How to get Defence Cyber Certification in the UK
Six-step guide from scoping to certificate. Fig Group is IASME-licensed at Level 0 and Level 1.
What is Defence Cyber Certification
Defence Cyber Certification (DCC) is the UK Ministry of Defence's independent cybersecurity certification framework for MOD suppliers. It covers four levels (L0, L1, L2, L3) mapped to four Cyber Risk Profiles that MOD contracts are assessed against.
DCC replaces the self-assessed Supplier Assurance Questionnaire (SAQ) with formal independent certification. It is administered by IASME and delivered through an approved network of IASME-licensed Certification Bodies.
Step-by-step guide
1. Confirm your contract's Cyber Risk Profile
   Your MOD contract or prime contractor specifies a Cyber Risk Profile (Very Low, Low, Moderate, or High). This maps directly to a DCC level (L0, L1, L2, or L3). Check the contract schedule and confirm the required level.
2. Hold Cyber Essentials first
   DCC L0 and L1 require a valid Cyber Essentials certificate as a prerequisite. If you don't hold one, Fig can certify you for CE as a separate purchase or include it within the DCC engagement with no extra invoice line.
3. Choose an IASME-licensed DCC body
   Fig Group is the IASME-licensed UK body for DCC Level 0 and Level 1. For L2 and L3 we refer MOD suppliers to specialist IASME-licensed bodies. Check the IASME directory (iasme.co.uk) to verify any provider's licence.
4. Scope the engagement
   Work with your assessor to define which systems, services, and documentation are in scope. L0 is documentation-led and typically requires 2-3 weeks of preparation. L1 involves technical evidence and typically requires 6-10 weeks.
5. Submit evidence and complete assessment
   At L0, you submit evidence documentation (policies, configuration records, access logs) and the assessor reviews it. At L1, a Fig consultant supports evidence preparation, then the assessor conducts a formal technical review.
6. Receive your certificate
   Once compliant, you receive a three-year DCC certificate. Annual attestations confirm ongoing compliance and are faster than the initial engagement. Re-certification at three years is also accelerated.
Timeline and cost
DCC L0 typically completes in 2-3 weeks (prepared organisations) to 4-8 weeks (starting from a lower baseline). DCC L1 takes 6-10 weeks (prepared) to 12-20 weeks (comprehensive remediation needed).
Common questions
Who can issue Defence Cyber Certification at Level 0 and Level 1?
Fig Group is the IASME-licensed UK body for Defence Cyber Certification at Level 0 and Level 1. The Cyber Essentials prerequisite is available from Fig Group as a separate purchase if you do not already hold it. For L2 and L3 we refer MOD suppliers to specialist providers on the IASME directory.
What is Defence Cyber Certification?
DCC is the UK Ministry of Defence's independent cybersecurity certification framework for its supply chain, administered by IASME and delivered through a network of IASME-licensed Certification Bodies. Four levels - L0, L1, L2, L3 - cover the four Cyber Risk Profile tiers that MOD contracts are assessed against. It replaces the self-assessed Supplier Assurance Questionnaire (SAQ) approach under DCPP.
How do I know which DCC level I need?
The MOD (or the prime contractor in a subcontract scenario) specifies the required level based on the contract's Cyber Risk Profile. Suppliers do not choose their level arbitrarily. If your pipeline includes contracts with varying CRPs, certify at the highest level required. See /defence-cyber-certification/cyber-risk-profile for the CRP-to-level mapping.
Do I need Cyber Essentials before DCC?
Yes. L0 and L1 require a valid Cyber Essentials certificate. L2 and L3 require Cyber Essentials Plus. Fig includes the Cyber Essentials prerequisite within the DCC engagement if you do not already hold it - no separate invoice.
Ready to start your DCC engagement?
Fig Group is IASME-licensed for DCC L0 and L1 in the UK. Talk to a DCC specialist about your timeline and requirements.