As cybersecurity threats continue to evolve, so do the requirements for doing business.

So, it’s time to welcome a new framework, the Defence Cyber Certification (DCC), designed to strengthen cyber resilience across the UK defence supply chain.

But what exactly is DCC? Who needs it? And how do you prepare for it without disrupting day-to-day operations?

We'll break it down step by step, so you know exactly what to expect and what actions to take next.

What Is the Defence Cyber Certification (DCC)?

The Defence Cyber Certification (DCC) is a new cybersecurity certification scheme introduced in partnership with IASME and the Ministry of Defence (MoD). It plays a central role in Cyber Security Model (CSM) version 4, helping ensure that all suppliers in the defence sector meet baseline cyber hygiene standards.

Unlike generic frameworks, DCC is tailored to the specific threats, risks, and operational needs of the defence sector. And it’s designed to be scalable, meaning requirements vary depending on the sensitivity of the contract or project.

Why Has DCC Been Introduced?

The MoD relies on a vast and complex supply chain, from large primes to niche SMEs. Many of these suppliers handle sensitive information or provide critical services that, if compromised, could pose a national security risk.

Until now, assurance requirements have been inconsistent and difficult to enforce. DCC addresses that by:

  • Standardising cyber requirements across all suppliers
  • Providing a scalable, risk-based approach
  • Simplifying the contract process by aligning cyber controls with contract value and sensitivity

In short, it helps to improve cyber assurance in a more structured and predictable way.

Who Needs to Be DCC Certified?

If you're a supplier bidding for or delivering to the UK Ministry of Defence, DCC will very likely apply to you.

Here’s a quick breakdown:

| Supplier Type | Likely Requirement |
|---|---|
| Prime contractors | High or very high level DCC |
| Subcontractors handling sensitive data | Moderate to high |
| SMEs with non-sensitive contracts | Basic DCC level (aligned with Cyber Essentials) |
| New bidders for MoD tenders | Must meet the DCC level defined in tender docs |

The required certification level will be clearly defined in the MoD’s tender documentation or during contract scoping.

What Are the Levels of DCC Certification?

The DCC scheme has four assurance levels, each mapping to a level of cyber risk:

  1. Basic – Equivalent to Cyber Essentials
  2. Enhanced – A step up, aligned with Cyber Essentials Plus, with some additional controls
  3. Substantial – Includes elements from IASME Cyber Assurance and additional sector-specific measures
  4. High/Very High – Custom assurance activities; may require on-site audits or MoD-specific controls

This tiered approach enables the MoD to match security expectations to contract sensitivity; not every supplier needs the highest level.

How Does DCC Relate to Cyber Security Model (CSM) v4?

The Cyber Security Model (CSM) is the MoD’s overarching approach to defining cyber requirements in procurement. With version 4, the DCC becomes the standard mechanism for proving cyber assurance.

To summarise:

  • The CSM defines the level of risk.
  • The DCC provides the certification to prove you're compliant with it.

The new model eliminates ambiguity and provides suppliers with a clear, auditable path to meeting expectations.

How Do You Get DCC Certified?

To begin the certification process, you’ll go through IASME, the official partner managing the scheme.

Here’s how to get started:

  1. Determine your required level – Based on the MoD tender or contract
  2. Review control requirements – These are mapped to frameworks like NIST, Cyber Essentials, and ISO 27001
  3. Assess gaps – Use a readiness checklist or work with a trusted compliance partner
  4. Submit documentation / undergo audit – Depending on your level, this could be self-assessed or independently verified
  5. Receive your DCC certification – Valid for 1 year

💡 Getting pre-certified can help you stand out in defence bids, especially because cyber assurance is a deciding factor.

How Can You Prepare for DCC Without Disrupting Productivity?

Many organisations struggle to balance compliance with day-to-day operations. The key to avoiding friction is embedding DCC-aligned controls into your existing workflows.

Here’s what that looks like:

  • Use encryption that supports MoD and NCSC standards
  • Implement data loss prevention and access control that maps to DCC control families
  • Document your security processes with audit readiness in mind
  • Use dashboards and reporting to streamline evidence collection

A solid data protection strategy will not only help you pass DCC, but it will also strengthen your overall security posture.

Is It Worth Investing in DCC Early?

Yes, especially if you’re:

  • Already in the defence supply chain
  • Targeting new MoD tenders
  • Supporting primes as a subcontractor
  • Managing sensitive or classified data

Being DCC-compliant isn’t only about obtaining new contracts; it also sends a strong message to partners and regulators about your cyber maturity and operational resilience.

So, What’s Next?

The Defence Cyber Certification (DCC) represents a major shift in how the MoD manages cyber risk, and it’s one that suppliers can’t afford to ignore. By acting early and aligning your security program with DCC requirements, you’ll be better positioned to win business, protect sensitive data, and stay ahead of future regulations.

FAQs: Defence Cyber Certification (DCC)

Is DCC mandatory for all defence suppliers?

DCC is not universally mandatory yet, but it is increasingly required as part of MoD contracts. Suppliers are strongly encouraged to begin certification early, starting at the appropriate level, to avoid delays or disqualification during procurement processes.

How is DCC different from Cyber Essentials?

Cyber Essentials is a baseline cyber hygiene certification and is a prerequisite for all DCC levels. DCC goes significantly further by assessing organisation-wide cyber resilience, governance, technical controls, and evidence of effective implementation. It replaces the older per-contract assurance approach with a single, reusable certification.

Can existing security tools be reused for DCC compliance?

Yes, existing tools can support DCC compliance, but they must be configured to meet the framework’s requirements and provide evidence of effectiveness. DCC focuses on outcomes and assurance, not specific vendors, so organisations must demonstrate that controls work in practice across the entire business.

How long does DCC certification last?

DCC certification is valid for three years, with annual attestations required to confirm that controls remain in place and effective. Organisations must maintain ongoing compliance rather than treating certification as a one-time exercise.