Defence Cyber Certification, consultant-led and platform-supported.

Fig Group is an IASME-licensed Certification Body accredited to assess UK defence suppliers against the DCC scheme at Level 0 and Level 1. Every engagement includes a dedicated consultant and Fig’s technology platform that surfaces cyber-defence gaps before they become audit findings.

  • IASME-accredited scope: L0 + L1
  • L0 starting price: £999.99 + VAT
  • Certificate validity: 3 years

Transparent DCC Pricing

Two pricing models, both published openly - one per certification level.

Why Level 0 is flat-priced

One scope, one fee

Level 0 is a documentation-led review against a constrained requirement set. The work fits inside fixed boundaries, so the fee can too.

Why Level 1 is a range

Engagement size varies materially

L1 scope complexity drives the work. We name the drivers openly:

  • Site count
  • Cloud footprint
  • Legacy systems
  • Supply chain depth
  • Existing maturity

Every L1 engagement includes a dedicated consultant and Fig’s platform for automated gap identification - bundled into the base fee, never sold as add-ons.

DCC Level 0

Basic · Very Low CRP

Micro

1–9 employees

£999.99 + VAT

One-off · 3-year validity

  • Cyber Essentials prerequisite included
  • L0 assessment against MOD CSM v4
  • 3-year certificate validity
  • Annual attestation support

Medium

50–249 employees

£2,499.99 + VAT

One-off · 3-year validity

  • Cyber Essentials prerequisite included
  • L0 assessment against MOD CSM v4
  • 3-year certificate validity
  • Annual attestation support

Large

250+ employees

£4,999.99 + VAT

One-off · 3-year validity

  • Cyber Essentials prerequisite included
  • L0 assessment against MOD CSM v4
  • 3-year certificate validity
  • Annual attestation support

DCC Level 1

Enhanced · Low CRP

Micro

1–9 employees

£9,999.99 – £14,999.99 + VAT

Scoped quote · 3-year validity

  • Dedicated consultant + Fig platform
  • L1 assessment against DEFSTAN 05-138
  • Three remediation rounds included
  • 3-year validity with annual attestation

Medium

50–249 employees

£20,000 – £24,999 + VAT

Scoped quote · 3-year validity

  • Dedicated consultant + Fig platform
  • L1 assessment against DEFSTAN 05-138
  • Three remediation rounds included
  • 3-year validity with annual attestation

Large

250+ employees

£25,000 – £49,999 + VAT

Scoped quote · 3-year validity

  • Dedicated consultant + Fig platform
  • L1 assessment against DEFSTAN 05-138
  • Three remediation rounds included
  • 3-year validity with annual attestation

Need an enterprise scope, multi-entity engagement, or a DCC L2/L3 referral?

Talk to the team

What is Defence Cyber Certification?

The UK MOD's independent cybersecurity certification for its supply chain.

Defence Cyber Certification, defined

The UK MOD’s framework for independently certifying the cybersecurity posture of its supply chain.

DCC replaces the old DCPP self-attestation model. The shift from supplier-claimed compliance to independent third-party verification is the headline change - see what that means in practice below.

Before - DCPP

Self-attested by the supplier

Suppliers claimed compliance by completing the Supplier Assurance Questionnaire (SAQ). Buyers had to take the form on trust - no independent verification.

Now - DCC

Independently audited

Suppliers must be assessed by an IASME-licensed Certification Body and pass a formal audit. Buyers can verify the certificate, not just trust the form.

Key facts

  • Administered by: IASME (also administers Cyber Essentials on behalf of the NCSC).
  • Delivered by: IASME-licensed Certification Bodies, including Fig Group.
  • Replaces: The DCPP Supplier Assurance Questionnaire (self-attested).
  • Underlying specifications: DEFSTAN 05-138 and the MOD Cyber Security Model (CSM v4), updated December 2025.
  • Levels: Four - L0 (Basic), L1 (Enhanced), L2 (Advanced), L3 (Expert).
  • Level selection: Dictated by the contract's Cyber Risk Profile (CRP), not a supplier choice.
  • Certificate validity: Three years, with annual attestation.
  • Fig Group accreditation: Level 0 and Level 1. Verify the IASME licence from the Fig trust evidence page before procurement approval.

Procurement teams can verify Fig Group's IASME status before approval on the IASME licence evidence page.

Bidding tip - mixed CRP pipelines

Certify at the highest level your pipeline requires.

A higher-tier DCC certificate covers tenders at lower tiers - the reverse is not true. If you bid on contracts spanning multiple Cyber Risk Profiles, target the top of your range and let it cascade down.

The four DCC levels

Mapped to the MOD's four Cyber Risk Profile tiers.

Level 0

Basic

Very Low CRP

Foundational tier. Documentation-led review of governance, identity, device, and supply-chain controls against the MOD Cyber Security Model v4. Cyber Essentials is a prerequisite.

