Defence Cyber Certification (DCC)


Defence Standard 05-138 (DefStan 05-138) has long been the benchmark for cyber security in the defence supply chain. The DCC scheme enhances this by providing a structured certification process that aligns with the cyber risk profile associated with specific contracts.

What is a Defence Cyber Certification?

The Defence Cyber Certification (DCC) is a comprehensive cybersecurity framework developed by the UK Ministry of Defence and delivered by IASME. It aims to strengthen the cyber resilience of the UK’s defence sector by providing a structured certification process for suppliers.

DCC offers a single, organisation-level assurance that suppliers can present in support of UK Defence procurements. Certifications are subject to annual check-ins and re-certification every three years.

Being certified against this standard ensures suppliers meet and maintain robust cybersecurity across their organisation.

Key objectives:

  • Protect MOD supply chain integrity
  • Provide confidence in supplier cyber maturity
  • Reduce cyber risks across national defence infrastructure

This certification is part of a broader national effort to bolster cyber resilience in industries critical to national infrastructure.

What are the Different Levels of the Certification?

The DCC framework comprises four levels, each corresponding to the assessed cyber risk associated with a supplier’s output:

| Level | Controls | Requirements | Risk |
|---|---|---|---|
| Level Zero | 3 | Basic controls, entry-level requirement | Very low level of assessed cyber risk. Requires demonstration of basic cybersecurity practices. |
| Level One | 101 | Substantial controls, starts with Cyber Essentials | Low to moderate level of assessed cyber risk. Requires a comprehensive cybersecurity programme with good practices. |
| Level Two | 139 | Advanced controls, requires Cyber Essentials Plus | High level of assessed cyber risk. Requires advanced cybersecurity oversight and planning. |
| Level Three | 144 | Highest controls, requires Cyber Essentials Plus | Substantial level of assessed cyber risk. Requires expert cybersecurity capabilities. |

Required certification levels will be determined by each contract’s specific cyber risk profile. The MOD will assess your projects’ sensitivity and requirements and then assign the appropriate DCC level. This means your organisation’s security measures will be directly matched to the risks you face, ensuring both efficiency and robust protection.

  • Level Zero (3 Controls): For suppliers with a very low level of assessed cyber risk. Requires demonstration of basic cybersecurity practices.
  • Level One (101 Controls): For suppliers with a low to moderate level of assessed cyber risk. Requires a comprehensive cybersecurity programme with good practices.
  • Level Two (139 Controls): For suppliers with a high level of assessed cyber risk. Requires advanced cybersecurity oversight and planning, including Cyber Essentials Plus certification.
  • Level Three (144 Controls): For suppliers with a substantial level of assessed cyber risk. Requires expert cybersecurity capabilities and Cyber Essentials Plus certification.

Each level builds upon the previous, ensuring a scalable approach to cybersecurity maturity.


The Certification Process: Example for Level Zero

Understand the DCC Level Zero scope. Before proceeding with DCC Level Zero, a Cyber Essentials certification needs to be in place.

Scope is critical, so be aware of the following:

  • Your Cyber Essentials certification must cover all internet-connected areas within the DCC scope.
  • DCC also includes non-internet connected devices.
  • If your Cyber Essentials scope does not adequately align, it is an automatic failure.

Next, prepare and submit your answers and evidence related to:

  • Your Cyber Essentials scope
  • Data security basics
  • UK GDPR compliance (data governance)
  • Network and system resilience (evidence of planning and recovery capability)

Our assessors will then conduct a Teams session to:

  • Discuss submitted evidence
  • Clarify scope differences
  • Review supporting documentation

Based on your evidence, Baigents will determine your certification outcome. A successful assessment will result in a Level Zero certification valid for 36 months.
