DCC scoping guide, written by Fig assessors.

Treating "everything we own" as in-scope for DCC. Fig sees this most often from organisations with mature ISO 27001 or NIS2 muscle memory. DCC scope is the set of systems, sites, people, and suppliers that touch the MOD contract - not the whole organisation. Over-scoping inflates evidence cost, lengthens remediation, and pushes the engagement to the upper end of the L1 range without changing the certificate outcome.

The mirror image. Drawing the scope boundary so tightly that systems that genuinely touch MOD information are excluded - e.g. excluding the corporate identity provider when MOD-handling staff authenticate via it, or excluding the corporate file-share when MOD-derived documents traverse it. This is the failure mode that gets caught at formal assessment, not at scoping, and it triggers expensive late-stage rescoping.

Holding a current Cyber Essentials certificate is a prerequisite for DCC L0 and L1, but it is not a substitute for the DCC control set. Fig regularly sees suppliers assume that because CE evidence is in place, DCC evidence is essentially done. The L1 control set covers 101 controls; CE covers five. The overlap on technical controls is partial, and the governance, supply-chain, and risk-management evidence required for L1 is not in the CE evidence pack at all.

L0 and L1 both require evidence of direct-supplier security controls in proportion to risk. Suppliers who treat the supply chain as "we have a list of names somewhere" find that the formal assessment expects flow-down clauses, CE evidence from contractually-bound suppliers, and (at L1) a documented supplier readiness review. The supply-chain section is where Fig sees engagements lose two to three weeks to chasing supplier responses that should have been gathered at week one.

A retained Windows Server 2012, an unsupported network device, or a bespoke application without a documented patch path will not be excluded from scope by being uncomfortable. If it touches MOD information, it is in scope and it requires either a documented migration plan or a documented compensating-controls case. Legacy systems are the variance driver that pushes L1 engagements to the upper half of the published range.

Treating evidence collection as something that happens after scoping is the single most common reason DCC engagements run long. Fig's consultant + platform model is designed to run evidence collection in parallel with remediation - if the supplier waits to collect evidence until remediation is "done", the formal assessment slips by two to four weeks.

Governance and risk

• Information security policy or policy framework, dated within the last 12 months
• Documented RACI or named ownership for cyber security responsibilities
• Risk register with named risks, owners, and treatment status (L1; lighter for L0)
• Incident response plan and contact tree, including notification routes for MOD-handling incidents

Identity and access

• Joiner / mover / leaver process documentation with example evidence (tickets, IdP audit logs)
• Privileged access list, with review cadence
• Multi-factor authentication enforced across all admin and remote access (L1 mandatory)
• Service-account inventory with documented isolation where MFA cannot apply

Device and configuration

• Device inventory aligned to the in-scope estate (a maintained list is acceptable; real-time tooling not required at L0)
• Patch management cadence: SLA for high / critical updates, with evidence of last cycle
• Endpoint protection coverage report across in-scope devices
• Documented baseline configuration for OS, cloud, and network components (L1)

Supply chain

• Direct-supplier list filtered to those handling MOD information or its derivatives
• Standard supplier security clauses or DPA template, with signed copies where applicable
• Cyber Essentials evidence from suppliers where contractually required
• Fig supplier readiness review responses (L1; sent week one of evidence collection)