MOD CISO confirms DCC Level 0 mandatory for every UK defence supplier by end of 2026
The UK MOD Chief Information Security Officer has confirmed Defence Cyber Certification (DCC) Level 0 will be mandatory for every supplier to the Ministry of Defence by the end of 2026. The mandate moves DCC from a contract-by-contract requirement to a supply-chain gating control. This guide explains what was announced, why now, who is in scope, and what suppliers must do before the deadline.
Section 01
MOD CISO confirms DCC Level 0 mandatory for every UK defence supplier by end of 2026
The UK Ministry of Defence Chief Information Security Officer has confirmed that Defence Cyber Certification (DCC) Level 0 will be mandatory for every supplier to the MOD by the end of 2026. The mandate moves DCC from a contract-by-contract certification requirement to a supply-chain gating control. Suppliers who are not certified at DCC Level 0 or above by the end of 2026 will not be eligible to bid for, or hold, MOD contracts. This article explains what the mandate covers, why MOD is moving this way, who is in scope, and what suppliers should do now.
The mandate is the largest single change to the UK defence supplier cyber assurance regime since the Defence Cyber Protection Partnership (DCPP) Supplier Assurance Questionnaire was retired in favour of independently audited DCC. It closes the loophole that allowed suppliers without an active DCC contract clause to defer certification, and it sets a single hard deadline against which the entire MOD supplier base must align.
Fig Group is an IASME-licensed Certification Body for Cyber Essentials, DCC Level 0, and DCC Level 1. The mandate is set by MOD; the scheme is administered by IASME; assessments are delivered by IASME-licensed Certification Bodies including Fig. You can verify accreditation on the IASME directory.
Section 02
What the MOD CISO has confirmed
The mandate has three concrete components.
Component one: DCC Level 0 becomes the universal floor. Every supplier to the UK MOD - direct, subcontracted, framework, call-off - must hold a current DCC Level 0 certificate by the end of 2026. This applies regardless of contract value, sector, or whether an individual contract clause names a Cyber Risk Profile. Level 0 is the new supply-chain entry control.
Component two: higher levels remain triggered by Cyber Risk Profile. Where an MOD contract names a Low, Moderate or High Cyber Risk Profile, the supplier must hold the corresponding higher DCC level - Level 1, Level 2, or Level 3. The 2026 mandate does not change how the higher levels are assigned; it only universalises the Level 0 floor underneath them.
Component three: certificates must be issued, not in-flight. A supplier who has booked DCC scoping but has not yet received an issued certificate by the end of 2026 is not compliant. Suppliers must hold an in-date certificate at the gate, not a receipt for one.
The implications cascade. Prime contractors will be required to verify DCC certification on tier-one suppliers as a condition of bid eligibility. Tier-one suppliers will cascade the same requirement to tier-two and tier-three subcontractors. Framework operators will reject framework applicants who cannot present a current DCC certificate. The mandate works through the supply chain rather than only at the top of it.
Section 03
Why MOD is moving this way
The mandate has been signalled through several MOD strategic communications and procurement reforms over the last 18 months. The pieces fit together.
DCPP self-attestation no longer fits the threat environment. The Defence Cyber Protection Partnership SAQ was a paper exercise. Suppliers ticked boxes; nobody audited. Sophisticated adversaries treated the supply chain as the most fruitful route into MOD environments, and the SAQ provided no defensible evidence that suppliers were actually implementing the controls they claimed. DCC moves to independent third-party audit by an IASME-licensed Certification Body. The audit standard is Defence Standard (Def Stan) 05-138 issue 4. Buyers can verify the certificate; the SAQ form cannot be verified.
Supply-chain visibility requires a uniform baseline. Under DCPP the MOD had patchy visibility across its supplier estate - some suppliers held strong SAQ documentation, others held nothing. Without a uniform baseline, prime contractors could not credibly evidence the cyber posture of their tier-two and tier-three supply chain. The 2026 Level 0 mandate creates that uniform baseline. Every supplier holds at least L0; primes can demonstrate flow-down assurance to their tier-one MOD contracts.
The 2024 NCSC Cyber Assurance Framework alignment closed the standards gap. DCC controls now align with the NCSC Cyber Assurance Framework (CAF), which other regulated UK sectors already operate against. The same control vocabulary now spans defence, critical national infrastructure, and the new NIS2-aligned regimes. MOD adopting DCC universally aligns its supplier base with the wider UK cyber assurance estate rather than running a defence-only register.
The IASME partnership scaled the certification capacity. Until DCC was operationalised through IASME-licensed Certification Bodies in 2024-2025, the MOD did not have the assessment capacity to make universal certification feasible. By the end of 2026, the IASME-licensed CB population in the UK is sufficient to absorb the supplier base at L0 scale. Higher levels remain capacity-constrained, which is why MOD has chosen L0 as the universal floor rather than L1.
