October 20, 2025

DCC Compliance Guide

Written by
Rebecca Williams
GRC Consultant

Defence Cyber Certification: A Guide for UK Defence Suppliers

The UK defence supply chain runs on trust, and trust increasingly depends on demonstrable cyber security. Defence Cyber Certification (DCC) is the scheme the Ministry of Defence introduced to make that trust measurable, giving suppliers a structured, evidence-based path to proving their cyber posture meets MoD requirements.

This guide covers what DCC is, how it's structured, and what getting certified actually involves.

What is DCC?

DCC is a UK government cyber security certification scheme for organisations working in the defence sector. Administered by IASME on behalf of the MoD, it's built on Defence Standard 05-138 (Def Stan 05-138), which sets out the controls defence suppliers are expected to have in place.

The scheme launched in 2025, and the MoD has asked all industry partners to reach Level 0 by the end of 2026. Certification is valid for three years, with annual attestation in between.

One thing worth understanding early: DCC takes a whole-organisation view. You can't carve out just the team that handles MoD contracts. Every business-critical system across the organisation is in scope.

The four levels

DCC is structured as four levels of increasing depth. Your required level depends on the cyber risk classification of your contract.

Level 0 is the entry point: three controls, six questions, plus a Cyber Essentials certification. It applies to contracts with very low assessed cyber risk.

Level 1 covers 101 controls across 236 questions. Cyber Essentials is required here too. This level is for organisations with low to moderate risk work.

Level 2 steps up to 139 controls and 328 questions, with Cyber Essentials Plus as the baseline. It's for higher-risk contracts and requires more evidence of governance and technical oversight.

Level 3 is the most demanding: 144 controls, 337 questions, and Cyber Essentials Plus. It applies to mission-critical work: weapons systems components, command and control infrastructure, classified cloud environments. At this level, the MoD needs comprehensive assurance.

What certification involves

Assessment under DCC is evidence-driven. For each control, organisations need to produce policies, configuration records, training logs, access records, or other documentation showing the control is actually in place — not just intended.

The process broadly follows this path:

Identify your contract's risk classification and required DCC level. Work through the Def Stan 05-138 controls for that level and document your current position against each. Remediate any gaps, then engage a certification body to carry out the assessment. Maintain your certification through annual attestation, with full reassessment at the three-year mark.

Cyber Essentials (and Cyber Essentials Plus at Levels 2 and 3) is a prerequisite, so if you don't have that in place, it's the logical starting point.

Common sticking points

Most organisations find that the whole-organisation scope causes the biggest headache at the start. Systems or subsidiaries that weren't part of previous compliance programmes have to be brought into scope, which can mean significant IT discovery work before you've answered a single DCC question.

Ownership is the other recurring issue. Def Stan 05-138 controls span IT, HR, legal, and operational teams, and without clear accountability mapped to each control, the evidence collection process tends to stall.

Organisations that have previously worked to ISO 27001 or Cyber Essentials often find meaningful overlap, though DCC isn't simply a repackaging of either.

Complyance is the AI-powered, end-to-end GRC platform.