Skip to contentAbout Fig Group
Compliance

Do I Need DCC for MOD Contracts? MOD Asks Suppliers for DCC Level 0 by End of 2026

The MOD's Director of Cyber Defence and Risk, Eleanor Fairford, has asked all industry partners to achieve Defence Cyber Certification (DCC) Level 0 by 31 December 2026, including Cyber Essentials for business-critical systems. This guide explains what the MOD has actually said, who it affects, how DCC levels map to your contract, and what suppliers should do now - with the primary gov.uk sources.

Author

Jay Hopkins

Editor

Edited by Jack Wickham

Published

Last reviewed

Read time

9 min read

Share

Section 01

Do I Need DCC for MOD Contracts? The MOD Has Asked Suppliers to Achieve DCC Level 0 by End of 2026

In a MOD Defence Digital blog published on 8 May 2026, Eleanor Fairford, the Ministry of Defence's Director of Cyber Defence and Risk, stated: "I have also recently asked all industry partners to achieve Level 0 DCC certification by 31st December 2026, which includes a requirement for obtaining Cyber Essentials for all applicable business-critical systems." Separately, Industry Security Notice (ISN) 2026/02 confirms that DCC is now the MOD-recognised way to evidence the controls required by DEFSTAN 05-138 under DEFCON 658, with the DCC level you need mapped to your contract's Cyber Risk Profile. Taken together, the direction of travel is clear: DCC Level 0 is becoming the baseline expectation across the MOD supplier base, with higher levels pulled by individual contract profiles on top. This guide explains what has actually been said, who it affects, and what to do now.

This is the most significant shift in UK defence supplier cyber assurance since the Defence Cyber Protection Partnership (DCPP) Supplier Assurance Questionnaire began giving way to independently audited DCC. The two primary sources are the MOD Defence Digital blog One year of Defence Cyber Certification (8 May 2026) and Industry Security Notice 2026/02 (30 March 2026). Everything in this guide is tied back to one of them, and where we give our own view of what happens next we say so explicitly.

Fig Group is an IASME-licensed Certification Body for Cyber Essentials, DCC Level 0, and DCC Level 1. The mandate is set by MOD; the scheme is administered by IASME; assessments are delivered by IASME-licensed Certification Bodies including Fig. You can verify accreditation on the IASME directory.

Section 02

What the MOD has actually said

There are two distinct, officially published pieces to understand, and it is worth being precise because they say different things.

One: the MOD has asked all industry partners to achieve DCC Level 0 by 31 December 2026. This is a direct statement from Eleanor Fairford, Director of Cyber Defence and Risk, in the MOD's 8 May 2026 Defence Digital blog. Note the exact wording: the MOD has "asked" suppliers to achieve Level 0 - a clear directive with a firm date - and it explicitly includes obtaining Cyber Essentials for all applicable business-critical systems. It is framed as a request to the whole supplier base rather than, at this stage, a blanket contractual bar.

Two: DCC is the recognised way to evidence DEFSTAN 05-138 compliance, with the level tied to your Cyber Risk Profile. ISN 2026/02 (30 March 2026) confirms that a supplier holding valid DCC certification "at a level equal to, or greater than" the level required by their contract may submit it as evidence of satisfying DEFSTAN 05-138 under DEFCON 658. The required level is set by the contract's Cyber Risk Profile (CRP): a Level 0 requirement is met by DCC Level 0; a higher CRP needs the correspondingly higher level, up to Level 3. A higher-level certificate always satisfies the lower requirements beneath it.

Fig's read on where this goes. Combining the two: DCC Level 0 is becoming the effective baseline for the MOD supplier base, with higher levels pulled by individual contract CRPs on top. Our assessment is that, over time, DCC will function as a gating control - prime contractors verifying it down their supply chains, and suppliers without it increasingly unable to bid for or hold MOD work. That consequence is our view of the direction of travel, not a stated MOD position today. The firmly sourced facts are the 31 December 2026 Level 0 ask and the CRP-to-level mapping above.

Section 03

Why MOD is moving this way

The mandate has been signalled through several MOD strategic communications and procurement reforms over the last 18 months. The pieces fit together.

DCPP self-attestation no longer fits the threat environment. The Defence Cyber Protection Partnership SAQ was a paper exercise. Suppliers ticked boxes; nobody audited. Sophisticated adversaries treated the supply chain as the most fruitful route into MOD environments, and the SAQ provided no defensible evidence that suppliers were actually implementing the controls they claimed. DCC moves to independent third-party audit by an IASME-licensed Certification Body. The audit standard is Defence Standard (Def Stan) 05-138 issue 4. Buyers can verify the certificate; the SAQ form cannot be verified.

