It almost goes without saying, but defence is one of the most vital sectors in any economy. That’s why in defence procurement, cybersecurity requirements are increasingly stringent on both sides of the Atlantic.

The UK and the US have distinct cyber frameworks for defence contractors. For the UK, it’s the Defence Cyber Protection Partnership (DCPP) with its Defence Cyber Certification (DCC). Meanwhile, for the US, it’s the Cybersecurity Maturity Model Certification (CMMC). In this blog, we’ll look at the differences between the two, including their structure, certification approaches and impact on defence contractors.

What is the DCPP?

DCPP is a joint UK Ministry of Defence (MOD) and industry scheme to strengthen supply chain resilience to cyber threats. Through its Defence Standard 05-138, it lays out the minimum cybersecurity controls defence suppliers need to achieve.

There are four levels to this, each with an increasing number of controls, covering areas like governance, technical measures, personnel, and supply chain risk. The levels are:

• Level 0 (Basic, 3 controls)
• Level 1 (Foundational, 101 controls)
• Level 2 (Advanced, 139 controls)
• Level 3 (Expert, 144 controls)

All MOD contracts undergo a cyber risk profile (CRP) assessment based on these levels. And, suppliers must demonstrate compliance with controls relevant to the profile to be considered for contracts.

How about CMMC?

CMMC shares many similarities with DCPP. Like the UK, the US has seen its share of attacks on its defence industrial base in recent years. Most notably, the 2025 ransomware attack on the National Defence Corporation and its subsidiary, AMTEC.

CMMC is the US Department of Defense’s (DoD) response to such incidents. The model also aims to enforce security for Federal Contract Information and Controlled Unclassified Information.

The standard has three levels, with each mapping onto a set of requirements:

• Level 1 (Foundational) aligns with the Federal Acquisition Regulation or FAR clause
• Level 2 (Advanced) to NIST SP 800-171 with 110 controls
• Level 3 (Expert) with NIST SP 800-172’s 172 controls

Controls are grouped into 14 domains, including access control, configuration management, incident response, and media protection.

What does each certification approach look like?

DCC (UK)

Certification body

Managed by IASME, a UK government-appointed authority for cyber certification. DCC builds on Defence Standard 05-138 by applying a uniform, evidence-based certification process at the organisation level, not contract-by-contract. Certification is independently verified, rather than a self-assessment.

Process

Suppliers select and achieve certification for a relevant cyber risk profile, and present their completed DCC during the bidding process. Certification lasts three years, with mandatory annual check-ins.

You’ll also need at least a Cyber Essentials certification for every level, with levels 2 and 3 requiring a Cyber Essentials Plus certification too.

Scope

Certification covers your whole organisation and its processes, raising assurance and consistency across the defence supply chain.

CMMC (US)

Certification body

Assessments for Level 1 are self-attested. Level 2 requires third-party evaluation by a Certified Third-Party Assessment Organisation (C3PAO).  Meanwhile, Level 3 exams are run by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Process

Contractors must pass all required controls at their level. However, there is some leeway depending on the level. For example, Level 2 allows limited gaps in its 110 controls. Whereas Level 3 is far stricter with no gaps permitted.

Scope

Unlike DCC, CMMC certification is “per environment or network” that handles Federal Contract Information or Controlled Unclassified Information and can also be contract-specific, meaning organisations may need to complete it multiple times.

Practical implications for suppliers

Coverage and applicability

DCC

Certification allows bidding on all MOD contracts up to that risk profile, making planning more predictable. Certification isn’t currently required for every contract, but this is expected to become universal soon.

CMMC

Until late 2026, requirements will be rolled out in phases, starting with high-priority contracts. By 2028, all DoD contracts will require CMMC certification matching the contract’s risk level.

Control counts and complexity

Costs and burden

DCC

UK costs depend on organisation size and CRP level. Full DCC certification is expected to be less expensive for SMEs compared to CMMC, with Cyber Essentials serving as the entry requirement in most cases. Costs scale up with evidence gathering, control implementation, and ongoing review.

CMMC

Estimates for compliance and certification vary. Small US contractors face costs of $30,000–150,000, rising to $500,000 or more for large enterprises. Delaying compliance can risk contract disqualification.

Assessment and renewal

DCC

The UK process is evidence-based and standardised. Certification bodies must be accredited and operate under IASME. All suppliers undergo annual check-ins and recertification every three years.

CMMC

Aside from Level 1, a third part will carry out your assessment. For example, C3PAO oversees Level 2, and the DoD itself tackles Level 3. Assessments are rigorous, requiring full documentation and audit evidence. What's more, failed controls require remediation and re-testing.

International alignment

Both schemes draw on international standards. DCC is built on NIST, ISO 27001, and Cyber Essentials. Meanwhile, CMMC is based purely on NIST SP 800-171 and 800-172.

