The Ministry of Defence (MOD), in collaboration with IASME, has introduced the Defence Cyber Certification (DCC) scheme. The scheme is a formal framework designed to assess and assure the cyber security posture of defence suppliers.
While Defence Standard 05-138 (DefStan 05-138) has long been the benchmark for cyber security in the defence supply chain, the DCC scheme enhances this by providing a structured certification process that aligns with the cyber risk profile associated with specific contracts.
This blog explains what the introduction of DCC means for defence suppliers, what technical and organisational controls are expected at each level, and how organisations can take practical steps to prepare.
Introduction to the Defence Cyber Certification (DCC)
With the recent launch of the Defence Cyber Certification (DCC) scheme, the Ministry of Defence (MOD) is formalising how cyber security compliance is assessed across its supply chain. The DCC provides a structured certification framework that builds confidence in a supplier’s cyber resilience and aligns with international best practices.
Developed in collaboration with IASME, DCC builds on the long-standing requirements of DefStan 05-138 (the MOD’s core cyber security standard for defence suppliers). While DefStan 05-138 sets out what controls are needed, DCC introduces a consistent, evidence-based method of assessing whether those controls are actually in place and working.
A Quick Recap: What's Behind This Change?
Let’s be clear - the DCC scheme doesn’t introduce entirely new controls. If you’re already aligned with DefStan 05-138, you’re likely already on the right track. What it does change is how compliance is assessed.
In the past, you might have completed a Supplier Assurance Questionnaire (SAQ) or submitted a Cyber Implementation Plan (CIP) to show how you were managing risk. These were often self-assessed and, while helpful, varied in quality and interpretation.
With DCC, that’s no longer the case. Now, you’ll need to demonstrate your compliance through a formal certification process that’s independently assessed. And once certified, you’ll need to maintain that assurance through annual check-ins and ongoing evidence throughout the length of your contract.
How DCC Relates to Other Standards and Frameworks
To help make sense of it all, here’s how the pieces fit together:
- Cyber Security Model (CSM): The MOD’s framework for assessing cyber risk on each contract
- Cyber Risk Profile (CRP): The level of cyber risk your contract presents
- DefStan 05-138: The standard that defines what controls you need based on your CRP
- Defence Cyber Certification (DCC): The new process that verifies whether you’re actually doing what DefStan 05-138 requires
What Are the Main Changes Under DCC?
In short: self-assessment is being replaced by formal certification. Under the DCC scheme, you can be assessed at one of four levels of cyber maturity - from Level 0 (Basic) to Level 3 (Expert).
Certification could become a requirement for MOD contracts, and although it may not yet be mandatory, it’s wise to get ahead of the curve.
Once you’re certified, the certification is valid for three years, but you’ll need to complete an annual attestation and maintain valid Cyber Essentials or Cyber Essentials Plus certification, depending on your level.
CRP and DCC Levels: What You Need to Know
Here’s a simplified view of the four DCC levels (the level you need is driven by your contract’s Cyber Risk Profile) and what each level involves:

| DCC Level | DCC Controls Required | Cyber Essentials Requirement |
| --- | --- | --- |
| Level 0 | 3 controls | Cyber Essentials |
| Level 1 | 101 controls | Cyber Essentials |
| Level 2 | 139 controls | Cyber Essentials Plus |
| Level 3 | 144 controls | Cyber Essentials Plus |
Each level builds on the last. So, if you’re aiming for Level 2 or 3, you’ll need to show more detailed governance, monitoring, technical assurance, and third-party oversight.
Preparing for DCC: A Practical Checklist
The scheme is managed by IASME, and Bridewell is a key partner alongside four other organisations that supported development of the certification.
At Bridewell, we’re pleased to share that we’ve already implemented the DCC requirements in our own organisation and will be joining you on this certification journey. From our experience, we’ve compiled a set of practical steps you can follow:
- Understand Your Cyber Risk Profile (CRP)
  Start by confirming the CRP associated with your MOD contracts. This will help determine the DCC level you should be prepared for.
- Conduct a Gap Analysis
  Look at your current controls, policies, and processes. Do they meet the requirements for your assigned DCC level? Are they actually in place and effective, or just written down?
- Get Your Evidence in Order
  DCC is about proving what you do. This means collecting and maintaining evidence, for example training records, access logs, patching reports, and documented procedures.
- Train Your People
  Cyber resilience isn’t just a technology issue - your staff play a critical role. Make sure they’re aware of their responsibilities and know how to respond to incidents.
- Review Your Suppliers
  If you work with third parties, you’ll need to show that they’re also aligned with the right level of cyber assurance. This means doing your own supplier due diligence and keeping records.
- Don’t Leave It Too Late
  Even if certification isn’t mandatory for your current contracts, it may well be in the future. Starting early gives you time to address any gaps calmly and confidently.
What Are the Challenges with DCC?
At Bridewell, we know that getting certified isn’t always straightforward - especially if you’re a smaller supplier or working with legacy systems. Here are a few common challenges we can help organisations work through:
Interpreting the Controls
Some of the requirements, especially at Levels 2 and 3, can feel technical or unclear. Although a helpful jargon buster section has been provided, it’s not always obvious what “good” looks like - or how much evidence is enough.
Time and Resources
Preparing for certification takes time. Whether it’s reviewing policies or improving your logging and patching processes, it can be a stretch alongside business as usual.
Evidence Gaps
Many suppliers already do the right things - they just don’t document it. DCC expects evidence. Without it, you may find yourself repeating work that’s already been done.
Supply Chain Assurance
It can be difficult to validate the security of your subcontractors - particularly if they’re not used to working with MOD contracts. But it’s now part of your responsibility.
Key Takeaways
- DefStan 05-138 still defines what’s required - that hasn’t changed.
- DCC changes how that’s verified, replacing self-assessment with formal, independent certification.
- Your contract’s CRP determines the level of DCC certification you’ll need.
- Cyber Essentials (or Plus) is your entry point.
- Documentation and evidence are essential.
- Start now - even if your contracts haven’t asked for DCC yet.
Let’s Work Together
At Bridewell, we’re helping organisations across the UK assess their readiness, close the gaps, and prepare for certifications with confidence. Whether you need a full gap analysis, help interpreting the control requirements, or support getting your documentation in shape - we’re here to help.