Cyber Essentials             |
| Level 1   | 101 controls          | Cyber Essentials             |
| Level 2   | 139 controls          | Cyber Essentials Plus        |
| Level 3   | 144 controls          | Cyber Essentials Plus        |

Timeline at a glance

  • Level 0 Certification: Now live with the first certification awarded, this foundational level is designed for organisations with very low assessed cyber risk. It requires compliance with just three basic controls, forming the groundwork for higher levels of certification.
  • Level 1 Certification: Live for applicants at the end of August, this level is aimed at organisations with low to moderate cyber risk and requires compliance with 101 controls.
  • Levels 2 and 3 Certification: Live for applicants from the end of August, these levels are designed for organisations with high or substantial cyber risk. They require advanced and expert cyber security capabilities, including a “defence in depth” approach to mitigate evolving threats.
  • Applicant guides: Available in late August.

Getting ready for DCC: Essential preparation steps

If you're part of the UK defence supply chain:

1. Check CRP – Identify the Cyber Risk Profile for each MOD contract.
2. Do a gap analysis – Compare your current controls to DCC level requirements.
3. Get Cyber Essentials – Obtain Cyber Essentials or Cyber Essentials Plus, as needed.
4. Engage a certifier – Choose an IASME-accredited Certification Body to assess you.
5. Collect evidence – Gather policies, logs, training records, and reports.
6. Map to DefStan 05-138 – Align your controls with MOD's standard.
7. Review suppliers – Ensure your third parties meet required assurance levels.
8. Undergo assessment – Complete the audit and fix any gaps.
9. Maintain compliance – Stay up to date with annual reviews and recertification.
10. Start early – Prepare now to meet future MOD contract requirements.

 


 

How we can help

At NCC Group, we support organisations across the UK in assessing their cyber readiness, identifying and closing compliance gaps, and preparing for Defence Cyber Certification with confidence. 

  • Trusted partner: NCC Group is an IASME-accredited Certification Body experienced in UK Defence cyber requirements, ensuring your certification process is reliable and compliant.
  • Expert guidance: NCC Group helps you interpret complex DCC controls, especially at advanced Levels 2 and 3, ensuring you understand exactly what's needed.
  • Gap analysis and readiness: Assessments to identify where your current cyber security measures meet the standard and where they fall short.
  • Evidence preparation: Many suppliers struggle to document what they already do; NCC Group assists in gathering and organising the required evidence for a smooth certification process.
  • Resource support: Preparing for DCC can be time-consuming; NCC Group offers practical, hands-on help to ease the burden and keep your business running.
  • Supply chain assurance: NCC Group can support you in managing and validating the cyber security of your subcontractors.

End-to-end support for the new Defence Cyber Certification

Whether you need a comprehensive gap analysis, expert guidance on interpreting control requirements, or hands-on support to get your documentation audit-ready—we're here to help every step of the way.