Cyber Risk Profile (CRP), explained for UK MOD suppliers.
Your contract clause references a Cyber Risk Profile. The CRP is the MOD’s contractual risk classification, and it determines which Defence Cyber Certification level you must hold at award. This page maps the four CRPs onto the four DCC levels, with what each tier expects, what it costs, and how long it typically takes - so you can read the next clause you receive and know exactly which engagement you need.
What a CRP is
Defined in Def Stan 05-138 issue 4 - the underlying specification for all four DCC levels.
Cyber Risk Profile (CRP) is the UK Ministry of Defence’s classification of the cyber risk associated with a specific contract. It considers two axes: the sensitivity of the information the supplier will handle, and the operational consequence to MOD if a supplier-side compromise occurs. Together those axes place each contract in one of four CRPs: Very Low, Low, Moderate, or High.
Each CRP corresponds to one of the four DCC certification levels - L0, L1, L2, L3 - drawn from Def Stan 05-138 issue 4. The mapping is contractual: when the contracting authority assigns a CRP, the required DCC level is implied, and the contract clause names it explicitly. You do not pick your level. The clause does.
Because CRP is contractual, the practical question for a supplier reading a new contract is short: which of the four CRPs am I being held to, and what does that level expect of me? The four cards below answer both questions.
The four CRPs and their DCC levels
Same standard, four severities. CRP is the dial that points to which control set applies.
Very Low → DCC Level 0
Contracts that handle limited MOD information with low sensitivity. The risk to MOD operations from a supplier-side compromise is bounded; a documentation-led review of foundational controls is sufficient.
When this applies
- Routine non-sensitive supply contracts (consumables, basic services)
- Contracts with no access to sensitive MOD data or operational systems
- Tier-2 / tier-3 subcontractor positions in low-sensitivity programmes
What this level expects
- A foundational governance and identity baseline
- Cyber Essentials as a prerequisite (Fig issues this within the engagement if you do not already hold one)
- A documented direct-supplier list, not a full third-party risk programme
Fig fee band: From £999.99 + VAT (Micro) to £4,999.99 + VAT (Large)
Typical timeline: 2-3 weeks for prepared organisations
Low → DCC Level 1
Contracts that handle MOD information of sufficient sensitivity that a supplier-side compromise would have a direct, contained impact on MOD operations. A consultant-led assessment against 101 controls drawn from Def Stan 05-138 issue 4 is the right depth.
When this applies
- Most professional services and technology contracts to DE&S, DIO, DSTL
- Contracts handling personal data of MOD personnel or operational data of moderate sensitivity
- Tier-1 supplier positions where the prime requires named DCC L1 evidence at award
What this level expects
- Documented governance with RACI and risk-treatment evidence
- Multi-factor authentication enforced across admin and remote access
- Documented baseline configuration for OS, cloud and network
- Flow-down of security clauses to direct suppliers, with CE evidence where contractually required
Fig fee band: From £9,999 + VAT (Micro) to £49,999 + VAT (Large), priced as a range
Typical timeline: 6-10 weeks for prepared organisations
Moderate → DCC Level 2
Contracts where a supplier-side compromise would have material impact on MOD operations or expose substantial sensitive information. Cyber Essentials Plus is required as a prerequisite (not standard Cyber Essentials) and the assessment is consultant-led against 139 controls including technical verification.
When this applies
- Contracts handling OFFICIAL-SENSITIVE data or significant personal data populations
- Operational technology suppliers with material consequence on MOD systems
- Software vendors with privileged access to MOD environments
What this level expects
- A mature ISMS comparable to ISO 27001-style governance
- Cyber Essentials Plus as prerequisite (independent technical audit, not self-assessed)
- Documented operational security with sustained evidence (logging, monitoring, change control)
- Active third-party risk management programme covering tier-2 suppliers
Fig fee band: Not published by Fig - referred to L2-licensed bodies. Industry guidance places L2 in the £40,000-£90,000 range subject to scope.
Typical timeline: Multi-month engagement (typically 12-20 weeks)
Fig is IASME-licensed at L0 and L1. For L2/L3, see the IASME directory at iasme.co.uk for licensed bodies.
High → DCC Level 3
Contracts where a supplier-side compromise would have severe operational impact on MOD or compromise highly sensitive information. The most demanding tier - comparable to a full ISMS audit with defence-specific technical depth. Cyber Essentials Plus is required and 144 controls are in scope.
When this applies
- Contracts handling SECRET-tier information or critical operational systems
- Major prime contractors operating sustained MOD programmes
- Suppliers whose compromise would expose national-security-relevant data
What this level expects
- A fully mature ISMS with continuous internal-audit evidence
- Cyber Essentials Plus prerequisite plus substantial supplementary technical evidence
- End-to-end supply chain assurance, including tier-2 and tier-3 evidence
- Sustained operational security maturity over multi-year engagements
Fig fee band: Not published by Fig - referred to L3-licensed bodies. L3 engagements are typically priced bespoke, often six figures.