Supply-chain visibility requires a uniform baseline. Under DCPP the MOD had patchy visibility across its supplier estate - some suppliers held strong SAQ documentation, others held nothing. Without a uniform baseline, prime contractors could not credibly evidence the cyber posture of their tier-two and tier-three supply chain. The 2026 Level 0 mandate creates that uniform baseline. Every supplier holds at least L0; primes can demonstrate flow-down assurance to their tier-one MOD contracts.

The 2024 NCSC Cyber Assurance Framework alignment closed the standards gap. DCC controls now align with the NCSC Cyber Assurance Framework (CAF), which other regulated UK sectors already operate against. The same control vocabulary now spans defence, critical national infrastructure, and the new NIS2-aligned regimes. MOD adopting DCC universally aligns its supplier base with the wider UK cyber assurance estate rather than running a defence-only register.

The IASME partnership scaled the certification capacity. Until DCC was operationalised through IASME-licensed Certification Bodies in 2024-2025, the MOD did not have the assessment capacity to make universal certification feasible. By end of 2026, the IASME-licensed CB population in the UK is sufficient to absorb the supplier base at L0 scale. Higher levels remain capacity-constrained, which is why MOD has chosen L0 as the universal floor rather than L1.

Procurement reform is moving the same way across UK government. PPN 014/21 already made Cyber Essentials effectively mandatory for public-sector procurement at scale. The MOD's ask that all suppliers achieve DCC Level 0 by 31 December 2026 is the defence-specific extension of the same direction of travel: assurance increasingly gates on independently audited cyber posture, not on supplier self-claim.

Section 04

Who is in scope of the mandate

Every supplier to the UK MOD. There are no contract-value exemptions, no sector exemptions, and no supplier-size exemptions. The mandate applies by relationship to MOD, not by contract characteristics.

Prime contractors. Direct MOD contract holders. Primes typically certify at DCC Level 1 or above because their contracts name a Low CRP or higher. Level 0 is the floor; primes hold the floor and additional levels triggered by their specific CRPs.

Tier-1, tier-2 and tier-3 subcontractors. Subcontractors in the MOD supply chain. The 2026 mandate makes DCC Level 0 a flow-down requirement to every supplier in the chain. Tier-three suppliers with no direct MOD line of sight are still in scope when their parent contract delivers to MOD.

Framework suppliers. Suppliers on MOD frameworks (DE&S, DIO, DSTL, Defence Sourcing Portal call-offs, Crown Commercial Service routes feeding MOD spend) are in scope from the mandate deadline. Framework operators will reject framework applications from suppliers who do not present a current DCC certificate.

Professional services and technology vendors. Consulting, legal, financial, training, software, cloud, and managed services into the MOD supply chain. These suppliers often hold lower CRPs (Very Low or Low) and certify at DCC Level 0 or Level 1. The mandate removes the option of operating without certification.

Direct MOD procurements. Suppliers responding to MOD procurements directly, including small-value contracts under departmental thresholds. The 2026 mandate does not exempt small contracts.

MOD-adjacent supply chains. Suppliers into defence-aligned regulated programmes - defence-aligned NHS contracts, defence-aligned critical national infrastructure work, defence research consortia - inherit DCC obligations where the parent contract flows down Def Stan 05-138 requirements.

The only suppliers outside scope are those with no relationship to MOD procurement. Holding DCC is a feature of being an MOD supplier, not a feature of being in the defence sector. A defence-sector business that does not supply MOD is not required to certify; an out-of-sector business that does supply MOD is.

Section 05

The certification capacity squeeze

The end-of-2026 deadline applies against a finite UK certification capacity. IASME-licensed Certification Bodies number in the dozens, not the hundreds. The supplier base brought into scope by the mandate numbers in the thousands. The maths is straightforward: suppliers who book DCC scoping in 2026 H1 receive prepared, well-paced engagements. Suppliers who leave scoping until 2026 H2 face queued engagements, late assessor scheduling, and rising prices as CB capacity becomes the binding constraint.

Three patterns Fig is seeing already.

Suppliers without current Cyber Essentials are behind. Cyber Essentials is a prerequisite at every DCC level. Suppliers who do not hold CE today need to start the CE engagement before DCC scoping can begin. Fig issues CE in six working hours from £299.99 + VAT, but suppliers using other Certification Bodies for CE face longer lead times.