The aim of both is to harmonise security expectations for global defence supply chains while retaining local regulatory control.

Practical guidance for suppliers: What should you do?

1. Start early

Both the UK and US frameworks require substantial evidence and preparation, so start early and don’t get caught cold. Cyber Essentials is the base for the UK, while an inventory and system security plan is the minimum in the US.

2. Know your contract’s risk profile

To get certified to the correct level, you need to know your contract’s risk profile. For example, if the UK contract you’re bidding for is considered high risk, you’ll likely need to comply with CMMC Level 2 or even 3.

3. Document everything

And we do mean everything. The controls associated with each level must be implemented, evidenced and easily auditable by assessors.

4. Budget for certification and maintenance

If you’re going to complete CMMC or DCC certification, you’ll need to budget for a few things beyond the list price. For instance, you’ll also need to factor in annual reviews, any remediation costs and the staff cyber awareness demanded by some controls (in the form of cybersecurity awareness training).

5. Leverage overlap (if you need to do both)

If you find yourself in the position where your organisation has to comply with both CMMC and DCC, there’s some good news. Controls in both frameworks do align in a few foundational areas, such as access management, incident response, and supply chain measures. This means that you don’t necessarily need to start from scratch each time if you’re a multi-national business.

DCC vs CMMC at a glance

Get ahead of the curve

In conclusion, if you’re a defence contractor that’s part of an MoD or DoD supply chain, you likely need to be thinking about DCC or CMMC. Both are going to become mandatory requirements for all defence sector contracts in the near future, so it pays to get ahead of the curve and begin planning now.

If you’re a small business struggling with DCC Level 0 or Level 1 requirements, CyberSmart can help you. We offer specialised cybersecurity packages, designed to help small businesses fulfil DCC criteria. Find out more here.

Whaling is a sophisticated form of cyberattack that targets high-profile executives and senior decision-makers within organisations – aka the “big fish”.

Unlike standard phishing attacks that cast a wide net, whaling attacks are meticulously crafted and highly personalised campaigns. They’re designed to deceive C-suite executives into authorising fraudulent transactions or revealing sensitive information – making them one of the most dangerous threats facing businesses.

How do whaling attacks work?

Whaling attacks typically begin weeks or even months before the victim receives the first malicious email. Cybercriminals gather information from various sources, studying their targets’:

• Communication style
• Business relationships
• Operational schedules

This enables them to build a comprehensive picture of how the target operates.  

Armed with this knowledge, attackers craft seemingly authentic emails that appear to come from trusted sources. Think board members, legal counsel, or business partners.

Why do cybercriminals target the C-suite?

Hackers focus on executives because they are the highest value targets in any organisation. Senior leaders typically have:

• Unrestricted access to financial systems
• The authority to approve large transactions without extensive oversight
• Intimate knowledge of business operations, strategic plans, and sensitive client information

Their busy schedules mean they're more likely to act quickly on urgent requests without following standard verification procedures.

What makes whaling attacks so dangerous?

When criminals successfully deceive an executive, the potential payoff is exponentially higher than targeting regular employees. Successful CFO or CEO fraud can result in hackers gaining access to highly sensitive business data and the theft of millions of pounds in fraudulent transfers.

What makes whaling dangerous?

• Attackers extensively research and personalise their campaigns
• Criminals exploit the authority and trust that senior positions command
• Financial losses typically run much higher than standard phishing attempts
• Their sophisticated nature makes them harder to detect

Whaling vs phishing vs spear phishing

While all three attack types fall under the social engineering umbrella, they differ significantly in scope and targeting.

Phishing

Phishing casts the widest net, sending generic malicious emails to thousands of recipients, hoping to land a catch. These attacks often contain obvious red flags like poor grammar or suspicious links.

Spear phishing

Spear phishing narrows the focus to specific individuals or groups within an organisation. In spear phishing attacks, hackers use publicly available information to create convincing messages tailored to the target.

Whaling

Whaling goes further still, exclusively targeting high-value executives with extensively researched, highly personalised attacks that can take weeks or months to prepare. Criminals invest this time because the potential payoff is enormous.

AI’s impact on whaling attacks

AI has made whaling and other social engineering attacks more sophisticated and accessible than ever before. Recent research claims cybercriminals use AI in 67.4% of all phishing attacks. The question is, how?

Content creation

AI allows hackers to create emails that perfectly mimic an executive's writing style, tone, and communication patterns. Gone are the days when you could spot a fake email by looking for typos or unusual phrasing.

Voice phishing

Voice phishing (or vishing) attacks surged 442% between the first and second halves of 2024. Cybercriminals use AI-generated voice clones that can replicate an executive's speech patterns from just a few seconds of audio.

