How to Get Defence Cyber Certification (DCC): Step-by-Step Guide for UK MOD Suppliers

DCC replaces the per-contract DCPP self-assessment with org-wide certification covering UK MOD procurements. This guide walks the seven steps from contract clause to issued certificate - what the Cyber Risk Profile means, how to scope, what evidence to prepare, what an IASME-licensed assessor can and cannot help with, and the realistic timelines (Level 0 in 2-3 weeks, Level 1 in 6-10 weeks for prepared organisations).

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Read time

12 min read

DCC replaces the per-contract DCPP self-assessment with a single, organisation-wide certification that covers multiple UK MOD procurements. This guide walks the seven steps from contract clause to issued certificate. Cyber Risk Profile (CRP) determines the level you need (L0, L1, L2 or L3). Cyber Essentials is a prerequisite at every level, and Cyber Essentials Plus is required at L2 and L3. Realistic timelines: DCC Level 0 in 2-3 weeks, Level 1 in 6-10 weeks, for organisations that arrive prepared.

If you are a UK supplier reading this because a contract clause has just landed on your desk specifying a Cyber Risk Profile, or because a defence prime has flagged DCC as a flow-down requirement, you need a clear picture of the path between where you stand and an issued certificate. This guide describes the seven steps end-to-end, including what an IASME-licensed Certification Body can and cannot help you with along the way.

Disclosure: Fig Group is an IASME-licensed Certification Body for Cyber Essentials and for Defence Cyber Certification at Level 0 and Level 1. The scheme structure described here is set by IASME and the UK Ministry of Defence; the delivery details reflect how Fig runs the engagement. The same seven steps apply to any IASME-licensed Certification Body you choose - you can verify accreditation on the IASME directory.

What DCC is, in one paragraph

Defence Cyber Certification is the UK MOD's organisation-wide cyber assurance scheme for defence suppliers. It is built on Defence Standard (Def Stan) 05-138 issue 4 and aligns with the NCSC Cyber Assurance Framework (CAF). It replaces the contract-by-contract Supplier Assurance Questionnaire under DCPP with a single certificate that covers multiple MOD procurements at the level of risk specified by the contract. Certificates are valid for three years, with annual attestation at the end of years one and two. Assessments are delivered by IASME-licensed Certification Bodies; IASME is the MOD's official partner for the scheme.

Step 1 - Confirm your contract's Cyber Risk Profile

The Cyber Risk Profile (CRP) is assigned by the MOD awarding body for each contract. Suppliers do not choose their CRP. The CRP value - Very Low, Low, Moderate, or High - maps directly to the required DCC level:

Very Low CRP → DCC Level 0

Three controls, documentation review only, no on-site visit. The lightest tier. Applies to contracts with the lowest assessed risk to the supplier delivering the output.

Low CRP → DCC Level 1

101 controls covering governance, identity, device, secure configuration, and supply-chain. Documentation review with clarification rounds. Cyber Essentials prerequisite, no Cyber Essentials Plus required.

Moderate CRP → DCC Level 2

139 controls. Cyber Essentials Plus prerequisite. Hands-on technical verification, multi-tier supply-chain assessment. Fig refers L2 engagements to IASME-licensed Certification Bodies that hold Level 2 scope.

High CRP → DCC Level 3

Currently delivered as a pilot scheme via a Level 2 + Level 3 hybrid (145 controls). Cyber Essentials Plus prerequisite. Fig refers L3 engagements.

If your contract clause does not name a CRP explicitly, ask the contracting authority in writing before incurring assessment cost. Choosing the wrong level is materially more expensive than confirming it - a failed Level 0 followed by a Level 1 re-engagement costs more than starting at Level 1 in the first place.

Step 2 - Hold a current Cyber Essentials certificate

Cyber Essentials is a prerequisite for every DCC level. Levels 2 and 3 require Cyber Essentials Plus. The certificate must be current - within its 12-month validity window - and can come from any IASME-licensed Certification Body.