Fig offers this level

Level 1

Enhanced

Low CRP

Formal engagement. Scoping, evidence preparation, remediation support, and third-party assessment. Cyber Essentials is a prerequisite. Fig bundles consultant and platform into the base fee.

Fig offers this level

Level 2

Advanced

Moderate CRP

Requires Cyber Essentials Plus as well as substantial operational security maturity. Typically a multi-month engagement including technical verification against DEFSTAN 05-138.

Fig refers to NCC Group, Bridewell, or C3IA

Level 3

Expert

High CRP

The most demanding tier. Comparable to a full ISMS audit with defence-specific technical depth. Requires Cyber Essentials Plus and sustained control maturity across the supply chain.

Fig refers to NCC Group, Bridewell, or C3IA

Consultant + platform, not audit-only

How Fig delivers DCC differently from audit-only Certification Bodies.

Dedicated consultant from day one

Every L1 engagement includes a named consultant through scoping, evidence preparation, remediation, and formal assessment. No hand-off between sales, delivery, and audit. L0 engagements include scoping-level consultant support.

Gaps found before assessment

Fig’s platform runs automated gap analysis across in-scope systems - unpatched CVEs, cloud misconfiguration, identity coverage, endpoint posture, exposed surface - so issues are fixed before the assessor arrives, not during audit.

Published prices, not bespoke quotes

L0 pricing is flat. L1 pricing is a published range with the variance drivers named openly. You can compare Fig’s pricing against competitors without a sales conversation.

What moves an L1 quote within its tier band

We name the variance drivers openly rather than quoting bespoke numbers that change by sales conversation.

Site count

Single-site engagements are faster than multi-site scopes. Hybrid or remote staffing complicates evidence collection.

Cloud footprint

Single-tenant Microsoft 365 estates are quick. Multi-cloud with custom IaC, hybrid identity, or significant PaaS surface adds engagement time.

Legacy systems

In-scope legacy platforms (Windows Server 2012, unsupported network kit, bespoke applications with limited patching) require additional control evidence.

Supply chain

L1 requires evidence of flow-down controls to your own suppliers. Simple chains are quick; tier-two chains with multiple subcontractors add engagement time.

Staff population

Small staff populations with clear role definitions move quickly. Organisations with large contractor or temp populations need more identity and access evidence.

Existing maturity

Suppliers with current ISO 27001 or NCSC CAF alignment will land in the lower half of each band. Organisations starting from a lower baseline will land higher.

How Fig's DCC pricing compares

Honest context on where Fig sits in the IASME-licensed CB market.

L0 market range

£800 – £7,000 + VAT

Across the UK’s IASME-licensed DCC bodies, L0 pricing ranges from roughly £800 + VAT for micro to £7,000 + VAT for large. Fig’s £999.99 – £4,999.99 pricing sits at the competitive end of the range.

L1 market range

£8,000 – £60,000+ + VAT

L1 market pricing is genuinely wide because engagement models differ: audit-only at the low end, full consultancy with platform support at the high end. Fig sits in the middle because we bundle consultant and platform into the base fee rather than unbundling them.

Procurement note

Compare scope, not sticker.

A cheaper headline L1 fee that excludes consultancy, platform access, and remediation rounds typically ends up at a similar or higher all-in cost once those are added back in.

The assessment process

What happens from quote to certificate - L0 takes 2–3 weeks, L1 takes 6–10 weeks for a prepared organisation.

1. Scoping & quote

We confirm your required DCC level from your contract Cyber Risk Profile, scope the engagement, and issue a fixed price within the published tier band.

2. Prerequisite check

Cyber Essentials (L0/L1) or Cyber Essentials Plus (L2/L3) is required. If you do not hold it, Fig issues it within the DCC engagement at no additional cost.

3. Platform onboarding

Read-only access to in-scope systems. The platform runs automated gap analysis across patches, cloud config, identity, endpoint posture, and exposed surface.

4. Remediation support

Your dedicated consultant works with you through identified gaps. Three rounds of remediation feedback are included before formal assessment.

5. Formal assessment

IASME-licensed assessor conducts the formal DCC assessment. Evidence has already been validated via the platform, so first-pass rates are high.

6. Certification

Certificate issued with three-year validity. Annual attestation support included. Platform continues running across the certificate period.

Who DCC applies to

If you want to bid on MOD contracts, DCC is now the baseline - at the level matched to the contract's Cyber Risk Profile.

  • Defence primes and tier-1 subcontractors bidding on DE&S, DIO, or DSTL contracts.
  • Technology suppliers to the MOD - software, cloud, managed services, hardware.
  • Professional services suppliers with MOD contracts handling sensitive or personal information.
  • Construction and facilities contractors working on MOD sites and DIO programmes.
  • Research and academic partners under MOD-funded research contracts.
  • Legal, accountancy, and consultancy firms holding MOD or prime-contractor engagements.

Frequently asked questions - DCC

Answers on scope, pricing, prerequisites, timelines, and the consultant + platform model.

