How Long Does Defence Cyber Certification Take? Realistic Timelines for L0 and L1

DCC Level 0 is typically 2-3 weeks; Level 1 is typically 6-10 weeks for a prepared organisation. The slowest end of the L1 band stretches to 16+ weeks. This guide breaks down where the time actually goes, what you can compress, and what you cannot. Caveat: timelines reflect Fig's published delivery model. Other IASME-licensed Certification Bodies may publish different timelines - verify before committing to a tender deadline.

Author: Jay Hopkins

Edited by Jack Wickham

The honest headline: Defence Cyber Certification Level 0 is typically 2-3 weeks; Level 1 is typically 6-10 weeks for a prepared organisation. Variance is real - the slowest end of the L1 band stretches to 16+ weeks for organisations with widespread evidence gaps, legacy systems, or large supplier flow-down requirements. This guide breaks down where the time actually goes, what you can compress, and what you cannot. Caveat: these timelines reflect Fig's published delivery model. Other IASME-licensed Certification Bodies may publish different timelines - verify before committing to a tender deadline.

If you have a tender deadline and a contract clause specifying DCC, the operative question is not whether DCC is achievable but whether it is achievable in the window you have. This guide covers Level 0 and Level 1 stage by stage, then describes the levers you actually control versus the ones built into the scheme.

DCC Level 0 timeline breakdown

| Stage | Time | What happens |
| --- | --- | --- |
| Scoping call | 1 day | Confirm the contract Cyber Risk Profile, agree in-scope assets, agree timeline + price |
| Cyber Essentials (if not held) | Same day | Fig 6-hour SLA for compliant submissions |
| Evidence collection | 1-2 weeks | Three controls - governance, identity, device, supply-chain documentation |
| Assessor review | 3-5 working days | Documentation review, no on-site visit |
| Certificate issuance | 1 day | 3-year validity from issue date |

Fastest realistic path: around 10 working days when Cyber Essentials is already held and governance documentation is current and well-organised.

Slowest realistic path: 4-6 weeks when starting from no CE and evidence collection is uncoordinated (multiple contributors, no internal lead, scattered policy documents).

What moves the needle on L0:

  • CE status. Holding a current Cyber Essentials certificate saves at least one working day immediately and removes the dependency on CE remediation cycles.
  • Internal project lead. A single named owner compresses the engagement materially compared to distributed responsibility. Distributed teams produce conflicting evidence; a single owner does not.
  • Documentation availability. Policies, procedures, and inventory lists already in place move faster than ones being written during the engagement.

DCC Level 1 timeline breakdown

| Stage | Time | What happens |
| --- | --- | --- |
| Scoping call + variance review | 3-5 working days | Confirm CRP, scope, variance drivers, price band |
| Cyber Essentials (if not held) | Same day | Fig 6-hour SLA - bundled into the L1 fee |
| Platform onboarding | 2-3 working days | Fig Technology platform configured for evidence pre-checking |
| Evidence gathering | 2-3 weeks | 101 controls across governance, identity, device, secure config, supply-chain |
| Remediation cycles (typically 2-3) | 2-3 weeks | Where most variance lives - depends on your team velocity |
| Formal assessment | 1 week | Assessor review + clarification rounds |
| Certificate issuance | 1 day | 3-year validity, annual attestation Years 1 + 2 |

Fastest realistic path: around 6 weeks for a prepared organisation with strong governance, ISO 27001 alignment, single-site / single-cloud, and a small supply chain.

Slowest realistic path: 16+ weeks for an organisation with widespread evidence gaps, legacy systems requiring decommissioning, multi-site / multi-cloud infrastructure, or large supplier flow-down requirements.

The variance lives in the remediation cycles. A clean evidence pack with five to ten minor findings runs through remediation in around ten working days. A pack with fifty-plus findings - including legacy decommissioning - can stretch to eight or more weeks of remediation alone.

