DEFSTAN 05-138 - What does it mean for suppliers?

DEFSTAN 05-138 issue 4 is the UK MOD's published cyber security standard for the defence supply chain - the document that DCC Level 0 to Level 3 assess against. From the end of 2026, the MOD CISO is making DCC Level 0 mandatory for every supplier in the MOD supply chain. This guide explains the standard, the supplier obligations, who is in scope, and what certification costs.

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Read time

13 min read

Section 01

DEFSTAN 05-138 - What does it mean for suppliers?

DEFSTAN 05-138 (also written Def Stan 05-138, and formally Defence Standard 05-138) is the UK Ministry of Defence's published cyber security standard for the defence supply chain. The current version is issue 4. It defines the four control sets that sit underneath the Defence Cyber Certification (DCC) scheme, replaces the legacy Defence Cyber Protection Partnership (DCPP) Supplier Assurance Questionnaire, and is the document UK MOD contracts now point to when they specify the cyber posture a supplier must hold. From the end of 2026, the MOD is operating the standard as the single gating control for entry to its supply chain. If you supply the MOD, directly or as a subcontractor at any tier, DEFSTAN 05-138 issue 4 is the standard that determines whether you can hold the contract.

Section 02

What changed in the latest DEFSTAN 05-138

DEFSTAN 05-138 issue 4 is the current published version. The headline change versus the prior regime is the move from supplier self-attestation to independent third-party audit. Under DCPP, suppliers claimed compliance by completing a Supplier Assurance Questionnaire (SAQ) and buyers had to take the form on trust - no independent verification. Under issue 4, suppliers must be assessed by an IASME-licensed Certification Body and pass a formal audit. Buyers can verify the certificate, not just trust the form.

The substantive control changes follow from that audit footing.

The standard defines four control sets, not one. Issue 4 codifies four progressively stringent control sets that map onto the four DCC levels. Level 0 covers three foundational controls. Level 1 covers 101 controls across governance, identity, device, secure configuration, and supply chain. Level 2 covers 139 controls including technical verification. Level 3 covers 144 controls and is the most demanding tier. The total control universe is 148 controls across the four levels.

Levels are pulled by the contract Cyber Risk Profile. Each MOD contract is assigned a Cyber Risk Profile (CRP) by the contracting authority - Very Low, Low, Moderate, or High - and the CRP determines which DCC level the supplier must hold. Issue 4 makes the CRP the contractual dial that points to the applicable control set. Suppliers do not choose their level; the contract does. See the Cyber Risk Profile reference for the full mapping and the contract-clause language that triggers each level.

Scope is the supplier's overarching corporate or enterprise environment. Issue 4 clause 1.1 sets the scope of the standard as the supplier's overarching corporate or enterprise environment - all systems, processes, procedures, and data necessary for the effective protection of the data and functions in scope of the MOD contract. This is intentionally broad. It goes beyond protecting only the information provided to the supplier in support of the contracted output. Per the IASME Scoping Guide, scope is not just about the data held: if the processes and systems are essential for the organisation to operate as a business in support of the contract, they are within scope. The conservative test the DCC scoping guide sets out: if removing a system would impair the supplier's ability to deliver the contracted output, that system is in scope.

Cyber Essentials is the prerequisite at every level. Issue 4 makes a current Cyber Essentials certificate the floor for every DCC engagement. Levels 0 and 1 require standard Cyber Essentials. Levels 2 and 3 require Cyber Essentials Plus. The certificate must be within its 12-month validity window and can come from any IASME-licensed Certification Body. Without current CE, DCC scoping cannot start.

Certificates are organisation-wide and run for three years. Under issue 4, a single DCC certificate at the supplier's certified level covers multiple MOD procurements at or below that CRP. The certificate is valid for three years, with annual attestation at the end of years one and two confirming the in-scope controls remain in place. Year three is full re-assessment. This replaces the per-contract SAQ cycle and removes duplicate evidence work across a supplier's MOD pipeline.

Alignment with the NCSC Cyber Assurance Framework. Issue 4 aligns the DCC control sets with the NCSC Cyber Assurance Framework (CAF), which means suppliers already working against CAF principles - including suppliers in other regulated sectors - find substantial control overlap. The standard is also consistent with the IASME DCC Overview Document v1.2, the canonical IASME-published companion that explains how the controls are assessed.

