What’s changed from the Supplier Assurance Questionnaire?

  • Applicant guide

    This document helps your organisation to compile and map documented evidence to the DefStan 05-138 Issue 4 controls.

  • Compliance is no longer contract-by-contract

    Unlike the SAQ, DCC certification, once awarded, is valid for three years, subject to annual check-ups.

  • Governance-focused

    DCC is an evidence-based certification that requires your business to show that cybersecurity is embedded across essential organisational functions.

Why your organisation needs DCC

  • To bid for MOD contracts

    Some MOD contracts specify DCC as a requirement. Check individual contract requirements to determine whether certification is needed.

  • Win contracts and credibility

    DCC compliance goes beyond MOD tenders; it can also help you win credibility and contracts throughout the defence sector.

  • Improve your organisation’s cybersecurity posture

    DCC is more than just a tick in a box; it can help improve your organisation’s day-to-day cybersecurity, ultimately protecting you from attack.

  • Level 0

    3 controls, 6 questions – Cyber Essentials required

  • Level 1

    101 controls, 236 questions – Cyber Essentials required

  • Level 2

    139 controls, 328 questions – Cyber Essentials Plus required

  • Level 3

    144 controls, 337 questions – Cyber Essentials Plus required

Rapid turnaround

Our experienced assessors will help you get DCC certified quickly.

DCC and Cyber Essentials in one package

With our Defence Readiness Package, you’ll get DCC, Cyber Essentials certification, and year-round assurance in a single purchase.

Expert support

Get support from our team of cybersecurity experts, including help with technical queries, guidance on preparing evidence for the Applicant Guide and renewal advice.

Continuous protection and monitoring

We go beyond assessment day with continuous monitoring, actionable alerts, and regular compliance reporting to help maintain your cybersecurity posture year-round.

Pre-assessment preparation

Benefit from pre-assessment support to review your current cybersecurity posture and identify any vulnerabilities or gaps.

We’re the UK’s leading certification body

CyberSmart is the UK’s most trusted certification body, delivering more certifications than anyone else.

Need help with certification?

Whether you’re a MOD supplier or aiming to be, CyberSmart can help.

Frequently asked questions

  • Defence Cyber Certification is a cybersecurity standard developed by the Ministry of Defence and IASME for organisations in defence supply chains. Valid for three years, it provides a single, organisation-wide assessment that demonstrates compliance with MOD security requirements.

  • Yes, depending on the level you need to be certified to, you’ll need at least a Cyber Essentials certification. Levels 2 and 3 also require Cyber Essentials Plus.

  • All MOD contracts undergo a cyber risk profile (CRP) assessment based on the four levels outlined by Defence Standard 05-138. Each contract is then given a level based on the CRP assessment, which suppliers must demonstrate they can meet when bidding for the contract.

    For example, if the contract you wish to bid for has been designated at Level 1, your organisation must be DCC certified to the same level or above.

  • The Applicant Guide is a structured document that helps your organisation to compile and map documented evidence to the DefStan 05-138 controls. It will be provided by the certification body assessing your organisation.

  • Due to the complexity of DCC, there’s no defined timescale as it can depend on your preparedness, the security gaps you need to remediate, and assessor availability.

  • No. DCC is currently an alternative to other security assessments such as the Security Aspects Questionnaire (SAQ). Some individual contracts may specify DCC as a requirement, but it is not universally mandatory across all MOD procurement.

  • The certification lasts three years, but an annual review is required to maintain the certificate, along with annual recertification to Cyber Essentials or Cyber Essentials Plus.