DCC Level 0 vs Level 1: Which Defence Cyber Certification Do You Need?
"Can we save money by going with Level 0?" is the most common question UK defence suppliers ask at DCC scoping. The honest answer: you do not choose your DCC level - your contract Cyber Risk Profile (CRP) determines it. This guide compares Level 0 and Level 1 head-to-head, explains the cost of getting it wrong, and shows when a strategic Level 1 covers a mixed CRP supplier pipeline cheaper than running both.
The most common question Fig hears at DCC scoping is "can we save money by going with Level 0?" The honest answer is that you do not choose your DCC level - your contract Cyber Risk Profile (CRP) determines it. This guide compares Level 0 and Level 1 head-to-head, explains how to verify which level your contract actually requires, and shows the cases where a strategic Level 1 covers a mixed CRP supplier pipeline more cheaply than running multiple Level 0 engagements over time.
Cyber Risk Profile (CRP) is the lever defence buyers should know about before they shop for a Certification Body. The CRP value is assigned by the MOD awarding body, not negotiated by the supplier, and it maps directly to the required DCC level. Very Low CRP requires Level 0. Low CRP requires Level 1. Moderate CRP requires Level 2. High CRP requires Level 3.
This post focuses on the L0 vs L1 comparison because those two cover the largest share of contracts in the UK MOD supply chain. For Level 2 and Level 3 referrals, Fig refers suppliers to IASME-licensed Certification Bodies that hold those scopes.
What DCC Level 0 covers
Level 0 is the foundational tier. It applies where the contract Cyber Risk Profile is Very Low - typically supplier roles with the lowest assessed risk to the data and functions delivered. Examples include certain professional services into the defence supply chain, non-classified support roles, and tier-2 / tier-3 supplier positions where the contracting authority has assessed the cyber risk as Very Low.
Key facts:
- 3 controls focused on governance, identity, device, and supply-chain context
- Documentation review only - no on-site visit, no technical inspection
- Prerequisite: a current Cyber Essentials certificate (any IASME-licensed body)
- Fig published timeline: 2-3 weeks for prepared organisations
- Fig published pricing: £999.99 / £1,499.99 / £2,499.99 / £4,999.99 + VAT (Micro / Small / Medium / Large)
- Validity: 3 years, with annual attestation at end of years 1 and 2
L0 is suitable when your scope is well-bounded (single legal entity, defined sites, no MOD-classified data handling), your supply chain is small with documented flow-down, and your Cyber Essentials evidence is current and clean.
What DCC Level 1 covers
Level 1 is the formal engagement tier. It applies where the contract Cyber Risk Profile is Low - the most common requirement Fig sees in defence prime / tier-1 / tier-2 contract chains. Level 1 buyers typically include defence subcontractors with cloud or hybrid infrastructure, multi-site operations, or supplier flow-down requirements that go beyond a single tier.
Key facts:
- 101 controls across governance, identity, device, secure configuration, and supply-chain
- Documentation review with clarification rounds and remediation cycles - some scopes trigger evidence-verification calls
- Prerequisite: a current Cyber Essentials certificate (Cyber Essentials Plus is required at L2, not L1)
- Fig published timeline: 6-10 weeks for prepared organisations
- Fig published pricing: £9,999.99 to £49,999 + VAT, scoped by supplier complexity (sites, cloud footprint, legacy systems, supply chain, staff, existing maturity)
- Validity: 3 years, with annual attestation at end of years 1 and 2
Fig bundles a dedicated consultant and the Fig Technology compliance automation platform into the L1 base fee, with up to three structured remediation rounds before formal assessment.
Head-to-head comparison
| | DCC Level 0 | DCC Level 1 |
|---|---|---|
| Controls | 3 | 101 |
| Underlying standard | Def Stan 05-138 issue 4 | Def Stan 05-138 issue 4 |
| CRP triggered by | Very Low | Low |
| Assessment style | Documentation review | Documentation + clarification + remediation |
| On-site visit | No | Not typically - depends on scope |
| Prerequisite | Current Cyber Essentials | Current Cyber Essentials |
| Fig published price (Micro) | £999.99 + VAT | From around £9,999 + VAT (scoped) |
| Fig published price (Large) | £4,999.99 + VAT | Up to £49,999 + VAT (scoped) |
| Fig timeline | 2-3 weeks | 6-10 weeks |
| Certificate validity | 3 years | 3 years |
| Annual attestation | Years 1 + 2 | Years 1 + 2 |
| Year-3 re-assessment | Yes | Yes |
The price gap between L0 and L1 is real - roughly an order of magnitude at the Micro tier. The work gap is also real: L0 is three controls and a documentation review; L1 is 101 controls plus structured remediation. The right answer is the one that matches the contract requirement, not the one that minimises the immediate fee.