Procurement reform is moving the same way across UK government. PPN 014/21 already made Cyber Essentials effectively mandatory for public-sector procurement at scale. DCC Level 0 mandatory for MOD is the defence-specific extension of the same direction of travel: contract eligibility now gates on independently audited cyber posture, not on supplier self-claim.
Section 04
Who is in scope of the mandate
Every supplier to the UK MOD. There are no contract-value exemptions, no sector exemptions, and no supplier-size exemptions. The mandate applies by relationship to MOD, not by contract characteristics.
Prime contractors. Direct MOD contract holders. Primes typically certify at DCC Level 1 or above because their contracts name a Low CRP or higher. Level 0 is the floor; primes hold the floor and additional levels triggered by their specific CRPs.
Tier-1, tier-2 and tier-3 subcontractors. Subcontractors in the MOD supply chain. The 2026 mandate makes DCC Level 0 a flow-down requirement to every supplier in the chain. Tier-three suppliers with no direct MOD line of sight are still in scope when their parent contract delivers to MOD.
Framework suppliers. Suppliers on MOD frameworks (DE&S, DIO, DSTL, Defence Sourcing Portal call-offs, Crown Commercial Service routes feeding MOD spend) are in scope from the mandate deadline. Framework operators will reject framework applications from suppliers who do not present a current DCC certificate.
Professional services and technology vendors. Consulting, legal, financial, training, software, cloud, and managed services into the MOD supply chain. These suppliers often hold lower CRPs (Very Low or Low) and certify at DCC Level 0 or Level 1. The mandate removes the option of operating without certification.
Direct MOD procurements. Suppliers responding to MOD procurements directly, including small-value contracts under departmental thresholds. The 2026 mandate does not exempt small contracts.
MOD-adjacent supply chains. Suppliers into defence-aligned regulated programmes - defence-aligned NHS contracts, defence-aligned critical national infrastructure work, defence research consortia - inherit DCC obligations where the parent contract flows down Def Stan 05-138 requirements.
The only suppliers outside scope are those with no relationship to MOD procurement. Holding DCC is a feature of being an MOD supplier, not a feature of being in the defence sector. A defence-sector business that does not supply MOD is not required to certify; an out-of-sector business that does supply MOD is.
Section 05
The certification capacity squeeze
The end-of-2026 deadline applies against a finite UK certification capacity. IASME-licensed Certification Bodies number in the dozens, not the hundreds. The supplier base brought into scope by the mandate numbers in the thousands. The maths is straightforward: suppliers who book DCC scoping in 2026 H1 receive prepared, well-paced engagements. Suppliers who leave scoping until 2026 H2 face queued engagements, late assessor scheduling, and rising prices as CB capacity becomes the binding constraint.
Three patterns Fig is seeing already.
Suppliers without current Cyber Essentials are behind. Cyber Essentials is a prerequisite at every DCC level. Suppliers who do not hold CE today need to start the CE engagement before DCC scoping can begin. Fig issues CE in six working hours from £299.99 + VAT, but suppliers using other Certification Bodies for CE face longer lead times.
Suppliers with vague contract clauses are over-scoping defensively. Contract clauses that say "cyber security in line with defence standards" without naming a CRP push suppliers toward certifying at higher levels than their actual CRP requires. The correct action is to ask the contracting authority in writing for the CRP before incurring assessment cost. The DCC scoping guide covers the contract-clause patterns.
Suppliers across multiple MOD contracts are running fragmented CE engagements rather than consolidating. DCC is organisation-wide. A single certificate at the supplier's certified level covers multiple MOD procurements at or below that CRP. Suppliers running CE separately per contract are doing work the 2026 mandate makes redundant.
Section 06
What suppliers should do before end of 2026
Six concrete actions, in order.
One: confirm your Cyber Essentials status today. If you do not hold a current CE certificate, get one. Fig issues CE within six working hours of a compliant submission, from £299.99 + VAT for Micro organisations. See Cyber Essentials.
Two: read your existing MOD contracts and prime flow-downs for a CRP. Three patterns appear: the clause names the CRP explicitly, the clause names a DCC level explicitly, or the clause uses vague language without naming the level. If your clause is vague, ask the contracting authority in writing before incurring assessment cost.
Three: book DCC scoping in 2026 H1, not H2. The capacity squeeze is predictable. Suppliers who book before the rush get prepared engagements. Suppliers who book in Q3 or Q4 2026 risk being unable to certify in time.
Four: build the three-year DCC renewal cycle into your calendar. DCC certificates are valid for three years with annual attestation at the end of years one and two. The end-of-2026 deadline is the first deadline, not the only one. Build the annual cadence into the same calendar that holds your CE renewal.
