CSMv4 Is Live: What Defence Suppliers Need to Know About DCC Requirements

As of December 3rd, 2025, the Cyber Security Model version 4 is live. If you're in the defence supply chain, the days of self-assessment questionnaires are ending. Defence Cyber Certification (DCC) is the assurance framework the MOD expects you to use.

The MOD's letter to industry is unambiguous: certification will increasingly be specified as a precursor requirement for contracting with Defence. That future is arriving now, with individual contracts already mandating certification. Begin your certification journey, or risk being locked out of MOD opportunities.

What Actually Changed on December 3rd

The new cyber security standards launched via Industry Security Notice 2025/07. These standards, developed in partnership between the MOD and defence suppliers through the Defence Cyber Protection Partnership, replace the inconsistent self-assessment approach that's been the norm.

The Defence Cyber Certification scheme was announced in May 2025, with Level 0 going live in July and Levels 1-3 following in August. December 3rd marks the official launch of CSMv4, signalling the MOD's formal shift toward requiring DCC for defence contracting.

Why This Matters Now

The Strategic Defence Review stated bluntly that UK Defence continues to carry intolerable levels of cyber risk. The Defence Industrial Strategy sets out the ambition to develop a resilient UK industrial base. Recent attacks on Marks & Spencer, the Co-op, and Jaguar Land Rover demonstrate the threat is real and immediate.

The UK Defence supply chain is a priority target for adversaries. Your subcontractors, suppliers, and partners are all potential entry points. The MOD is closing those gaps.

Understanding the Four Certification Levels

The DCC operates across four levels, each corresponding to the cyber risk profile of your contracted work:

Level 0 (Very Low Risk) – The entry point and the very minimum defence contractors will need. Beyond Cyber Essentials, you'll need two additional basic controls. Suitable for suppliers providing low-risk goods and services such as stationery or facilities management with minimal MOD system interaction.

Level 1 (Low to Moderate Risk) – Many defence suppliers will land here. Requires 101 controls covering governance, risk management, protective controls, incident response, and staff training. Cyber Essentials remains the technical baseline. Typical for IT support services, standard software solutions, training, consultancy, or logistics where you have some access to MOD systems or official data.

Level 2 (High Risk) – Demands 139 controls with sophisticated governance, continuous monitoring, and robust technical assurance. Cyber Essentials Plus becomes mandatory. Aimed at suppliers regularly handling sensitive MOD data, providing managed IT services for defence operations, or developing bespoke software integrating with MOD infrastructure.

Level 3 (Substantial Risk) – The highest level, requiring 144 controls and expert cyber security capabilities. Reserved for mission-critical work: command and control systems, cloud infrastructure for classified operations, weapons systems components, or advanced defence technology where compromise could have severe operational impact.

Start with Level 0, Plan for Higher

The MOD's guidance is clear: start seeking certification now, beginning with Level 0. Higher levels may subsequently be required as appropriate to your contract specifics.

A single DCC certificate covers all MOD contracts, provided they're assessed at or below your certification level. If you achieve Level 1, you can use that certificate for any Level 0 or Level 1 contracts, eliminating repeated contract-by-contract security assessments.

Certification lasts three years, subject to annual attestations and maintaining valid Cyber Essentials certification.

Common Pitfalls to Avoid

Letting Cyber Essentials lapse – If your Cyber Essentials certification expires during the DCC assessment process, you'll automatically fail, even if everything else is perfect.

Scoping too narrowly – You can't exclude parts of your organisation that don't directly handle MOD data. The scheme demands organisation-wide compliance.

Assuming certification means you're set for three years – You must complete annual attestations confirming ongoing compliance and renew Cyber Essentials annually. At the three-year mark, full recertification is required.

Treating it as a checkbox exercise – Assessors will interview staff, request demonstrations, and verify operational evidence. Policy documents without proof of implementation won't suffice.

What You Actually Need to Do

This is where suppliers typically hit friction. Many organisations already follow good security practices but lack documentation. DCC assessments are evidence-driven. You need policies, logs, training records, and proof of implementation for each control.

Here's the systematic approach:

  1. Confirm your required level – Check your MOD contract to determine whether you need Level 0, 1, 2, or 3. If you're preparing to bid without a current contract, consider which level aligns with your anticipated work.
  2. Get Cyber Essentials certified – This is the baseline for all DCC levels. It covers firewalls, secure configuration, user access control, malware protection, and security update management. Levels 2 and 3 require Cyber Essentials Plus.
  3. Define your scope – DCC takes a whole-organisation approach. You can't certify only the team handling MOD work directly. Every business-critical system and department must be in scope. Document this clearly in your Statement of Scope.
  4. Conduct a gap analysis – Compare your current security measures against the required controls for your level. Level 1 alone has 101 controls to evidence on top of the Cyber Essentials baseline. Create a tracker listing each control, its status, supporting evidence, and outstanding actions. CyberSmart provides a gap analysis framework as part of our Defence Readiness Package to streamline this process.
  5. Address the gaps – Develop or update security policies, implement technical measures like logging and vulnerability scanning, establish new processes for risk assessments and supplier vetting, and assign clear roles for administering security measures.
  6. Collect evidence – Organise written policies, training records, system configuration screenshots, patch management reports, access control lists, incident logs, backup logs, risk registers, and supplier security questionnaires. Cross-reference everything against specific controls.
  7. Build your risk register – Document your information assets, threats, vulnerabilities, existing controls, and risk treatment decisions. DCC requires systematic risk management with periodic reviews.
  8. Run an internal review – Before formal assessment, have someone outside the direct process review your scope definition, compliance documentation, staff awareness, and evidence quality. Identify weak spots while you can still address them.
  9. Book your assessment – Engage an IASME-accredited DCC certification body like CyberSmart. We'll review your submission, conduct interviews or demonstrations to verify controls, and issue your certificate upon successful assessment.