The transition from DCPP self-attestation to independently audited DCC certification is the change suppliers feel hardest. The control universe is larger, the evidence depth is greater, and the verification is external. Suppliers carrying historical SAQ documentation should not assume that material translates directly - the assessor will review it against issue 4 and call out where it does not meet the audit threshold. There is no published issue 5; issue 4 is the current and only operational version of the standard.

Section 03

What this means for UK MOD suppliers

DEFSTAN 05-138 issue 4 changes how a UK MOD supplier proves cyber posture, what evidence they need to hold, and how often they need to demonstrate it. Treating the standard as paperwork is the principal failure mode Fig sees at scoping conversations. Treating it as a contract requirement that gates revenue is the right framing.

If your MOD contract names a Very Low Cyber Risk Profile, you must hold DCC Level 0. That means a documentation-led IASME assessment of three controls covering governance, identity, device, and supply-chain context, with a current Cyber Essentials certificate as a prerequisite. Fig's published delivery for L0 is 2-3 weeks for prepared organisations. See DCC Level 0 for the full scope.

If your MOD contract names a Low Cyber Risk Profile, you must hold DCC Level 1. That means a consultant-led IASME assessment of 101 controls across governance, identity, device, secure configuration, and supply chain, with current Cyber Essentials and structured remediation rounds before formal assessment. Fig's published delivery for L1 is 6-10 weeks for prepared organisations. See DCC Level 1 for the full scope.

If your MOD contract names a Moderate Cyber Risk Profile, you must hold DCC Level 2. L2 requires Cyber Essentials Plus as the prerequisite (not standard Cyber Essentials), 139 controls, and hands-on technical verification including multi-tier supply-chain assessment. Fig refers L2 engagements to IASME-licensed Certification Bodies that hold Level 2 scope - see the IASME directory for accredited bodies.

If your MOD contract names a High Cyber Risk Profile, you must hold DCC Level 3. L3 covers 144 controls, requires Cyber Essentials Plus, and is currently delivered as a Level 2 / Level 3 hybrid pilot. Fig refers L3 engagements.

The supplier obligations that follow from issue 4 are concrete, not abstract.

Read the CRP in your contract clause - do not infer it. Three patterns appear in MOD and prime-contractor flow-down clauses: the clause names the CRP explicitly, the clause names a DCC level explicitly, or the clause uses vague language like "industry-standard cyber security" or "compliance with Defence Standards" without naming the level. The third case is the trap. Ask the contracting authority in writing before incurring assessment cost. Choosing the wrong level is materially more expensive than confirming it.

Hold current Cyber Essentials at all times. CE is the prerequisite at every DCC level and the floor for MOD supply work in general. CE validity is 12 months; a lapsed certificate halts DCC scoping. Fig issues Cyber Essentials within six working hours of a compliant submission from £299.99 + VAT for Micro organisations.

Scope your assessment to the contract, not to everything you own. Over-scoping multiplies evidence work; under-scoping fails certification. The IASME Scoping Guide is explicit: failure to adequately and accurately define the scope, including under-scoping, will result in a failure to achieve certification even if all required controls have been met. Use the DCC scoping guide to bound the engagement before any fee is incurred.

Treat supply-chain evidence as a four-to-six-week workstream, not an attachment. L1 supply-chain controls require documented flow-down (security clauses in supplier contracts), Supplier Capability Assessments (SCAs) against direct suppliers, and visibility on whether suppliers handle in-scope MOD data. Send SCAs to direct suppliers in week one of the engagement, not week five - suppliers respond on their own timelines, and the engagement stalls waiting for them.

Plan for the three-year cycle, not the certificate. The certificate is valid for three years, but annual attestation at the end of years one and two is a contractual requirement, and year three is a full re-assessment. Build the annual attestation cadence into the same calendar that holds your Cyber Essentials renewal so neither lapses mid-engagement.

Certify once at the highest level your pipeline requires. DCC is organisation-wide, not contract-specific. If your pipeline includes contracts at multiple CRPs - for example two Very Low CRP contracts and one Low CRP contract over a 24-month window - certifying once at Level 1 covers all three at lower total cost than running two L0 engagements plus one L1.

Pre-DCPP evidence transfers selectively, not wholesale. Suppliers transitioning from the prior DCPP regime should expect their Cyber Essentials evidence to map directly into Level 0. The wider SAQ documentation - governance narratives, risk registers, supplier lists - is reviewed against issue 4 at scoping and updated where it does not meet the audit threshold. Do not assume historical SAQ artefacts satisfy issue 4 without an assessor sign-off.