How to verify which level your contract actually requires
Three patterns to read in your contract clause:
1. The clause names a CRP explicitly - Very Low, Low, Moderate, or High. Map directly to the DCC level (L0, L1, L2, L3).
2. The clause names DCC Level X explicitly. Use that level.
3. The clause is vague - phrases like "industry-standard cyber security", "appropriate cyber controls", or "compliance with Defence Standards" without naming the level. Ask the contracting authority in writing. Never assume L0 to save cost.
Phrases that do NOT determine your DCC level on their own:
- "Cyber Essentials required" - this means CE is required, not that DCC is. The contract may be a non-DCC contract.
- "Compliance with Defence Standards" - verify which CRP / DCC level.
- "Industry-standard cyber security" - too vague; ask for explicit CRP.
The cost of getting it wrong
Two failure modes erode value:
- Level 0 when Level 1 was required. The assessor reviews the L0 evidence pack against L0 controls and issues the certificate. Then the prime contractor or contracting authority rejects the certificate as insufficient for the contract requirement. The supplier re-engages at Level 1 - paying again, restarting scoping, and missing the contract acceptance window.
- Level 1 when Level 0 was sufficient. The supplier pays an additional £8,000+ and absorbs four to six extra weeks of work for an outcome that L0 would have delivered.
The asymmetric rule: when uncertain, escalate to L1 rather than risk a failed L0. The cost of a failed L0 plus an L1 re-engagement is materially higher than the cost of starting at L1.
When a strategic L1 beats running multiple L0s
The CRP is contract-specific, but DCC is organisation-wide. If your supplier pipeline includes contracts at different CRPs - for example two Very Low CRP contracts and one Low CRP contract over a 24-month window - certifying once at Level 1 covers all three.
The pricing math (using Fig published bands):
- Two L0 Micro engagements + one L1 Micro engagement = £999.99 + £999.99 + £9,999 = around £12,000 + VAT
- One strategic L1 Micro engagement = around £9,999 + VAT
You also avoid the operational overhead of running two separate L0 engagements (scoping calls, evidence collection sprints, attestation cycles), and your certificate is at the higher tier when bidding for new work. Most defence buyers find L1 is the practical default if their pipeline is mixed.
The same logic does not apply at every scale - if your pipeline is single-contract Very Low CRP, L0 is the right answer. The decision turns on the realistic 24-month CRP mix.
When to consider L1 even if your CRP says L0
A few additional cases push the decision toward L1 even when L0 would technically satisfy the immediate contract:
- You expect to win Low CRP contracts within 12 months and want to be tender-ready
- You are entering the defence supply chain and want to demonstrate maturity beyond the minimum
- Your prime contractor signals that L1 will be the flow-down requirement on the next contract round
- Your in-scope estate is more complex than the contract itself implies (multi-cloud, legacy systems, multi-tier supply chain)
In these cases, the strategic L1 buys positioning that L0 does not.
Conclusion
You do not choose your DCC level - your contract CRP does. Level 0 is the right level for Very Low CRP contracts with bounded scope; Level 1 is the right level for Low CRP contracts and for suppliers with mixed CRP pipelines that can be covered by one engagement. Level 2 and Level 3 are higher tiers that Fig refers to other IASME-licensed bodies.
Two next steps. Read the DCC Level 0 detail page and the DCC Level 1 detail page to see the full scope at each tier. Or book a 15-minute scoping call and an IASME-licensed assessor will confirm the level your contract requires before any fee is incurred.
For the broader pricing landscape, see the cheapest DCC support page - including a Fig estimate of typical UK market ranges based on public IASME-directory review.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.