Defence Cyber Certification · L1

DCC Level 1, consultant-led and platform-supported.

The Enhanced tier of Defence Cyber Certification for UK MOD suppliers. Range-priced from £9,999.99 + VAT - dedicated consultant, Fig platform access for automated gap analysis, three remediation rounds, three-year certificate validity, Cyber Essentials prerequisite included.

£9,999.99

L1 starting range (Micro tier, ex VAT)

Low CRP

Cyber Risk Profile this tier maps to

6-10 weeks

Typical engagement for a prepared organisation

Pricing

Range-priced by organisation size

L1 scope complexity varies with site count, cloud footprint, legacy systems, supply chain depth, and existing maturity - so we publish ranges and name the drivers openly rather than quoting a single bespoke number.

DCC Level 1

Enhanced · Low CRP

Micro

1-9 employees

£9,999.99 - £14,999.99+ VAT

Scoped quote · 3-year validity

  • Dedicated consultant + Fig platform
  • L1 assessment against DEFSTAN 05-138
  • Three remediation rounds included
  • 3-year validity with annual attestation

Medium

50-249 employees

£20,000 - £24,999+ VAT

Scoped quote · 3-year validity

  • Dedicated consultant + Fig platform
  • L1 assessment against DEFSTAN 05-138
  • Three remediation rounds included
  • 3-year validity with annual attestation

Large

250+ employees

£25,000 - £49,999+ VAT

Scoped quote · 3-year validity

  • Dedicated consultant + Fig platform
  • L1 assessment against DEFSTAN 05-138
  • Three remediation rounds included
  • 3-year validity with annual attestation

Why Fig for L1

Consultant-led, platform-supported, no unbundling

L1 is more than a documentation review. Fig delivers it as one coherent engagement rather than a sales-then-audit handoff with surprise line items.

01 · Dedicated consultant

A named expert from scoping to certificate

Every L1 engagement includes a named IASME-licensed consultant. They run scoping, evidence preparation, remediation feedback, and formal assessment. No hand-off between sales, delivery, and audit teams.

02 · Platform-supported

Automated gap analysis before audit

Fig's technology platform runs automated checks across patches, cloud config, identity coverage, endpoint posture, and exposed surface - so issues are surfaced and fixed before the formal assessment, not during.

03 · Three remediation rounds

Findings before the final review

L1 includes three structured remediation rounds before formal assessment. Most engagements pass first time at audit because the platform and consultant have already addressed the findings that would otherwise block certification.

The L1 process

Six stages from scoping to certificate

Most prepared organisations complete L1 inside 6-10 weeks. Three remediation rounds are built into the engagement, so the formal assessment usually passes first time.

  1. Scoping and quote

    We confirm your required DCC level from the contract Cyber Risk Profile, scope the engagement, and issue a fixed price within the published tier band.

  2. Prerequisite check

    Cyber Essentials is required for L1. If you don't hold it, Fig issues it within the engagement at no additional cost.

  3. Platform onboarding

    Read-only access to in-scope systems. The platform runs automated gap analysis across patches, cloud config, identity, endpoint posture, and exposed surface.

  4. Remediation support

    Your dedicated consultant works with you through identified gaps. Three structured rounds of remediation feedback are included before formal assessment.

  5. Formal assessment

    IASME-licensed assessor conducts the formal DCC assessment against DEFSTAN 05-138. Evidence has been validated via the platform, so first-pass rates are high.

  6. Certification

    Certificate issued with three-year validity. Annual attestation support included. Platform stays active across the certificate period for faster recertification.

Variance drivers

What moves a quote within the band

Six drivers determine where in the published range your engagement lands. We name them openly rather than quoting a bespoke number that changes by sales conversation.

Site count

Single-site engagements are faster than multi-site scopes. Hybrid or remote staffing complicates evidence collection.

Cloud footprint

Single-tenant Microsoft 365 estates are quick. Multi-cloud with custom IaC, hybrid identity, or significant PaaS surface adds engagement time.

Legacy systems

In-scope legacy platforms (Windows Server 2012, unsupported network kit, bespoke applications with limited patching) require additional control evidence.

Supply chain

L1 requires evidence of flow-down controls to your own suppliers. Simple chains are quick; tier-two chains with multiple subcontractors add engagement time.