Section 04

Who needs to get Defence Cyber Certified

The population covered by DEFSTAN 05-138 issue 4 is wide and gets wider in 2026. The principal trigger is a contract with the UK MOD or a flow-down clause from a prime that holds an MOD contract. The standard does not distinguish between size, sector, or contract value at the level of who needs to comply - it distinguishes by Cyber Risk Profile.

Prime contractors to the MOD. Primes holding direct MOD contracts are within scope of DEFSTAN 05-138 at the CRP named in their contract. Primes typically certify at Level 1 or above, and cascade DCC requirements as flow-down to their tier-1 subcontractors.

Tier-1, tier-2 and tier-3 subcontractors. Subcontractors in the MOD supply chain inherit DEFSTAN 05-138 obligations through flow-down. A tier-1 subcontractor on a Low CRP contract holds DCC Level 1. A tier-2 or tier-3 supplier on a Very Low CRP supporting role typically holds DCC Level 0. The CRP is set by the contracting authority - the MOD or the prime in a subcontract scenario - and is named in the contract clause or DCPP requirements section.

Framework suppliers. Suppliers on MOD frameworks (DE&S, DIO, DSTL, Defence Sourcing Portal call-offs, Crown Commercial Service routes that feed MOD spend) are within scope when individual call-offs name a CRP. Holding DCC at the highest CRP the framework triggers is the practical default for framework participants.

Direct MOD procurements. Suppliers responding to direct MOD procurements, including small-value contracts under departmental thresholds, are within scope when the contract clause names DCC or a CRP. The standard does not exempt small contracts.

Professional services and technology vendors. Professional services suppliers (consulting, legal, financial, training) and technology vendors (software, cloud services, managed services) into the MOD supply chain are within scope at the CRP their contract names. Many professional services suppliers find their CRPs sit at Very Low or Low, mapping to DCC Level 0 or Level 1. Technology vendors with privileged access to MOD environments typically sit at Moderate or High CRP.

Operational technology and infrastructure suppliers. Suppliers providing operational technology - OT systems, ICS components, infrastructure services - with material consequence on MOD systems typically certify at Level 2. Suppliers whose compromise would expose national-security-relevant data certify at Level 3.

MOD-adjacent regulated supply chains. Suppliers into defence-adjacent procurement routes (defence-aligned NHS, defence-aligned critical national infrastructure programmes, defence research consortia) inherit DCC obligations where the parent contract flows down DEFSTAN 05-138 requirements.

Cyber Essentials is a prerequisite for the whole population. Issue 4 requires a current Cyber Essentials certificate at every DCC level. CE Plus is required at L2 and L3. Suppliers who do not yet hold CE need to plan for the CE engagement before DCC scoping begins, or bundle it into the DCC fee at a Certification Body that supports the bundle - Fig is one. See Cyber Essentials for the CE prerequisite detail.

If you are unsure whether your contract triggers DCC, the practical test is the contract clause. If the clause names a CRP, names a DCC level, or references DEFSTAN 05-138, you are in scope. If the clause is vague, ask the contracting authority in writing before incurring assessment cost. Use the DCC scoping guide or book a scoping call to confirm the level your contract requires before any fee is incurred.

Section 05

The 2026 MOD CISO mandate: DCC Level 0 becomes mandatory for all MOD suppliers

The single most consequential development for the UK defence supplier base in 2026 is the MOD Chief Information Security Officer's confirmation that DCC Level 0 will be mandatory for every supplier to the MOD by the end of 2026. The shift moves DCC from a contract-by-contract certification to a baseline gating control for the entire MOD supply chain. Suppliers who are not certified at DCC Level 0 or above by the end of 2026 will not be eligible to bid for, or hold, MOD contracts. The full mandate detail is in our companion guide: MOD CISO confirms DCC Level 0 mandatory for every UK defence supplier by end of 2026.

The mandate is significant for three reasons.

It removes the contract-clause trigger. Before the mandate, DCC obligations arose only when a specific contract clause named a CRP or a DCC level. Suppliers without an active MOD contract clause specifying DCC could legitimately defer certification. After the mandate, every supplier in the MOD supply chain - direct, subcontracted, framework, call-off - is in scope of DCC Level 0 regardless of any individual contract's CRP. Level 0 becomes the supply-chain floor.