What the MOD Expects Beyond Certification

The December letter also highlights two foundational approaches the MOD wants to see embedded across supplier organisations:

Active Cyber Defence – The NCSC's programme of services (Protective DNS, Mail Check, Web Check, and Early Warning) that detect and block threats at scale rather than leaving each organisation to react on its own.

Secure by Design – Building security into products and services from the ground up rather than bolting it on later. This approach reduces vulnerabilities and creates more resilient systems.

These approaches represent the MOD's expectation that cyber security becomes fundamental to how defence suppliers operate, embedded in everything from product development to daily operations.

Why Early Adoption Matters

Many prime contractors are already requesting certification from their subcontractors ahead of any formal mandate. This creates adoption pressure across the entire supply chain.

Early certification puts you ahead of the inevitable rush when mandatory status is announced. Certification bodies will face backlogs, and assessment slots will become scarce. Starting now means you avoid competing for limited appointment availability with hundreds of other suppliers scrambling to meet sudden deadlines.

Practically, early adoption also positions you to respond quickly when contract opportunities begin factoring DCC into their evaluation criteria. The commercial landscape is shifting ahead of any formal mandate.

According to Thales' 2024 Data Threat Report, 93% of organisations in the critical national infrastructure sector observed an increase in cyber-attacks in 2024. The threat environment continues to worsen. Getting ahead of certification requirements means building genuine resilience, not just meeting compliance obligations.

Cascade This to Your Subcontractors

The MOD letter explicitly asks that you cascade this information to all defence subcontractors within your supply chain. If you work with other suppliers on MOD contracts, they need to know these requirements apply to them too.

Your certification doesn't insulate you if your subcontractors present security weaknesses. The defence supply chain is only as strong as its weakest link.

What Happens If You Don't Get Certified

The timeline for mandatory DCC implementation depends on formal contractual invocation of CSM version 4. The MOD will announce this via Industry Security Notice. When it becomes mandatory, suppliers without appropriate certification levels will be ineligible to bid on contracts requiring them.

Even before formal mandate, commercial reality is already creating pressure. If your competitors are certified and you're not, you're at a disadvantage in competitive bids.

Getting Support

If you don't have a dedicated in-house cybersecurity team, preparing for DCC can feel overwhelming. Working with an experienced certification partner simplifies the process significantly.

Look for partners offering guidance at every stage, scoping support, policy and documentation advice, technical implementation assistance, and training programmes to embed security awareness across your teams.

The right partner translates technical jargon into actionable steps, provides templates and examples for policies, recommends appropriate tools and configurations, and helps you understand what good evidence looks like for each control. Certification bodies assess your compliance but cannot implement solutions. The scheme requires this separation to maintain assessment independence.

CyberSmart's Defence Readiness Package

CyberSmart is the UK's most trusted certification body, delivering more certifications than any other provider. Our Defence Readiness Package combines DCC and Cyber Essentials certification with year-round protection in a single purchase, eliminating the complexity of coordinating multiple certification bodies.

What sets us apart:

Rapid turnaround – Our experienced assessors move you through the certification process efficiently, understanding exactly what's required at each stage.

Pre-assessment preparation – We review your current cybersecurity posture and identify vulnerabilities or gaps before formal assessment, saving you time and avoiding failed attempts.

Expert Support – Utilise our team of cybersecurity experts for technical queries, guidance on preparing evidence in line with the Applicant Guide, and renewal advice throughout your certification journey.

Continuous protection and monitoring – We go beyond assessment day with continuous monitoring, actionable alerts, and regular compliance reporting to help maintain your cybersecurity posture year-round. This includes CyberSmart Active Protect for 24/7 protection and comprehensive asset management.

Integrated tools and training – Smart Policies provides trackable DCC-aligned governance policy creation and distribution, while CyberSmart Learn Lite delivers simple, easy-to-implement security awareness training that embeds best practices across your teams.

The Bottom Line

DCC represents a fundamental shift in how defence suppliers demonstrate cybersecurity competence. The MOD has made clear that independently verified certification is replacing self-assessment as the standard method of proving compliance.

Certification under the scheme will increasingly be specified as a precursor requirement for contracting with Defence. The message from the MOD is unambiguous: "start seeking certification now…your proactive engagement and leadership are critical in continuing to safeguard the UK's defence and national security."

Don't wait for the mandate. Start now.

CyberSmart's Defence Readiness Package combines DCC and Cyber Essentials certification with year-round protection, continuous monitoring, and unlimited expert support. We help defence suppliers navigate the certification process from initial gap analysis through to successful assessment and ongoing compliance.

Download our DCC Playbook for a deeper look, and book a call with our team to get started on your DCC journey!