Suppliers with vague contract clauses are over-scoping defensively. Contract clauses that say "cyber security in line with defence standards" without naming a CRP push suppliers toward certifying at higher levels than their actual CRP requires. The correct action is to ask the contracting authority in writing for the CRP before incurring assessment cost. The DCC scoping guide covers the contract-clause patterns.

Suppliers across multiple MOD contracts are running fragmented CE engagements rather than consolidating. DCC is organisation-wide. A single certificate at the supplier's certified level covers multiple MOD procurements at or below that CRP. Suppliers running CE separately per contract are doing work the 2026 mandate makes redundant.

Section 06

What suppliers should do before end of 2026

Six concrete actions, in order.

One: confirm your Cyber Essentials status today. If you do not hold a current CE certificate, get one. Fig issues CE in six working hours of a compliant submission from £299.99 + VAT for Micro organisations. See Cyber Essentials.

Two: read your existing MOD contracts and prime flow-downs for a CRP. Three patterns appear: the clause names the CRP explicitly, the clause names a DCC level explicitly, or the clause uses vague language without naming the level. If your clause is vague, ask the contracting authority in writing before incurring assessment cost.

Three: book DCC scoping in 2026 H1, not H2. The capacity squeeze is predictable. Suppliers who book before the rush get prepared engagements. Suppliers who book in Q3 or Q4 2026 risk being unable to certify in time.

Four: build the three-year DCC renewal cycle into your calendar. DCC certificates are valid for three years with annual attestation at the end of years one and two. The end-of-2026 deadline is the first deadline, not the only one. Build the annual cadence into the same calendar that holds your CE renewal.

Five: decide whether L0 is enough. Once L0 is universal across the MOD supplier base, L0 stops being a tender differentiator. L1 becomes the meaningful signal of supplier maturity for buyers comparing bids. If your 24-month pipeline includes a Low-CRP contract, certify at L1 once rather than L0 now and L1 later. See DCC Level 0 vs Level 1: which do you need? for the strategic decision.

Six: read the standard. The substantive requirements are in Defence Standard (Def Stan) 05-138 issue 4. The DEFSTAN 05-138 supplier guide covers what the standard requires, what evidence the assessor wants, and how the four control sets map onto the four DCC levels.

Section 07

DCC pricing under the mandate

Fig publishes DCC pricing openly so suppliers can budget before scoping. Pricing structure does not change with the mandate; what changes is the size of the population in scope.

DCC Level 0 is flat-priced by organisation size, delivered in 2-3 weeks for prepared organisations:

  • Micro (1-9 employees): £999.99 + VAT
  • Small (10-49 employees): £1,499.99 + VAT
  • Medium (50-249 employees): £2,499.99 + VAT
  • Large (250+ employees): £4,999.99 + VAT

Cyber Essentials is bundled into the L0 fee where the supplier does not already hold a current certificate. Suppliers holding CE from another IASME-licensed Certification Body keep that work - Fig does not require re-certification of CE.

DCC Level 1 is range-priced from £9,999 + VAT (Micro, simple scope) to £49,999 + VAT (Large, complex scope), delivered in 6-10 weeks for prepared organisations. Variance drivers: site count, cloud footprint, legacy system presence, supply-chain depth, staff population, existing maturity.

For the full pricing detail and variance breakdown, see the DCC pricing detail on the hub.

Section 08

Frequently asked questions

Do I need DCC for MOD contracts?

If your MOD contract requires compliance with DEFSTAN 05-138 (under DEFCON 658), DCC is now the MOD-recognised route to evidence it, at the level matching your contract's Cyber Risk Profile (ISN 2026/02). Separately, the MOD has asked all industry partners to achieve DCC Level 0 by 31 December 2026. So for most MOD suppliers the practical answer is yes - Level 0 as a minimum, and a higher level if your contract's CRP calls for it.

Will DCC be mandatory?

The MOD's Director of Cyber Defence and Risk has asked all industry partners to achieve DCC Level 0 by 31 December 2026 - a firm date and a clear directive, though phrased as a request rather than, at this stage, a universal contractual bar. Where a contract requires DEFSTAN 05-138 compliance, DCC at the CRP-appropriate level is already the accepted way to evidence it. Fig's assessment is that DCC will increasingly function as a gating control for MOD work.

Is DCC Level 0 mandatory for all MOD suppliers by end of 2026?

The MOD has asked all industry partners to achieve DCC Level 0 by 31 December 2026 (MOD Defence Digital blog, 8 May 2026). It is a clear, dated directive to the whole supplier base; higher DCC levels are triggered by individual contract Cyber Risk Profiles. Treat Level 0 as the baseline to plan for.

