Frequently Asked Questions
Background of the scheme
How long has DefStan 05-138i4 been public?
It was first published as an advance, informational publication in May 2024, although the standard was shared with some suppliers for consultation purposes as early as 2023.
What are the origins of DCC?
The MOD worked with IASME to create an assessment and certification against the DefStan 05-138 i4.
How DCC compares to other standards and frameworks
Can I use evidence from other schemes to assist with my DCC assessment?
You can use other schemes to support or provide evidence required for DCC, but there are currently no certifications that give direct compliance with DefStan controls.
Where can I find a mapping between DefStan 05-138i4 and other standards?
I have SbD, do I need DCC?
SbD and DCC are two different schemes with different scopes and objectives.
I have other certifications; do I need this one?
Applicants may still tender for MOD contracts via the normal MOD process; DCC is not mandatory at this stage.
Details of the scheme
Which contracts require the Defence Cyber Certification?
This will be decided by the MOD. However, any organisation can apply for certification, whether they are a current defence contractor or not.
Is DCC mandatory?
DCC is currently not mandatory.
What is the benefit of getting this certification?
This certificate will cover all of your contracts to the certified level, streamlining the process by requiring only one assessment to cover multiple contracts, rather than conducting separate assessments for each contract.
Are there any prerequisites?
Other than Cyber Essentials or Cyber Essentials Plus, there are not.
What levels are available?
DCC Levels 0 to 3 are available.
What do the different levels mean?
Each level (0-3) of the DCC’s framework corresponds to the degree of cyber risk associated with a supplier’s role in the MOD supply chain. All levels start with Cyber Essentials certification, with Levels 2 and 3 requiring Cyber Essentials Plus.
Applicants can apply for certification at any level, even if they are not currently engaged in an MOD contract.
Level 0 – 3 controls
Level 0 is normally assigned where there is a very low level of assessed cyber risk to a supplier delivering an output. It requires supplier organisations to demonstrate basic cyber security practices and forms the foundation level for all future assessments higher than level 0.
Level 1 – 101 controls
Level 1 is normally assigned where there is a low to moderate level of assessed cyber risk to a Supplier delivering an output. It requires supplier organisations to demonstrate a comprehensive cyber security programme with good practices.
Level 2 – 139 controls
Level 2 is normally assigned where there is a high level of assessed cyber risk to a supplier delivering a contracted output. It requires supplier organisations to demonstrate advanced cyber security oversight and planning which drives robust organisational and cyber practices.
Level 3 – 144 controls
Level 3 is normally assigned where there is a substantial level of assessed cyber risk from a supplier delivering a contracted output. It requires supplier organisations to demonstrate expert cyber security capabilities that fully take advantage of the ‘defence in depth’ methodology to appropriately protect the organisation against new and evolving threats.
How do I know the level I require for a contract?
This will be decided by the MOD or your Prime.
How do I prepare for DCC?
Applicants can download the Applicant Guide and Scoping Guide for the DCC level they’d like to achieve. They may wish to approach a DCC Certification Body for advice.
What is the certification process?
Once the Applicant has determined their certification level they can begin preparing for the assessment by:
- Downloading the Applicant Guide and Scoping Guide from the IASME website.
- Reviewing their organisation’s scope and completing a Statement of Scope.
- Choosing a DCC Certification Body (CB) to conduct the assessment.
Download the DCC Process Guide for a comprehensive breakdown of the entire process.
Once I have a DCC certificate, how do I maintain it?
You must re-certify annually to Cyber Essentials/Cyber Essentials Plus and every three years to DCC. You must also complete an annual attestation that you are meeting and maintaining the controls and your scope has not significantly changed.
My scope has changed since achieving certification, do I need to do anything?
Normal organisational or network changes are considered part of routine business operations and do not typically require recertification. However, significant changes should be reviewed with the assessing Certification Body (CB) to determine if the scope of certification has been substantially impacted.
How does the scheme address classified data?