If you already hold CE from another body, your DCC engagement starts from there. Fig does not require you to re-certify CE with us if you already hold a current certificate. If you do not hold CE, Fig issues it within six working hours of a compliant submission and bundles it into the DCC fee, so the engagement is a single invoice rather than two. CE pricing is published from £299.99 + VAT for Micro organisations (1-9 employees).

For suppliers transitioning from the prior DCPP regime, the Cyber Essentials evidence you already hold typically maps directly into Level 0 - you keep that work. Talk to the assessor at scoping; they will review what reuses cleanly and what needs updating against Def Stan 05-138 issue 4.

Step 3 - Book a scoping call with an IASME-licensed Certification Body

Choose a Certification Body that holds the IASME licence at your required level. Some bodies are licensed for L0 / L1 only, others for L2 / L3 - verify accreditation status on the IASME directory before you commit. The scoping call confirms scope, level, timeline, and price band, and it is normally free of charge before any engagement fee.

What an assessing Certification Body may do during the engagement, per the IASME Applicant Guide:

  • Help you prepare for and attain Cyber Essentials and Cyber Essentials Plus where these are prerequisites
  • Explain the DCC scheme and its levels
  • Explain the controls and how to meet them
  • Clarify the questions and the components needed for a complete answer
  • Describe the evidence needed to demonstrate that a control has been met
  • Verify scope
  • Supply blank template documents

What the assessing Certification Body may not do, by scheme rule:

  • Implement any policy
  • Implement any change
  • Answer any question on behalf of the applicant
  • Complete any documentation or prepare any answers or evidence that they will later assess

This is a quality control rule built into the scheme: the same person cannot both write your evidence and assess it. If you need additional support beyond the advisory role of the Certification Body, you have the option to engage a separate technology provider.

Step 4 - Determine and document scope

Per the IASME Scoping Guide, "Failure to adequately and accurately define the scope (e.g. under scoping) will result in a failure to achieve certification, even if all required controls have been met." Scoping is the most critical first step.

Def Stan 05-138 issue 4 is intentionally broad. The standard's scope is the supplier's overarching corporate or enterprise environment - all systems, processes, procedures, and data necessary for the effective protection of the data and functions in scope of the MOD contract. This goes beyond protecting just the information provided to the supplier in support of the contracted output. The scope is not just about the data held: if the processes and systems are essential for the organisation to operate as a business in support of the contract, they are within scope.

To document scope, your assessor will expect:

  • A list of systems, services, and functions that are in scope and out of scope for DCC
  • A list of systems, services, and functions that are in scope and out of scope for Cyber Essentials and Cyber Essentials Plus
  • Diagrams showing how the different scopes overlap
  • A list of sites and their functions (workshop, head office, etc.)

The assessor reviews and may challenge your scoping statement. Both under-scoping (excluding too much) and over-scoping (including too much) cause problems. The cleanest scope is the smallest set of assets that genuinely supports the contract output, fully documented.

Step 5 - Collect evidence

For Level 0, evidence is focused on three controls covering governance, identity, device, and supply-chain context. For Level 1, the evidence pack covers all 101 controls in the same domains, in greater depth.

A Level 0 evidence pack typically includes information security policy or policy framework, roles and responsibilities for cyber security, an incident response procedure, joiner / mover / leaver process documentation, authentication and privileged access evidence, patch management cadence and malware protection evidence, an asset inventory, and a supplier list with standard supplier security clauses.

A Level 1 evidence pack adds depth to each of those domains, plus secure-configuration baselines, supply-chain Supplier Capability Assessments (SCAs), and evidence of identity and access control under load. Fig's compliance automation platform pre-checks evidence against the L0 / L1 control requirements before formal assessment, so gaps surface in days rather than after a failed audit.