It compresses the timeline. Suppliers who have not started DCC scoping have until the end of 2026 to hold a current certificate. Fig's published L0 delivery is 2-3 weeks for prepared organisations, but unprepared organisations - particularly those without current Cyber Essentials - need to plan for the longer end of the band. The IASME-licensed Certification Body capacity in the UK is finite, and demand will concentrate in the second half of 2026. Suppliers leaving DCC scoping until Q3 or Q4 2026 risk being unable to certify in time.

It changes the procurement risk calculation. Holding DCC L0 in advance of the mandate becomes a competitive differentiator at tender. Suppliers without DCC at award become an unacceptable counterparty risk for primes who themselves rely on certified flow-down. The procurement consequence of not holding DCC by the end of 2026 is exclusion from the supply chain, not a remediation conversation.

What suppliers should do now:

1. Confirm your Cyber Essentials status today. CE is the prerequisite. If you do not hold a current CE certificate, get one - Fig issues in six working hours from £299.99 + VAT. See Cyber Essentials.

2. Read your existing MOD contracts and prime flow-downs for a CRP. If your contracts already name a CRP, certify to that CRP rather than to Level 0 - a higher-level certificate satisfies the Level 0 mandate.

3. Book DCC scoping in 2026 H1, not H2. The capacity squeeze is predictable. Suppliers who book before the rush get prepared engagements rather than queued engagements.

4. Build the three-year DCC cycle into your renewal calendar. Certificates are valid for three years with annual attestation at years one and two. The end-of-2026 deadline is the first deadline, not the only one. See the DCC scoping guide.

5. Read the full step-by-step path from contract clause to certificate. Our companion guide, How to get Defence Cyber Certified: step-by-step for UK MOD suppliers, walks the seven steps end-to-end.

The mandate also changes the calculus on level selection. Suppliers who would otherwise have certified at Level 0 to meet a specific Very Low CRP contract should consider whether their 24-month pipeline justifies a strategic Level 1 instead. Once L0 is universal, L0 stops being a differentiator at tender; L1 becomes the meaningful signal of supplier maturity for buyers comparing bids. The DCC Level 0 vs Level 1 comparison walks the strategic decision in detail.

Section 06

DCC pricing: what certification costs

Fig publishes DCC pricing openly so suppliers can budget before scoping. The pricing structure follows the level - L0 is flat-priced by organisation size, L1 is range-priced by variance drivers - and Cyber Essentials is bundled into the DCC fee where the supplier does not already hold a current certificate.

DCC Level 0 is flat-priced by organisation size, delivered in 2-3 weeks for prepared organisations:

  • Micro (1-9 employees): £999.99 + VAT
  • Small (10-49 employees): £1,499.99 + VAT
  • Medium (50-249 employees): £2,499.99 + VAT
  • Large (250+ employees): £4,999.99 + VAT

Cyber Essentials is bundled into the Level 0 fee where the supplier does not already hold a current certificate. Suppliers holding CE from another IASME-licensed Certification Body keep that work - Fig does not require re-certification of CE.

DCC Level 1 is range-priced according to supplier complexity, delivered in 6-10 weeks for prepared organisations:

  • From £9,999 + VAT (Micro, simple scope, clean estate)
  • Up to £49,999 + VAT (Large, complex scope, multi-cloud, large supply chain)

The variance drivers Fig prices against are site count, cloud footprint, legacy system presence, supply-chain depth, staff population, and existing maturity. A clean single-site organisation with current ISO 27001 alignment sits at the lower end of the band. A multi-site, multi-cloud organisation with a legacy Windows estate and a 50+ supplier base sits at the upper end. Cyber Essentials is bundled into the Level 1 fee.

Cyber Essentials prerequisite cost is from £299.99 + VAT for Micro organisations, with size-banded pricing for Small / Medium / Large. CE is required at every DCC level and is bundled into Fig's DCC pricing where the supplier does not already hold a current certificate. CE Plus is required at L2 and L3.

DCC Level 2 and Level 3 are not within Fig's licensed scope. Fig refers L2 and L3 engagements to IASME-licensed Certification Bodies that hold those scopes. L2 engagements are typically £40,000 to £90,000 + VAT scoped against the contract. L3 engagements are typically priced bespoke, often six figures.

Hidden costs to budget for separately: internal time (one to two FTEs across six to ten weeks at L1), legacy decommissioning where applicable, and supplier SCA response wait time. For the full pricing detail, including the variance-driver breakdown, see the DCC pricing detail on the hub.

Section 07

Frequently asked questions

Is DEFSTAN 05-138 mandatory?

