Why DCC exists
The MOD’s previous approach to cyber security across its supply chain relied heavily on self-assessment. Suppliers would confirm they met certain standards, sign a declaration, and that was broadly it. The problem is obvious in hindsight: self-assessment creates a compliance culture rather than a security culture. Organisations tick boxes rather than fix problems.
Defence Cyber Certification changes that. Under DCC, an independent Certification Body assesses your organisation against a defined set of controls and issues the certificate. You can’t certify yourself. The assessment has to be done by a body authorised by IASME, which operates the scheme on behalf of the MOD.
Idela is one of those bodies, authorised at Level 0 and Level 1.
The four levels
DCC has four levels. Each one covers more controls and applies to organisations with greater cyber risk in their contracts. The MOD assigns each supplier a Cyber Risk Profile based on the nature of their work; that profile determines which level you need.
Level 0 covers three controls and applies to organisations with the lowest cyber risk profile. It’s designed for suppliers whose work doesn’t involve sensitive data or systems but who are still in the MOD supply chain. Cyber Essentials is a prerequisite.
Level 1 covers 101 controls across governance, risk management, access control, incident response, personnel security, and supplier management. It’s the standard most organisations working on MOD contracts will need. It also requires Cyber Essentials as the baseline.
Level 2 covers 139 controls and applies to organisations handling significant cyber risk, including access to MOD systems or classified data. It requires Cyber Essentials Plus (CE Plus) rather than standard Cyber Essentials.
Level 3 is the highest tier, at 144 controls, for the most sensitive defence work. It also requires CE Plus.
Idela certifies at Level 0 and Level 1. If you need Level 2 or 3, we’ll tell you that on the readiness call and point you toward the right CB.
Self-assessment is gone. DCC certificates are issued by authorised Certification Bodies only. If a contract specifies DCC, you can’t meet that requirement by filling in a form yourself.
Does your organisation need it?
The answer is almost certainly yes if any of these apply:
- You have a direct contract with the MOD, DE&S, DIO, or DSTL
- You supply to a prime contractor: BAE Systems, Babcock, QinetiQ, Leonardo, Rolls-Royce
- Your contract contains references to DCC, DefStan 05-138, or a Cyber Risk Profile
- You’re bidding for MOD contracts and want to meet the standard before it’s mandated
If none of those apply and you’re purely in the commercial sector, DCC probably isn’t relevant to you right now. Cyber Essentials likely is, though.
The role of Cyber Essentials
Cyber Essentials is a prerequisite for DCC at every level. You can’t hold a DCC certificate without a valid CE certificate. That’s not a formality; it’s built into the scheme structure.
The practical upside is that if you already hold CE, you’ve completed the first step toward DCC. We can often fast-track Level 0 for CE-certified organisations. For Level 1, CE is still required but the substantive work is in the 101 DCC controls themselves.
What the process looks like
A DCC assessment isn’t a questionnaire you fill in and submit. It’s evidence-based. For Level 1 you’ll complete an Assessment Submission Record covering every control, supported by documentation: policies, access reviews, patch records, firewall configurations, incident response procedures, training records.
At Idela we do a readiness review before formal assessment begins. We want to see your evidence pack before we open the assessment on the portal, because the IASME fee is charged per assessment opened, not per certificate issued. If there are gaps, we’d rather find them in the readiness review than mid-assessment.
Level 0 is typically straightforward for a prepared organisation. Level 1 usually takes six to ten weeks depending on how much documentation already exists.
What to do next
If you’re not sure which level applies to your organisation, the fastest way to find out is the free readiness call. Bring whatever contract language you have; we’ll confirm your Cyber Risk Profile and give you a clear picture of what’s required.
You can also take the free DCC Readiness Assessment first, which covers 12 questions and produces a shareable report.