Defence Cyber Certification: Level 0 vs Level 1
Side-by-side comparison so UK MOD suppliers reading a Defence Cyber Certification Cyber Risk Profile clause for the first time can pick the right engagement and avoid the cost of buying the wrong level.
Defence Cyber Certification Level 0
For Very Low CRP contracts
Documentation-led Defence Cyber Certification, foundational controls, flat-priced by organisation size. Cyber Essentials prerequisite included.
Open Defence Cyber Certification Level 0 page
Defence Cyber Certification Level 1
For Low CRP contracts
Consultant-led Defence Cyber Certification against 101 controls. Range-priced because remediation effort scales with organisation complexity. Cyber Essentials prerequisite included.
Open Defence Cyber Certification Level 1 page
Side-by-side comparison
| Field | Defence Cyber Certification Level 0 (Very Low CRP) | Defence Cyber Certification Level 1 (Low CRP) |
|---|---|---|
| MOD Cyber Risk Profile | Very Low | Low |
| Typical contract pattern | Non-sensitive supply, tier-2/3 subcontract, OFFICIAL information | Professional services / tech to DE&S, DIO, DSTL; OFFICIAL-SENSITIVE-adjacent |
| Cyber Essentials prerequisite | Required (included in Fig engagement if not held) | Required (included in Fig engagement if not held) |
| Assessment shape | Documentation-led self-assessment + IASME-licensed assessor review | Consultant-led assessment against 101 controls drawn from Def Stan 05-138 issue 4 |
| MFA enforcement scope | All admin and remote access | All admin, remote, and privileged-data access; Conditional Access required |
| Supply-chain governance | Documented direct-supplier list | Flow-down of security clauses to direct suppliers; Cyber Essentials evidence where contractually required |
| Pricing logic | Flat by organisation size | Range by organisation size (consultant + remediation effort scales materially) |
| Fig price band | £999.99 + VAT (Micro) to £4,999.99 + VAT (Large) | £9,999 + VAT (Micro) to £49,999 + VAT (Large), as ranges |
| Typical timeline (prepared) | 2-3 weeks | 6-10 weeks |
| Certificate validity | 3 years with annual attestation | 3 years with annual attestation |
Decision rules
If the contract names "Very Low" CRP
Buy Defence Cyber Certification Level 0. Do not over-buy L1 - it adds cost and time without changing what the buyer requires.
If the contract names "Low" CRP
Buy Defence Cyber Certification Level 1. L0 will not satisfy the buyer's requirement and you will be asked to upgrade mid-engagement, which is more expensive than starting at Defence Cyber Certification Level 1.
If the contract names "Moderate" or "High" CRP
You need Defence Cyber Certification Level 2 or Level 3. Fig is IASME-licensed at Defence Cyber Certification L0 and L1 only - we refer L2 / L3 work to specialist bodies rather than take an engagement we cannot deliver.
If the contract has no explicit CRP statement
Read the DEFCON 658 clause and any associated security schedule. If still unclear, ask the buying authority. Do not assume Very Low - it is the buyer's call to make.
Still unsure?
Send us the contract clause and we will tell you which level applies before you buy. The Cyber Risk Profile reference is the canonical CRP-to-level mapping; the DCC scoping guide covers the boundary tests Fig assessors apply at L0 and L1. For an end-to-end view of the prerequisite Cyber Essentials route, see /cyberessentials.