Staff population

Small staff populations with clear role definitions move quickly. Organisations with large contractor or temp populations need more identity and access evidence.

Existing maturity

Suppliers with current ISO 27001 or NCSC CAF alignment will land in the lower half of each band. Organisations starting from a lower baseline will land higher.

Who needs Level 1

Three buyer profiles

L1 is the right tier when the contract specifies a Low Cyber Risk Profile. Three supplier types most often need this engagement.

Defence primes and tier-1 subcontractors

Suppliers bidding on DE&S, DIO, or DSTL contracts where the Cyber Risk Profile specifies Low rather than Very Low. L1 is the minimum bar for direct prime engagements.

Technology suppliers to MOD

Software, cloud, managed services, and hardware vendors handling MOD-relevant data. L1 satisfies the assurance bar for sensitive but non-classified workloads.

Professional services with sensitive data

Consultancies, legal, accountancy, and recruitment firms contracted into MOD work where data sensitivity exceeds Very Low CRP. L1 covers controls beyond what L0 documentation review reaches.

Bundled into the L1 fee

One price, every component included

Some CBs publish a low L1 headline price that excludes consultancy, platform access, and remediation rounds - then add them as line items mid-engagement. Our fee bundles every component so the published range is the all-in price you pay.

  • Dedicated IASME-licensed consultant
  • Fig platform access for automated gap analysis
  • L1 assessment against DEFSTAN 05-138
  • Three structured remediation rounds
  • Cyber Essentials prerequisite (if needed)
  • Three-year certificate validity + annual attestation

L1 vs L0

How Level 1 differs from Level 0

L1 is required when the contract specifies Low CRP. L0 covers Very Low CRP only. The right tier is decided by the contract, not the supplier.

Level 0

Documentation-led review

  • Maps to Very Low Cyber Risk Profile
  • Flat per-tier pricing (£999.99 - £4,999.99)
  • 2-3 week typical engagement
  • CE prerequisite, no L1 consultant
  • No on-site or technical testing

Level 1

Consultant + platform engagement

  • Maps to Low Cyber Risk Profile
  • Range pricing (£9,999.99 - £49,999)
  • 6-10 week typical engagement
  • Dedicated consultant + Fig platform
  • Three remediation rounds before assessment

FAQ

Level 1 questions answered

How do I know I need DCC Level 1 specifically?

The contract or prime contractor specifies the required level based on the Cyber Risk Profile (CRP). L1 maps to Low CRP. If the contract requires Very Low CRP you need L0; Moderate or High requires L2 or L3. Suppliers do not choose their own level - if uncertain, ask the contracting authority.

Why is L1 priced as a range while L0 is flat?

L0 scope is a constrained documentation review, so the fee can be flat. L1 scope complexity varies materially with site count, cloud footprint, legacy systems, supply chain depth, staff population, and existing maturity. Pricing as a range and naming the variance drivers openly is more honest than quoting a single number that bears no relation to the work.

What's included in the L1 fee?

A dedicated consultant from scoping to certificate, Fig platform access for automated gap analysis, the L1 assessment itself, three remediation rounds before formal assessment, certificate issuance, three years of certificate validity, and annual attestation. Cyber Essentials prerequisite is included if you don't already hold it.

How long does Level 1 take?

Typically 6-10 weeks for a prepared organisation. The longest variable is remediation - if the platform identifies high or critical findings, the timeline depends on how quickly your team can close them. Three structured remediation rounds are built into the engagement.

Is the consultant really included in the L1 price?

Yes. No upcharge, no separate retainer, no per-hour billing on top. Platform access is also included for the full 3-year certificate period - so annual attestations and recertification are substantially faster than the initial engagement.

Why bundle consultant and platform rather than sell them separately?

It produces a more honest price comparison. Some CBs publish a low headline L1 fee that excludes consultancy, platform access, and remediation rounds - then add them as line items mid-engagement. Bundling means the price you see is the price you pay, and that price compares apples-to-apples against full-scope quotes.

Ready to start an L1 engagement?

Talk to an IASME-licensed DCC assessor. We confirm your required level from your contract Cyber Risk Profile, scope the engagement, and issue a fixed price within the published tier band - all in one conversation.