Deepfake whaling attacks

A relatively recent trend has seen cybercriminals use AI to make sophisticated deepfake video calls. These attacks involve creating realistic avatars of executives that participate in live video conferences, making requests for fund transfers or sensitive information.

The technology has advanced to the point where deepfakes can convincingly replicate facial expressions, speech patterns, and mannerisms, making it extremely difficult for victims to detect.

7 Whaling prevention and mitigation strategies

Protecting your organisation against whaling attacks requires a multi-layered approach that combines technology, processes, and employee awareness.

1. Multi-factor authentication and access controls

Set up multi-factor authentication (MFA) for all senior executives and anyone with access to financial systems. Create separate administrative accounts and ensure that no single person can authorise high-value transactions without additional verification.

2. Verification protocols for financial requests

Establish mandatory dual-channel verification for any financial request over a certain threshold. If someone receives an email requesting a wire transfer, they must verify the request through a different communication method – ideally, an in-person conversation or phone call to a known number.

Create a “safe word” system for urgent requests, where executives and finance teams use predetermined phrases that criminals can’t easily discover through research.

3. Executive phishing awareness training

Run cybersecurity awareness training sessions that specifically address social engineering attacks. Training should include hands-on simulations using realistic scenarios that executives might encounter, such as urgent legal requests or time-sensitive acquisition communications, as well as:

• How to identify social engineering tactics
• The importance of verifying unusual requests through secondary channels
• Staying alert to potential deepfake audio and video attacks

4. Email security and filtering

Deploy advanced email security that can detect sophisticated phishing attempts. For the best protection, consider investing in a system that uses AI to analyse communication patterns and flag unusual requests – even when they come from legitimate-looking accounts.

For added protection, implement domain-based message authentication, reporting, and conformance (DMARC) to prevent domain spoofing and ensure emails claiming to be from your organisation are legitimate.

5. Digital footprint management

Conduct regular audits of executives' online presence and limit the amount of publicly available personal and professional information. This includes:

• Reviewing social media privacy settings
• Limiting biographical information on company websites
• Being cautious about sharing travel schedules or personal details publicly

6. Incident response planning

Develop incident response procedures for whaling and business email compromise (BEC) attacks, and test them regularly to ensure everyone knows what to do in the event of a breach. According to Verizon, over half of BEC victims were able to recover at least 82% of their stolen money when they reported fraudulent transfers quickly.

Your response plan should include immediate contact procedures for banks, law enforcement, and cybersecurity teams, along with clear escalation processes for different types of whaling attempts.

7. Zero-trust architecture

Implement a zero-trust security model that assumes every request could be malicious, regardless of its apparent source. This means verifying every transaction, access request, and communication before acting.

Consider using advanced threat detection that detects unusual patterns in executive communications and financial activities.

Whaling attack examples

Understanding how whaling attacks unfold in practice helps illustrate why these threats are so effective and costly.

The FACC aerospace attack

In 2015, Austrian aerospace manufacturer FACC fell victim to a whaling attack that resulted in €50 million in losses.

Criminals impersonated the company's CEO in an email to a finance employee requesting an urgent fund transfer for what appeared to be a confidential acquisition deal. The finance worker, believing the request came directly from the CEO and feeling pressure to act quickly on the sensitive matter, authorised the transfer without seeking additional verification.

The $25 million deepfake conference call

One of the most sophisticated whaling attacks on record occurred in 2024 when criminals used deepfake technology to orchestrate an elaborate video conference scam targeting Arup, a multinational engineering firm. 

The finance worker believed they were participating in a legitimate meeting with senior colleagues, including the CFO. During the call, hackers convinced the unfortunate employee to transfer $25 million out of the company.

US non-profit fraud scheme

In 2024, law enforcement arrested a Nigerian cybercriminal who’d targeted charitable organisations in the US, stealing over $7 million. 

The attacker first compromised email accounts at one charity, then used that access to study internal communications and procedures. Armed with insider knowledge, the criminal impersonated legitimate employees to request fund transfers from a second charity, making the requests appear routine.

What is whaling in cybersecurity? A threat you can’t ignore

What is whaling in cybersecurity? In a nutshell, it’s one of the most sophisticated and expensive cybersecurity threats facing businesses. With BEC attacks costing companies over $16.6 billion in 2024 and AI making these attacks more accessible, organisations can no longer treat executive targeting as an edge case.

Defending against whaling requires robust technical controls, clear verification processes, and ongoing awareness training. By implementing comprehensive security measures, like those outlined in the government-backed Cyber Essentials certification, you can ensure your organisation's executives don't become the next big catch.

Want to give your people the skills to recognise cyber threats before they turn into breaches? Check out CyberSmart Learn, our cybersecurity focused learning management system.