What happens if I do not hold DCC Level 0 by end of 2026?

There is no published MOD statement that non-compliant suppliers will be barred. Fig's assessment, from the direction of travel, is that DCC Level 0 will increasingly become a condition of bidding for and holding MOD contracts, with prime contractors verifying certification down their supply chains. Planning to hold Level 0 by the 31 December 2026 date the MOD has set is the safe course.

Does the mandate apply to subcontractors as well as prime contractors?

Yes. The mandate applies to every supplier in the MOD supply chain - direct, subcontracted at any tier, framework, and call-off. There are no exemptions by tier, size, or contract value.

Can I be certified at a higher level instead of Level 0?

Yes. A DCC certificate at any level (L1, L2, L3) satisfies the L0 mandate. Suppliers with a Low, Moderate or High CRP on any of their MOD contracts must hold the corresponding higher level anyway.

How long does DCC Level 0 take?

Fig's published Level 0 delivery is 2-3 weeks for prepared organisations. The variance lives in the Cyber Essentials prerequisite - suppliers without current CE need to add the CE engagement time.

What does DCC Level 0 cost?

Fig publishes Level 0 from £999.99 + VAT (Micro, 1-9 employees) to £4,999.99 + VAT (Large, 250+ employees). Cyber Essentials is bundled where the supplier does not already hold a current certificate. See the DCC pricing detail.

What is the difference between DCC and Cyber Essentials?

Cyber Essentials is the UK foundational cyber certification, required as a prerequisite at every DCC level. DCC is the MOD-specific organisation-wide certification built on top of CE, governed by Def Stan 05-138 issue 4. CE proves endpoint and network baseline; DCC adds organisation-level governance, supply-chain, and resilience controls.

What if my contract does not name a Cyber Risk Profile?

Read the contract clause carefully. If the CRP is genuinely not named and the clause refers to "defence standards" or "industry cyber security", ask the contracting authority in writing before incurring assessment cost. Regardless of an individual clause, the MOD has asked all suppliers to achieve DCC Level 0 by 31 December 2026; higher levels apply when a CRP is assigned.

Section 09

Where to start

The three practical entry points for suppliers facing the 2026 mandate are the same regardless of where the trigger came from.

1. Read the DCC scoping guide for the scope boundaries and the IASME-published scoping principles.

2. Read the Cyber Risk Profile reference for the contract-clause language that determines your level.

3. Book a 15-minute scoping call with an IASME-licensed assessor. We will confirm your CRP, review your existing Cyber Essentials evidence, and give you a realistic deadline-aware timeline before any fee is incurred.

The earlier in 2026 you start, the more options you have. The closer to end of 2026 you leave it, the fewer.

About the author

Jay Hopkins

Jay Hopkins

Managing Director, Fig Group

IASME-licensed Cyber Essentials AssessorIASME Cyber Assurance Assessor

Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.

Next step

Want to see how Fig handles this?

Explore how Fig automates compliance mapping, evidence collection, and framework alignment across 65+ standards.

Request a demo

Related solutions

Continue exploring Fig

More from Compliance

Continue reading

Compliance

DEFSTAN 05-138 - What does it mean for suppliers?

DEFSTAN 05-138 issue 4 is the UK MOD's published cyber security standard for the defence supply chain - the document that DCC Level 0 to Level 3 assesses against. The MOD has asked all suppliers to achieve DCC Level 0 by 31 December 2026, and DCC is the recognised route to evidence this standard under DEFCON 658. This guide explains the standard, the supplier obligations, who is in scope, and what certification costs.

·13 min read
Compliance

DCC vs Cyber Essentials: What UK MOD Suppliers Must Know

A common defence-supplier misconception: "I have got Cyber Essentials, do I still need DCC?" The answer is yes, where the contract requires DCC. Cyber Essentials and Defence Cyber Certification are complementary, not substitutes. CE is the endpoint baseline; DCC is the org-level resilience the MOD requires. CE is a prerequisite at every DCC level. This guide explains the relationship, the practical pathways, and what suppliers should actually do depending on their situation.

·9 min read
Compliance

How to Get Defence Cyber Certification (DCC): Step-by-Step Guide for UK MOD Suppliers

DCC replaces the per-contract DCPP self-assessment with org-wide certification covering UK MOD procurements. This guide walks the seven steps from contract clause to issued certificate - what the Cyber Risk Profile means, how to scope, what evidence to prepare, what an IASME-licensed assessor can and cannot help with, and the realistic timelines (Level 0 in 2-3 weeks, Level 1 in 6-10 weeks for prepared organisations).

·12 min read