Yes, in the contexts where it applies. The MOD CISO has confirmed that from the end of 2026 DCC Level 0 - the IASME-assessed control set drawn from DEFSTAN 05-138 issue 4 - will be mandatory for every supplier to the UK MOD. Where a specific MOD contract names a higher Cyber Risk Profile, the supplier must hold the corresponding higher DCC level (L1, L2, or L3).

When does DEFSTAN 05-138 become mandatory for all MOD suppliers?

The MOD CISO has confirmed end of 2026 as the deadline for DCC Level 0 to be mandatory across the entire MOD supplier base. Higher levels remain triggered by individual contract CRPs and are required from contract award. The full mandate detail is in our MOD CISO mandate guide.

What is the difference between DEFSTAN 05-138 and DCC?

DEFSTAN 05-138 issue 4 is the published Defence Standard - the document defining the four control sets. DCC (Defence Cyber Certification) is the IASME-administered scheme that assesses suppliers against those control sets and issues certificates. Suppliers do not certify against DEFSTAN 05-138 directly; they certify at a DCC level (L0, L1, L2, or L3) that draws its control set from DEFSTAN 05-138 issue 4.

How does DEFSTAN 05-138 relate to Cyber Essentials?

Cyber Essentials is a prerequisite at every DCC level under DEFSTAN 05-138 issue 4. Levels 0 and 1 require a current Cyber Essentials certificate. Levels 2 and 3 require Cyber Essentials Plus. CE proves the endpoint and network baseline; DEFSTAN 05-138 covers the organisation-level governance, supply-chain, and resilience controls that sit on top.

What evidence does DEFSTAN 05-138 require?

The evidence depth scales with level. L0 evidence covers three controls including information security policy, roles and responsibilities, joiner / mover / leaver process, patch and malware evidence, an asset inventory, and a direct-supplier list with standard security clauses. L1 evidence covers all 101 controls in those domains in greater depth, plus secure-configuration baselines, Supplier Capability Assessments, and evidence of identity and access control under load.

Who has to comply with DEFSTAN 05-138?

Every UK MOD supplier from end of 2026 must hold at least DCC Level 0, which assesses against the DEFSTAN 05-138 issue 4 Level 0 control set. Suppliers on contracts with a Low, Moderate, or High CRP must hold the corresponding higher DCC level (L1, L2, L3). The standard applies to primes, tier-1, tier-2 and tier-3 subcontractors, framework suppliers, and direct MOD procurement participants.

What is the latest issue of DEFSTAN 05-138?

Issue 4 is the current published version. There is no issue 5; issue 4 is the only operational version of the standard at the time of writing. It defines the four DCC control sets, aligns with the NCSC Cyber Assurance Framework, and is the document referenced in the IASME DCC Overview Document v1.2 - the canonical IASME companion explaining how controls are assessed.

How much does DEFSTAN 05-138 compliance cost?

Compliance cost is the DCC fee at the level your contract requires. Fig publishes Level 0 from £999.99 + VAT (Micro) to £4,999.99 + VAT (Large), and Level 1 from £9,999 + VAT to £49,999 + VAT scoped to supplier complexity. Cyber Essentials is bundled into Fig's DCC pricing where the supplier does not already hold a current certificate. L2 and L3 are out of Fig's licensed scope.

How long does DEFSTAN 05-138 certification take?

Fig's published DCC Level 0 delivery is 2-3 weeks for prepared organisations. Level 1 is 6-10 weeks. The variance lives in the remediation cycles - clean evidence packs run through L1 in around six weeks; packs with legacy decommissioning or widespread gaps stretch to sixteen weeks or more.

Can a single DEFSTAN 05-138 certificate cover multiple MOD contracts?

Yes. DCC certificates are organisation-wide, not contract-specific. A single certificate at the supplier's certified level covers multiple MOD procurements at or below that CRP, valid for three years with annual attestation at the end of years one and two.

Section 08

Where to start

The three practical entry points for suppliers facing DEFSTAN 05-138 obligations are the same regardless of where the trigger came from.

1. Read the DCC scoping guide for the scope boundaries and the IASME-published scoping principles.

2. Read the Cyber Risk Profile reference for the contract-clause language that determines your level.

3. Book a 15-minute scoping call with an IASME-licensed assessor. We will confirm your CRP, review your existing Cyber Essentials evidence, and give you a realistic deadline-aware timeline before any fee is incurred.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