What slows DCC down most often

Five recurring delays account for most timeline overruns:

  • Starting with no Cyber Essentials. CE is same-day at Fig if the submission is compliant. If the submission is not compliant, CE itself can take two to four weeks of remediation before DCC scoping starts.
  • Legacy systems without a decommissioning plan. Unsupported operating systems or end-of-life software in scope are high-severity findings. The remediation paths are decommission, move out of scope, or document compensating controls in detail. All take time.
  • Supplier evidence collection. L1 supply-chain controls require Supplier Capability Assessments. Suppliers respond on their own timelines - some take two to three weeks to return a signed SCA. Send them in week one of the engagement, not week five.
  • No internal project lead. Distributed responsibility produces slower decisions, more clarification rounds, and longer evidence cycles. A single named owner compresses every engagement.
  • Surprises in scope. Discovering a system, site, or supplier mid-engagement that should have been in scope at week one forces a re-scope that adds two to four weeks. Front-load scoping discovery.

For a deeper treatment of scoping failure modes, see DCC scoping mistakes that fail certification.

What you can compress

Compressible:

  • Cyber Essentials issuance - same-day with Fig for compliant submissions
  • Platform onboarding - 2-3 days; faster if you are already a Fig Technology platform customer
  • Scoping decision-making - book the call early, bring contract clauses, arrive with a defined Cyber Risk Profile
  • Internal sign-off cadence - have your authorised representative ready to sign at each gate, not three days later

Not compressible:

  • Assessor review time - IASME-licensed assessors work to a defined process. Cutting this corner risks a failed audit, not a faster certificate.
  • Remediation work - you cannot move faster than the remediation requires. Rushing causes findings on top of findings.
  • Supplier response time - third-party SCAs come back when they come back. Allow buffer.
  • Certificate issuance - IASME process governs this and is not negotiable per engagement.

Three realistic scenarios

The variance bands above are abstract. The numbers are easier to read with three concrete scenarios:

Scenario A - Defence subcontractor, 30 staff, current CE, single-site SaaS, Low CRP contract

  • Scoping: 3 days
  • Evidence gathering: 3 weeks
  • Remediation: 2 weeks (clean pack, minor findings)
  • Formal assessment + certificate: 1 week
  • Total: around 7 weeks for L1

Scenario B - Same supplier but at L0 (Very Low CRP)

  • Scoping: 1 day
  • Evidence gathering: 1.5 weeks
  • Assessor review: 4 days
  • Certificate: 1 day
  • Total: around 2.5 weeks for L0

Scenario C - Defence contractor, 200 staff, no CE, multi-site, Low CRP, 50+ suppliers, legacy Windows estate

  • CE issuance + remediation: 3 weeks
  • Scoping: 5 days
  • Evidence gathering: 3 weeks
  • Remediation: 8 weeks (multiple rounds, legacy decommissioning)
  • Formal assessment: 2 weeks
  • Certificate: 1 day
  • Total: around 16 weeks for L1

The same supplier with a clean estate (current CE, no legacy systems, single site, ten suppliers) drops to around eight weeks. The legacy estate alone adds eight weeks to the engagement.

Conclusion

L0 in 2-3 weeks; L1 in 6-10 weeks for prepared organisations. The biggest lever you control is preparation: hold Cyber Essentials, organise evidence early, name a single internal owner, contact suppliers in week one, identify legacy systems at scoping.

If you have a tender deadline, tell us at scoping. Where the timeline is realistic, Fig sequences assessor scheduling around your deadline. Where it is not, we will say so honestly rather than take the engagement and miss. To start, book a 15-minute scoping call - we will confirm your level, review your existing evidence, and give you a realistic deadline-aware timeline before any fee is incurred.

For the level-detail breakdown, see DCC Level 0 and DCC Level 1. For pricing, see the cheapest DCC support page. For the broader scheme overview, the DCC hub is the right starting point.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
