
The Defence Cyber Certification (DCC) is a comprehensive security framework, alongside a formal and independently assessed certification process, to ensure cyber security compliance within the UK’s defence supply chain. Developed by the Ministry of Defence (MoD) and IASME to align with national and international standards (including NCSC CAF, NIST CSF and ISO 27001), DCC aims to strengthen cyber resilience and enhance security within UK defence procurement.

DCC may replace the current system, whereby suppliers have to complete a Supplier Assurance Questionnaire (SAQ) on a contract-by-contract basis, with a single and standardised, organisation-wide assessment. The new scheme removes the requirement for multiple assessments and simplifies assurance across the defence supply chain, with certification valid for three years conditional upon an annual attestation.

Defence Cyber Certification

HOW IT WORKS

Based on Defence Standard 05-138, every defence contract is assigned a cyber risk level from DCC Level 0 (lowest) to Level 3 (highest), with each level subject to a number of controls contained within the Standard that organisations must implement and evidence.

Importantly, DCC also requires current Cyber Essentials and/or Cyber Essentials Plus certification depending on the Level.

| DCC Level | Number of Controls | CE Requirement        |
|-----------|--------------------|-----------------------|
| 0         | 3 Controls         | Cyber Essentials      |
| 1         | 101 Controls       | Cyber Essentials      |
| 2         | 139 Controls       | Cyber Essentials Plus |
| 3         | 144 Controls       | Cyber Essentials Plus |

The certification process involves a single, point-in-time assessment to determine the applicant’s cyber security posture.

  • Verify their compliance with the applicable controls

  • Describe the measures in place to achieve them

  • Provide supporting documentary evidence to the assessor

WHAT ARE THE BENEFITS?

  • Delivers verifiable, independent assurance of robust security controls

  • Strengthens competitiveness in securing & retaining defence contracts

  • Hardens your organisation against real cyber threats

  • Provides access to MoD tenders that require certification

  • Simplifies assurance with one certification valid for 3 years


HOW WE CAN SUPPORT

As well as being a Certifying Body for DCC Level 0 and Level 1, Fortis Cyber® also provides a range of consultancy services to support you on your journey to Defence Cyber Certification:

Readiness Assessment and Gap Analysis:

  • Assessing current security posture

  • Identifying gaps against the framework and providing prioritised recommendations to meet compliance requirements

  • This is the theoretical scoring element

Technical Security Implementation:

  • Hardening systems and networks to meet secure configuration requirements

  • Cyber Essentials and Cyber Essentials Plus certification (mandatory for all DCC Levels)

Training and Awareness:

  • Workshops in preparation for evidence collection and audits

  • Staff cyber awareness training

Policy, Process and Documentation:

  • Developing or refining cyber policies and processes to ensure clear and auditable documentation

  • This is part of the assist/consult and implement stage to prepare the applicant for DCC

Security Testing and Assurance:

  • Secure configuration reviews and CREST-accredited Vulnerability Assessments

  • Automated Pen Testing as a Service

  • Penetration Testing

Information Security Officer as a Service:

  • Ongoing support with governance, security strategy and continuous improvement

  • Maintaining DCC compliance and managing annual attestations

Whether you are preparing for your first assessment or looking to harden existing controls, Fortis Cyber® will ensure cyber security is embedded across your organisation, so you are in a strong position to meet the requirements of Defence Cyber Certification.

Get in touch for more information and let our experts support you with clear, actionable guidance on DCC compliance.
