DCC vs Cyber Essentials: What UK MOD Suppliers Must Know
A common misconception among UK suppliers entering the MOD supply chain: "I have got Cyber Essentials, do I still need DCC?" The honest answer is yes, where the contract requires DCC. Cyber Essentials and Defence Cyber Certification are complementary schemes, not substitutes. CE is your endpoint and access baseline. DCC is the organisation-level resilience the MOD expects. CE is a prerequisite at every DCC level (CE Plus is required at L2 and L3). This guide explains the relationship, the practical pathways depending on your situation, and the budget and timeline implications.
If you have just won a contract requiring DCC, or you are a supplier holding Cyber Essentials and your prime contractor has flagged DCC as a coming flow-down requirement, this is the framing you need.
Cyber Essentials in plain English
Cyber Essentials is the UK NCSC-backed cyber security baseline scheme, delivered by IASME and a network of IASME-licensed Certification Bodies. It covers five technical control families: firewalls, secure configuration, user access control, malware protection, and security update management. Assessment is by self-assessment plus IASME-licensed assessor review. The certificate is valid for 12 months. Pricing across the UK market starts from around £299.99 + VAT for Micro organisations.
Best understood as: your endpoint, network, and access baseline is hardened to the NCSC standard. CE proves the basics are in place across the systems and devices in scope.
Fig issues Cyber Essentials in 6 working hours for compliant submissions, with pricing from £299.99 + VAT for Micro organisations.
DCC in plain English
Defence Cyber Certification is the UK MOD's organisation-wide cyber assurance scheme for the defence supply chain. It is built on Defence Standard (Def Stan) 05-138 issue 4 and aligned with the NCSC Cyber Assurance Framework (CAF). It has 148 controls in total across four progressively stringent levels (L0 = 3 controls, L1 = 101, L2 = 139, L3 = 144). It replaces the per-contract DCPP Supplier Assurance Questionnaire with a single org-wide certificate that covers multiple MOD procurements at the level of risk specified by the contract. Validity is three years, with annual attestation at the end of years one and two. Assessments are delivered by IASME-licensed Certification Bodies; IASME is the MOD's official partner for the scheme.
Best understood as: the organisation as a whole - governance, identity, supply-chain flow-down, secure configuration, incident response - is at the level of resilience the MOD expects for the contract's Cyber Risk Profile.
Fig is IASME-licensed at DCC Level 0 and Level 1. Level 0 is published from £999.99 + VAT (2-3 week typical engagement); Level 1 is range-priced (£9,999 to £49,999 + VAT, 6-10 week typical engagement). Fig refers Level 2 and Level 3 to IASME-licensed Certification Bodies that hold those scopes.
How they relate
CE is a prerequisite at every DCC level. The relationship is layered, not parallel:
Cyber Essentials is the foundation
Required at every DCC level. L0 and L1 require standard CE; L2 and L3 require Cyber Essentials Plus. Without a current CE certificate, DCC scoping cannot start.
DCC builds on top
DCC L0 reviews three controls including a check that your CE evidence is current and aligned to the supplier role you are certifying for. L1 expands to 101 controls covering governance maturity, supply-chain flow-down, evidence retention, and incident response - all things CE does not cover.
CE evidence partially feeds DCC
At L0, CE evidence is one of three controls reviewed. At L1, CE evidence underpins parts of the secure-configuration and identity controls but is not sufficient on its own. The other 88 L1 controls require their own evidence pack.
Validity and rhythm differ
CE validity is annual; DCC validity is three years with annual attestation at year 1 and year 2. So the rhythm is: CE every 12 months, DCC re-assessed every 36 months.
Both delivered by IASME-licensed bodies
The same network of Certification Bodies delivers both schemes, but each body is licensed at specific scopes. A body can be IASME-licensed for CE but not for DCC, or licensed for some DCC levels but not others. Verify accreditation on the IASME directory.
What you actually need to do, depending on your situation
Four common starting points. Find the one that matches your case:
Situation 1 - You hold current CE; you have just won an MOD contract requiring DCC
Use your current CE as the prerequisite for DCC scoping immediately. Confirm the contract Cyber Risk Profile with the contracting authority and book a scoping call with an IASME-licensed Certification Body. Total time for a prepared organisation: around 3 weeks for L0, around 8 weeks for L1.
Situation 2 - You hold current CE; you are bidding for an MOD contract that may require DCC
Hold CE and confirm with the prime contractor or contracting authority whether DCC is required at award. If signalled, start DCC scoping pre-tender - being DCC-ready before the award is a competitive advantage. Do not certify at DCC speculatively if there is no contract requirement; DCC is contract-driven.
Situation 3 - You do not hold CE; you have just won an MOD contract requiring DCC
Get CE first, or buy CE bundled into the DCC fee at an IASME-licensed body that supports the bundle (Fig is one). Total time including CE issuance: around 3 weeks for L0, around 8 weeks for L1.
Situation 4 - You are in the defence supply chain and want to be future-proof
Hold CE always - it is the floor for MOD supply work. Add DCC at L0 or L1 only when a contract triggers it (or strategically when your pipeline justifies it). For the strategic L1 case, see "DCC Level 0 vs Level 1: which do you need?"
Total cost picture
Approximate published Fig pricing across the bundle:
- CE only: from £299.99 + VAT (Micro), 12-month renewal cycle.
- CE + DCC L0: at Fig, CE is bundled into L0 pricing - total from £999.99 + VAT including CE for Micro, single invoice.
- CE + DCC L1: at Fig, CE is bundled into L1 pricing - total from around £9,999 + VAT including CE for Micro, single invoice.
- CE Plus + DCC L2 / L3: out of Fig licensed scope - refer to IASME directory.
Across the market, CE and DCC are commonly billed as separate engagements by separate Certification Bodies. Bundling CE into the DCC fee, as Fig does, removes that line-item and the second contract.
Common misconceptions, corrected
- "DCC replaces Cyber Essentials." No - CE is a prerequisite at every DCC level. They are layered.
- "My CE is from a different Certification Body, do I need to redo it for Fig DCC?" No - any current CE certificate from any IASME-licensed body satisfies the prerequisite.
- "DCC is just CE for defence." No - CE is the endpoint baseline; DCC is org-level resilience. They cover different layers.
- "L0 is just CE with extra paperwork." No - L0 adds governance, identity, and supply-chain context that CE does not cover, plus formal assessment by an IASME-licensed assessor against Def Stan 05-138 issue 4.
Conclusion
Hold Cyber Essentials always - it is the prerequisite for every DCC level and the floor for MOD supply work. Add DCC at the level your contract requires when it requires it. CE is endpoint baseline; DCC is org-level resilience. The two are layered, not parallel.
If you are a defence supplier without CE, start with Cyber Essentials - Fig issues in 6 working hours for compliant submissions. If you hold CE and have a contract requiring DCC, book a 15-minute DCC scoping call - we will confirm your level, review your existing CE evidence, and give you a realistic timeline before any fee is incurred. The defence sector hub walks the CE-to-DCC pathway for MOD supply-chain organisations specifically.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.