Five: decide whether L0 is enough. Once L0 is universal across the MOD supplier base, L0 stops being a tender differentiator. L1 becomes the meaningful signal of supplier maturity for buyers comparing bids. If your 24-month pipeline includes a Low-CRP contract, certify at L1 once rather than L0 now and L1 later. See DCC Level 0 vs Level 1: which do you need? for the strategic decision.
Six: read the standard. The substantive requirements are in Defence Standard (Def Stan) 05-138 issue 4. The DEFSTAN 05-138 supplier guide covers what the standard requires, what evidence the assessor wants, and how the four control sets map onto the four DCC levels.
Section 07
DCC pricing under the mandate
Fig publishes DCC pricing openly so suppliers can budget before scoping. Pricing structure does not change with the mandate; what changes is the size of the population in scope.
DCC Level 0 is flat-priced by organisation size, delivered in 2-3 weeks for prepared organisations:
- Micro (1-9 employees): £999.99 + VAT
- Small (10-49 employees): £1,499.99 + VAT
- Medium (50-249 employees): £2,499.99 + VAT
- Large (250+ employees): £4,999.99 + VAT
Cyber Essentials is bundled into the L0 fee where the supplier does not already hold a current certificate. Suppliers holding CE from another IASME-licensed Certification Body keep that work - Fig does not require re-certification of CE.
DCC Level 1 is range-priced from £9,999 + VAT (Micro, simple scope) to £49,999 + VAT (Large, complex scope), delivered in 6-10 weeks for prepared organisations. Variance drivers: site count, cloud footprint, legacy system presence, supply-chain depth, staff population, existing maturity.
For the full pricing detail and variance breakdown, see the DCC pricing detail on the hub.
Section 08
Frequently asked questions
Is DCC Level 0 actually mandatory for all MOD suppliers by end of 2026?
Yes. The MOD CISO has confirmed DCC Level 0 will be mandatory for every supplier to the UK MOD by the end of 2026. Higher DCC levels remain triggered by individual contract Cyber Risk Profiles.
What happens if I do not hold DCC Level 0 by end of 2026?
Suppliers without DCC Level 0 by the deadline are not eligible to bid for, or hold, MOD contracts. Prime contractors are required to verify DCC certification on subcontractors as a condition of bid eligibility.
Does the mandate apply to subcontractors as well as prime contractors?
Yes. The mandate applies to every supplier in the MOD supply chain - direct, subcontracted at any tier, framework, and call-off. There are no exemptions by tier, size, or contract value.
Can I be certified at a higher level instead of Level 0?
Yes. A DCC certificate at any level (L1, L2, L3) satisfies the L0 mandate. Suppliers with a Low, Moderate or High CRP on any of their MOD contracts must hold the corresponding higher level anyway.
How long does DCC Level 0 take?
Fig's published Level 0 delivery is 2-3 weeks for prepared organisations. The variance lives in the Cyber Essentials prerequisite - suppliers without current CE need to add the CE engagement time.
What does DCC Level 0 cost?
Fig publishes Level 0 from £999.99 + VAT (Micro, 1-9 employees) to £4,999.99 + VAT (Large, 250+ employees). Cyber Essentials is bundled where the supplier does not already hold a current certificate. See the DCC pricing detail.
What is the difference between DCC and Cyber Essentials?
Cyber Essentials is the UK foundational cyber certification, required as a prerequisite at every DCC level. DCC is the MOD-specific organisation-wide certification built on top of CE, governed by Def Stan 05-138 issue 4. CE proves endpoint and network baseline; DCC adds organisation-level governance, supply-chain, and resilience controls.
What if my contract does not name a Cyber Risk Profile?
Read the contract clause carefully. If the CRP is genuinely not named and the clause refers to "defence standards" or "industry cyber security", ask the contracting authority in writing before incurring assessment cost. The 2026 mandate establishes Level 0 as the universal floor regardless; higher levels apply only when a CRP is assigned.
Section 09
Where to start
The three practical entry points for suppliers facing the 2026 mandate are the same regardless of where the trigger came from.
1. Read the DCC scoping guide for the scope boundaries and the IASME-published scoping principles.
2. Read the Cyber Risk Profile reference for the contract-clause language that determines your level.
3. Book a 15-minute scoping call with an IASME-licensed assessor. We will confirm your CRP, review your existing Cyber Essentials evidence, and give you a realistic deadline-aware timeline before any fee is incurred.
The earlier in 2026 you start, the more options you have. The closer to end of 2026 you leave it, the fewer.
About the author

Jay Hopkins
Managing Director, Fig Group
Jay Hopkins is the Managing Director of Fig Group and an IASME-licensed Cyber Essentials assessor. He was previously Head of Technology for a global regulated firm. He works with UK organisations across regulated sectors on baseline compliance, supply-chain assurance, and AI-augmented security tooling.