DefStan 05-138 Issue 4 no longer addresses data classification, as its primary focus is now on whole organisation security and resilience. DCC holders may be subject to further requirements, such as a Security Aspects Letter, depending on the specific needs of the MOD contract.
My organisation is not UK-based, can we get DCC?
Yes.
If I already have a certificate for one level, and wish to go for a higher level, can I do this?
Yes.
Is it possible to upgrade my certificate level by assessing the additional or updated controls between a current level and desired levels?
No.
Does DCC use the same questions as the MOD SAQ?
Yes, although there may be small differences due to the syncing of different updates and versions.
Why are there two scoring phases?
DCC consists of two scoring phases: Theoretical and Practical. The Theoretical phase does not contribute to the final score but provides the Applicant with an opportunity to supply context (explaining what they do and how they do it) and submit evidence to demonstrate how they meet each control. This phase allows the Assessor to identify any areas requiring clarification and assess whether the Applicant is likely to meet the requirements of the Practical phase. During this phase, the Assessor may grant a Clarification Round, giving the Applicant the chance to update their responses or address any identified gaps.
The Practical phase is the critical component of the assessment. During this phase, the Assessor verifies that the Applicant is implementing the controls as described and evaluates whether the measures in place are sufficient to meet the required standards.
If I am unsure what a question or control requires or means, how can I clarify this?
Our Applicant Guides offer detailed support on the controls and questions, including example answers to help you better understand the requirements. Additional support is available from our Certification Bodies (CBs), who are trained to assist Applicants throughout the process.
The scheme is also designed to identify any misunderstood or incorrectly answered questions during the Theoretical Scoring phase. This provides Applicants with an opportunity to clarify or resubmit their responses before progressing to the final Practical Scoring phase.
Can I exceed the controls listed in DefStan 05-138i4?
Yes, the controls outlined represent the minimum standards required for each level. Your organisation may already meet or exceed some of these requirements within the controls.
How long does certification take?
There is no defined timescale for how long certification may take; this depends on:
- The preparedness of the Applicant
- Whether the Applicant needs to remediate any gaps before the Practical Scoring phase
- The availability of the Certification Body to carry out the assessment
Where can I find scheme documentation?
You can find downloadable scheme documentation here: Help & Resources: Defence Cyber Certification
Including:
- An overview of the scheme
- Scoping guidance
- Process guidance
- Applicant guidance
What sample sizes are required?
Sample sizes will follow GovAssure processes; however, the Assessor may request to see additional samples. Sample elements are to be randomly selected by the Certification Body during the practical assessment.
Do I need to work up through the levels?
No, you can apply for any level without completing lower levels first.
Are any levels self-assessment?
No.
Scope of certification
How has the scope changed from DefStan 05-138i3?
DefStan 05-138 Issue 3 and CSMv3 primarily focused on the protection of MOD Identifiable Information. In contrast, CSMv4 and DefStan 05-138 Issue 4 take a broader approach, emphasising overall organisational security and resilience. This shift results in a wider scope compared to previous versions, addressing the security of the entire organisation rather than just specific types of information.
What should my scope include? How do I define my scope?
Your DCC scope should include all essential functions and services necessary for your organisation to operate securely and resiliently. Non-essential parts of your organisation do not need to be included in the scope. As part of the process, you must provide a clear scoping statement that outlines what is included and excluded from the scope, how it aligns with your Cyber Essentials (CE/CE+) scope, and the rationale behind your scoping decisions. The DCC Assessor will review and challenge your scope to ensure it is logical, clearly documented, and easy to understand for future reference. For full guidance, please refer to the IASME Scoping Guide, which is available to all Applicants.
Is there scoping guidance available?
Yes, there is a scoping guide available for DCC on the IASME website here.
Does the scope vary between levels?
No, the scope must remain the same across all levels. What is considered essential for your organisation’s secure and resilient operation does not change based on the level being assessed.
Can I only include the networks that handle the MOD contract or sensitive data?