Typical timeline: Multi-month engagement (often 6+ months)
How CRPs are decided in practice
Fig assessor commentary on what the four-tier mapping looks like once a contract clause lands on your desk.
In Fig’s scoping conversations the same pattern recurs: a supplier reads a contract clause, sees a phrase like “DCC Level 1 against Def Stan 05-138 issue 4”, and asks what the “Low Cyber Risk Profile” underneath that clause actually means in operational terms. The mapping above gives the definitional answer. The paragraphs below give the practical one.
Very Low CRP / L0 contracts are typically routine supply or services arrangements where the supplier touches no sensitive MOD information and has no privileged access to MOD systems. The control set is foundational: governance policies, identity hygiene, basic device and supply-chain evidence. Cyber Essentials is a prerequisite. The assessment is documentation-led - no on-site visit, no technical audit. Most organisations that already hold Cyber Essentials and have a small policy framework can reach a compliant evidence pack in days rather than weeks.
Low CRP / L1 contracts are where most defence supply-chain certifications cluster. The information is not classified, but the operational consequence of a supplier-side breach is direct enough that 101 controls drawn from Def Stan 05-138 issue 4 are tested. This is the consultant-led tier: scoping, evidence preparation, platform-driven gap analysis, three remediation rounds, and formal assessment. Fig publishes ranges (not a single price) for L1 because the work scales materially with site count, cloud footprint, retained legacy, and supply-chain depth - the variance drivers.
Moderate CRP / L2 contracts require Cyber Essentials Plus (the independent technical audit variant) as a prerequisite, plus substantial operational security maturity. 139 controls are in scope, with technical verification on top of documented evidence. Most suppliers landing in L2 have either a formal ISMS already or are running ISO 27001 alongside DCC. Fig refers L2 engagements to IASME-licensed certification bodies that hold the L2 scope - we do not attempt engagements outside our licence.
High CRP / L3 contracts are the most demanding tier and typically appear at the prime-contractor level. 144 controls are tested and the assessment is comparable in depth to a full ISMS audit with defence-specific technical requirements. Tier-2 and tier-3 supply-chain assurance is in scope. Like L2, Fig refers L3 engagements to L3-licensed bodies, which buyers can verify on the IASME directory.
The honest framing is this: the CRP your contract carries is not negotiable, but it is readable. If you can identify the CRP and read the four-card summary above, you know which DCC level you are being asked to hold and what the next 6-10 weeks of preparation should look like.
Frequently asked - Cyber Risk Profile
The questions Fig assessors hear most often when a supplier first reads a CRP-bearing contract clause.
Where is the CRP for my contract specified?
The contracting authority (the MOD or the prime contractor in a subcontract scenario) assigns a CRP at contract scoping. The required DCC level is then derived from the CRP and named in the contract clause or Defence Cyber Protection Partnership (DCPP) requirements section. Suppliers do not choose their CRP - and an attempt to certify at a lower level than the contract requires will not satisfy the procurement evidence test.
My pipeline includes contracts at different CRPs. How do I certify?
Certify at the highest level your pipeline requires. A DCC L1 certificate is sufficient evidence for an L1 contract and for a Very Low CRP (L0) contract; an L0 certificate is not sufficient for a contract that requires L1. Fig recommends honest scoping at the highest pipeline level rather than re-certifying upward later.
Can I downgrade my CRP to reduce the required DCC level?
No. The CRP is set by the contracting authority based on the information and operational risk profile of the contract. It is a procurement-side classification, not a supplier-side election. If you believe the CRP is misaligned with the actual risk profile, raise it through the contracting authority before contract award - not after.
What is the relationship between CRP and Def Stan 05-138 issue 4?
Def Stan 05-138 issue 4 defines the four DCC control sets (L0-L3). The CRP is the classification that maps a contract's information and operational risk profile to one of those control sets. Same standard, four severities; CRP is the dial that points to which control set applies.
Does CRP map cleanly onto the OFFICIAL information classifications?
Approximately, not exactly. OFFICIAL and OFFICIAL-SENSITIVE are HMG information-handling classifications; CRP is a contract-level cyber risk classification that considers information sensitivity *and* operational impact. A contract handling OFFICIAL data with minor operational coupling can be Very Low CRP; a contract handling OFFICIAL data with material operational coupling can be Low or Moderate. Look at both axes when reading a CRP assignment.
More buyer questions on DCC scope, prerequisites, timelines and pricing:
Open the full DCC FAQ
Read your contract clause, then talk to Fig.
If you can name the CRP, you can quote the engagement. If you cannot, send Fig the clause and we will tell you the CRP, the required DCC level, and a fixed price (L0) or a range within the published bands (L1).