Realistic effort: Level 0 evidence work is typically one to two weeks of focused activity for a prepared organisation; Level 1 evidence work is typically two to three weeks plus two to three remediation cycles.

Step 6 - Formal assessment and remediation

The IASME-licensed assessor reviews your evidence pack against the controls for your level. At Level 0, this is a documentation review with no on-site visit. At Level 1, it is documentation plus clarification rounds, with some scopes triggering evidence-verification calls. Findings are returned with structured remediation guidance.

Remediation rounds at Level 1 are typically two to three. A clean evidence pack with minor findings runs through them in two weeks. A pack with widespread gaps - for example, unpatched critical vulnerabilities in scope, unsupported operating systems, or missing supplier flow-down clauses - can stretch remediation to six or eight weeks before the formal assessment can complete.

If pervasive gaps emerge (more than around 20% of controls non-compliant), the honest path is to pause the formal assessment, run a focused remediation programme, and re-enter assessment. Pushing through with widespread gaps risks a failed audit and a re-engagement.

Step 7 - Receive your certificate and plan attestation

When the assessor recommends certification and IASME issues the certificate, it is valid for three years. Annual attestation at the end of year one and the end of year two confirms the controls in scope at the original assessment remain in place. Year three is full re-assessment.

What the certificate evidences: a single, organisation-level assurance that you can present in support of UK Defence Procurements, replacing per-contract assessments at the level you certified. If your supplier pipeline has mixed CRPs (for example, two Very Low CRP contracts and one Low CRP contract over a 24-month window), certifying once at Level 1 covers all three rather than running two Level 0 engagements plus one Level 1.

Common mistakes that delay or fail certification

Five errors account for most DCC delays and failures we see at scoping conversations:

  • Wrong level chosen. Running Level 0 when the contract requires Level 1, or vice versa.
  • Scoping too narrow or too broad. Either misjudgement causes the assessment to stall.
  • Stale Cyber Essentials evidence. A CE certificate that lapses mid-engagement forces a re-issue.
  • Underestimating supply-chain evidence depth. L1 requires SCAs against direct suppliers - send these in week one of the engagement, not week five.
  • Legacy systems in scope without a remediation plan. Unsupported operating systems are a high-severity finding; decommission, move out of scope, or document compensating controls before formal assessment opens.

For a deeper treatment, see DCC scoping mistakes that fail certification.

Realistic total cost of getting DCC for the first time

Pricing varies across IASME-licensed Certification Bodies. Fig's published DCC pricing:

  • Level 0: £999.99 to £4,999.99 + VAT, flat-priced by organisation size, plus Cyber Essentials bundled if not held (no separate CE invoice)
  • Level 1: £9,999.99 to £49,999 + VAT, scoped according to the variance drivers named on the DCC hub (sites, cloud footprint, legacy systems, supply chain, staff population, existing maturity)

Hidden costs to budget for separately: internal time (one or two FTEs across six to ten weeks at L1), legacy decommissioning where applicable, and supplier SCA response wait time (suppliers respond on their own schedules; allow buffer).

For pricing context, see the cheapest DCC support page - which includes a Fig estimate of typical UK market ranges based on review of public IASME-directory listings - and the fastest DCC support page for the timeline detail.

Conclusion

DCC is a seven-step process: confirm CRP, hold or buy Cyber Essentials, scope with an IASME-licensed Certification Body, document scope, collect evidence, complete formal assessment with remediation, receive the certificate and plan annual attestation. Level 0 is typically two to three weeks for a prepared organisation; Level 1 is typically six to ten weeks. The cost of getting the level wrong materially exceeds the cost of confirming it - book a scoping call before you commit.

If you are ready to talk to an IASME-licensed assessor, contact Fig for a fifteen-minute scoping call. We will confirm your level, walk through what evidence you already hold, and give you a realistic timeline before any fee is incurred. To verify Fig's accreditation, see our IASME licence evidence page or check the IASME directory.

About the author

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials Assessor; IASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.