What is Defence Cyber Certification?

DCC is the UK Ministry of Defence's independent cybersecurity certification framework for its supply chain, administered by IASME and delivered through a network of IASME-licensed Certification Bodies. Four levels - L0, L1, L2, L3 - cover the four Cyber Risk Profile tiers that MOD contracts are assessed against. It replaces the self-assessed Supplier Assurance Questionnaire (SAQ) approach under DCPP.

Does DCC replace the DCPP Supplier Assurance Questionnaire?

Effectively yes. Under DCPP the SAQ was self-assessed. DCC replaces that self-declaration with formal independent certification. DCC uses DEFSTAN 05-138 and the MOD Cyber Security Model (CSM v4) as its underlying specifications.

Is DCC mandatory?

If you want to bid on MOD contracts, yes - at the level matched to the contract's Cyber Risk Profile. Transition arrangements remain for existing contracts with prior SAQ attestation, but the direction of travel is that all MOD supplier contracts will require DCC certification.

How do I know which DCC level I need?

The MOD (or the prime contractor in a subcontract scenario) specifies the required level based on the contract's Cyber Risk Profile. Suppliers do not choose their level arbitrarily. If your pipeline includes contracts with varying CRPs, certify at the highest level required.

Does Fig offer L2 and L3 assessment?

Fig is accredited at Level 0 and Level 1. For L2 and L3 engagements we refer suppliers to IASME-accredited bodies operating at those higher levels, typically NCC Group, Bridewell, or C3IA. We are honest about this rather than trying to take engagements we are not accredited to deliver.

Do I need Cyber Essentials before DCC?

Yes. L0 and L1 require a valid Cyber Essentials certificate. L2 and L3 require Cyber Essentials Plus. Fig includes the Cyber Essentials prerequisite within the DCC engagement if you do not already hold it - no separate invoice.

How much does DCC cost with Fig?

Level 0 is flat-priced from £999.99 + VAT (micro) to £4,999.99 + VAT (large). Level 1 is priced as ranges from £9,999.99 – £14,999.99 + VAT (micro) up to £25,000 – £49,999 + VAT (large). Both include the Cyber Essentials prerequisite, three years of certificate validity, and annual attestation support.

Why is L1 priced as a range while L0 is flat?

L0 is a documentation-led review of a constrained requirement set; the work is predictable. L1 involves scoping, evidence preparation, consultant engagement, platform gap analysis, formal assessment, and remediation support - and the last four scale materially with organisation complexity. We publish the ranges and name the drivers openly rather than quoting bespoke numbers.

Is the consultant really included in L1 pricing?

Yes. Every L1 engagement includes a dedicated consultant throughout scoping, evidence preparation, remediation, and formal assessment. Consultancy is not a separate line item after engagement begins.

Is the technology platform extra?

No. Platform access is included in L1 pricing. The platform also remains active across the three-year certificate period so annual attestations are faster and re-certification at three years is substantially quicker than the initial engagement.

How long does L0 take?

Two to three weeks end-to-end for a prepared organisation (already holds Cyber Essentials, governance documentation in place, clear scope). Four to eight weeks for organisations starting from a lower baseline.

How long does L1 take?

Six to ten weeks end-to-end for a prepared organisation. Twelve to twenty weeks for organisations starting from a lower baseline. Most of the variance is driven by supplier preparation, not by the Certification Body.

Are there annual fees during the three-year certificate period?

Annual attestation is included within the original engagement fee. We do not charge separately for each year's attestation.

Can I accelerate the timeline for a specific MOD tender deadline?

Somewhat. Having a dedicated internal lead, engaging a consultant early, already holding Cyber Essentials, and being able to provide evidence quickly all compress the timeline. Tell us about your tender deadline at quote stage and we will prioritise engagement sequencing where possible, though DCC is not a same-day product like Cyber Essentials.

What does the platform actually do?

Automated gap analysis across your in-scope systems. It identifies unpatched CVEs, cloud misconfigurations, identity gaps (MFA coverage, dormant privileged accounts), endpoint posture issues, public-facing attack surface, and credential exposure. You fix issues before the assessor arrives rather than during audit.

Can my existing SAQ evidence be reused for DCC?

Much of it, yes. Documentation you produced for SAQ attestation is reusable for DCC - governance policies, access control evidence, technical attestations. A Fig consultant can work through your existing pack with you and identify what maps across versus what needs updating.

Is Fig IASME-accredited for DCC?

Yes. Fig Group is an IASME-licensed Certification Body accredited to assess Defence Cyber Certification at Level 0 and Level 1, and to assess Cyber Essentials and Cyber Essentials Plus as prerequisites. Our assessors hold the relevant IASME and defence-sector credentials.

Ready to start your DCC engagement?

Talk to an IASME-licensed DCC assessor. We will confirm your required level from your contract Cyber Risk Profile, scope the engagement, and issue a fixed price within the published tier band - L0 flat, L1 within range.