The Defence Cyber Certification (DCC) scheme was developed by IASME and the UK Ministry of Defence (MOD) to enhance the cyber resilience of the UK’s defence supply chain. The scheme is being launched in stages with Level 0 now live for Applicants.
A Phased Approach to Certification
The certification is a point-in-time assessment against the uplifted UK Defence standard. Compliance with this standard for cyber resilience will soon become a requirement in all Defence procurement and contract activities.
The DCC scheme introduces a four-level certification framework (L0–L3), with each level corresponding to the degree of cyber risk associated with a supplier’s role in the MOD supply chain. All levels start with Cyber Essentials certification, with Levels 2 and 3 requiring Cyber Essentials Plus.
Applicants can apply for certification at any level, even if they are not currently engaged in an MOD contract. This flexibility allows organisations to demonstrate their commitment to cyber resilience, prepare for future opportunities, and avoid the need for repeated assessments on a contract-by-contract basis.
The phased rollout ensures that organisations have the time and resources to prepare for certification at the appropriate level, while also allowing IASME to expand its network of Assessors to meet growing demand.
Level 0 Certification: Now live, this foundational level is designed for organisations with very low assessed cyber risk. It requires compliance with just three basic controls, forming the groundwork for higher levels of certification.
Level 1 Certification: Live for applicants at the end of August, this level is aimed at organisations with low to moderate cyber risk and requires compliance with 101 controls.
Levels 2 and 3 Certification: Live for applicants from the end of July, these levels are designed for organisations with high or substantial cyber risk. They require advanced and expert cyber security capabilities, including a “defence in depth” approach to mitigating evolving threats.
Explaining the jargon
The Cyber Security Model: A Risk-Based Approach
At the heart of the DCC scheme is the Cyber Security Model (CSM), which provides a structured, risk-based, and proportionate approach to embedding cyber security into the defence supply chain. The CSM is essentially the “how” of building cyber resilience, ensuring that suppliers implement the appropriate level of controls based on their assessed cyber risk.
The Process:
Risk Assessment by Delivery Teams: MOD delivery teams conduct a risk assessment using six key questions to evaluate the cyber risks associated with a supplier’s role in the supply chain.
Cyber Risk Profile Generation: Based on the risk assessment, a supplier is assigned a Cyber Risk Profile (CRP) ranging from Level 0 to Level 3.
Control Requirements: Each Cyber Risk Profile corresponds to a specific set of controls set out in Defence Standard 05-138 (Def Stan 05-138). This standard specifies the cyber security controls that suppliers must meet at each level.
The Supplier Assurance Questionnaire (SAQ)
A critical component of the CSM is the Supplier Assurance Questionnaire (SAQ). This is a self-assessment tool that suppliers use to evaluate their compliance with the requirements of Def Stan 05-138. The SAQ helps suppliers identify what “good” looks like by asking them to select the statement that most accurately describes their current practices.
The SAQ serves as a self-attestation mechanism, forming the foundation for the DCC certification process. It ensures that suppliers are aware of the controls they need to implement and provides a clear pathway for achieving compliance.
Defence Standard 05-138: The Cyber Security Standard
Defence Standard 05-138 (Def Stan 05-138) is the cornerstone of the DCC scheme. It defines the specific cyber security controls required for each Cyber Risk Profile. The uplifted standard aligns with national and international standards, including the Cyber Assessment Framework (CAF) and the NIST and ISO standards.
The Defence Cyber Certification scheme was developed to help suppliers understand the requirements and undergo assessment.
Investing in Assessor Capacity
To support the rollout of the DCC scheme, IASME is expanding its network of Assessors. While the current pool of Assessors is focused on higher-level certifications (Levels 2 and 3), IASME is also developing a new training programme to onboard additional Assessors for Level 1 certifications. This ensures that certification remains accessible and affordable for all applicants.
Why Certify to the DCC Scheme?
The DCC scheme offers defence suppliers a proactive way to enhance their cyber security posture, meet MOD requirements, and gain a competitive edge. Certification demonstrates a commitment to cyber resilience, streamlines procurement processes, and reduces the need for repeated assessments. It also strengthens organisational resilience by helping suppliers identify and address vulnerabilities, ensuring they are prepared to respond to cyber threats.
How to Get Started
Organisations interested in certifying to the DCC scheme can begin the process by contacting IASME or one of its assured DCC Certification Bodies.