No, the scope is your whole organisation and the services/functions essential for it to operate, whether these functions are for MOD or non-MOD contracts.
My organisation is a large global PLC, what should our scope be?
This depends upon your organisation. It is possible to certify the whole entity or a smaller legal entity e.g. the UK arm of the business. For large complex organisations we recommend discussing your scope with a DCC Certification Body prior to starting your assessment.
Does the Cyber Essentials/Cyber Essentials Plus scope have to match the DCC scope?
Cyber Essentials/Cyber Essentials Plus focuses specifically on internet-connected networks and systems, while DCC encompasses a much broader scope, addressing overall organisational security and resilience.
Any internet connected devices/networks that are within the DCC scope must be covered by Cyber Essentials/Cyber Essentials Plus (within Cyber Essentials/Cyber Essentials Plus guidelines).
The DCC Assessor will review and verify both scopes as part of the assessment process to check they align adequately.
Do my suppliers need to be in my scope?
The scope must encompass your organisation’s internal operations, including the policies and processes you use to manage and oversee your suppliers.
My organisation is a subsidiary of a larger organisation and gets some services from them. Do they need to be in scope?
Yes. There are two approaches: either the larger organisation can be included within your scope, or the service they provide can be treated as an external supplier service. In either case, any control fulfilled by a third-party service must still be demonstrated as met, and supporting evidence from the third party may be required.
Some controls are met by a third party/MSP. How is this handled?
Any control that is met by a service provided by a third party must still be shown as met and evidence may be required from the third party.
Can DCC include cloud services?
Yes, the scope of DCC includes all services/functions essential for your organisation to continue to function. If a cloud service is essential to your organisation, then it must be in scope.
Can my DCC scope include multiple legal entities?
Yes, multiple entities can be included in the same certification, provided the entities and the overall scope are clearly defined. A common example is a global organisation certifying both its parent company and some of its smaller subsidiaries, or a group of companies collaborating to share infrastructure and services. If multiple legal entities wish to certify separately but operate on a shared network, they can work with a Certification Body (CB) to conduct multiple assessments using shared evidence where applicable. This approach can help reduce the overall resources required for the group.
Does my scope have to include my operational technology (OT)?
If operational technology (OT) is essential to your business operations, it must be included in the scope. However, it is understood that not all controls can be directly applied to OT systems. In such cases, alternative compensating controls may be considered by the Assessor. Your DCC Assessor can provide further guidance on how to address OT within your scope.
Certification Bodies and their role in the process
How do I find a Certification Body for DCC?
You can find a Certification Body by using our search function, which can be found here.
How do I become a Certification Body for DCC?
You can apply here.
Can my Certification Body (CB) help me prepare for the assessment?
Your CB can assist with identifying gaps in your compliance; however, if they are also acting as your DCC Assessor, they cannot be involved in implementing or managing your security defences. DCC CBs are trained to support Applicants in two distinct roles: providing implementation consultancy or assessing your DCC submission. CBs are fully aware of the boundaries between these roles to maintain impartiality and ensure the integrity of the assessment process.
Are there enough Certification Bodies (CBs)?
Yes, we already have CBs trained and available to offer all levels. We continue to train new Assessors to ensure there is an adequate supply.
Do Certification Bodies need SC or other clearance levels?
Some DCC Certification Bodies (CBs) have Assessors with security clearance, but not all. In most cases, Applicants are not expected to share sensitive material with Assessors, as DefStan 05-138 Issue 4 focuses on overall security and resilience rather than data classification. However, if there is a need to review sensitive information, Applicants can request an Assessor with the appropriate level of clearance.
Cost
What is the cost for each level?
The DCC scheme does not provide standardised costs for assessments or consultancy, as the level of support required varies significantly between applicants. Factors include the size and complexity of your organisation, your current security posture, your proposed scope, your preparedness for assessment and the level (0, 1, 2, 3) you wish/need to attain. CBs must work closely with applicants to determine appropriate pricing.