Official DCC Certification Body
(Levels 0 to 3)
(Levels 0 to 3)
RightCue has been appointed by the UK Ministry of Defence (MOD) and IASME as an official Certification Body for the Defence Cyber Certification (DCC), authorised to deliver Levels 0, 1, 2 and 3. This guide explains what the DCC scheme is, who needs it, how the four levels work, what the assessment involves, and how to prepare. It is written for business owners, bid teams and security leads in the UK defence supply chain who want a clear, practical reference.
Understanding the DCC scheme
What is the Defence Cyber Certification (DCC)?
The Defence Cyber Certification (DCC) is a cyber security certification framework for UK defence suppliers. It was developed by the UK Ministry of Defence (MOD) and is delivered through IASME, the MOD's official cyber certification partner. The scheme is part of a wider national effort to strengthen the cyber resilience of the UK's defence sector and its supply chain.
In simple terms, DCC gives your organisation a single, recognised way to demonstrate that you take cyber security seriously. It provides a visible badge of assurance that you can present in support of UK defence procurements, and that gives buyers confidence in how you protect your business.
Who created and runs the DCC scheme?
The MOD owns the requirement and IASME delivers the scheme on its behalf. IASME manages the framework through a network of approved Certification Bodies. RightCue is one of those Certification Bodies, authorised across all four levels. As your Certification Body, we assess your submission and award the certificate when the requirements are met.
What problem does DCC solve?
Previously, cyber security for defence suppliers was assessed contract by contract. Every new contract could mean another round of separate, often duplicated, cyber checks. That approach was slow, repetitive and focused narrowly on protecting MOD Identifiable Information rather than the health of the supplier as a whole.
DCC changes the focus. Instead of assessing a single contract, it looks at the overall security and resilience of your organisation. You achieve one organisation-level certification that you can use in support of multiple defence procurements. This removes duplicated auditing and makes bidding for several contracts far more efficient.
What standards is DCC based on?
DCC brings together several established defence and cyber security standards into one assessable scheme. It is built on the uplifted UK Defence Standard DefStan 05-138 issue 4, which sets out the cyber controls suppliers must achieve at each level. It aligns with the National Cyber Security Centre’s Cyber Assessment Framework (CAF) and the MOD’s Cyber Security Model, and the question set is drawn from the MOD Supplier Assurance Questionnaire (SAQ). Cyber Essentials sits at the core of every level.
It is worth noting the shift from DefStan 05-138 issue 3 to issue 4. Issue 3 was built around protecting MOD Identifiable Information. Issue 4 focuses on whole organisation security and resilience, which means more of your business is likely to be considered than under the old approach.


Who needs DCC and why?
DCC is aimed at organisations in the UK defence supply chain. This includes current defence contractors who already bid for and deliver MOD work, and potential defence contractors who want to start bidding for MOD contracts. If your organisation supplies, or wants to supply, goods or services into the defence sector, DCC is relevant to you.
Is DCC mandatory? Do I need it to bid for MOD contracts?
DCC is not yet a formal contractual requirement to bid for MOD contracts. However, this is changing. In May 2026 the MOD’s Director of Cyber Defence & Risk asked all defence industry partners to achieve DCC Level 0 by 31 December 2026 – a requirement that includes holding Cyber Essentials for all applicable business-critical systems within scope.
Higher levels (1–3) are not mandated for this deadline. The level you need for a given piece of work continues to be assigned by the MOD or your Prime based on cyber risk, and where higher levels are required lower in the supply chain, these are expected to follow after 31 December 2026.
In short: Level 0 should now be treated as a near-term baseline expectation across the MOD supply chain, even where it is not yet written into an individual contract. Certifying early demonstrates maturity, reduces friction in future bids and puts you ahead of defence partners who have not yet acted, so we strongly recommend starting now rather than waiting.
Why should my organisation get certified?
Certification delivers several practical benefits
A single organisation-wide certification that supports multiple contracts, replacing repeated per-contract assessments.
Demonstrates compliance with MOD cyber security expectations in a structured, government-recognised way.
Stand out from uncertified defence suppliers and achieve greater efficiency across multiple bids.
Removes the repeated, contract-by-contract cyber checks that the old per-contract approach required.
Builds stronger, more resilient security practices across your entire organisation, not just the parts touching one contract.
The MOD has asked all defence partners to reach DCC Level 0 by 31 December 2026. Certifying now keeps you ahead of that timeline and any further regulation to follow.
The four DCC levels
What are the DCC certification levels?
There are four levels, from Level 0 to Level 3. The level you need depends on the cyber risk associated with the work you do. As the assessed risk increases, so does the number of controls, the depth of evidence required and the seniority of the assessor. The number of controls rises from 3 at Level 0 to 144 at Level 3. Every level begins with Cyber Essentials.
| Level | Who it is for | Controls | Foundation required |
|---|---|---|---|
| Level 0 |
Low assessed cyber risk
Entry point, focused on the broad goal of resilience.
|
3 controls | Cyber Essentials |
| Level 1 |
Low to moderate assessed cyber risk
A comprehensive programme of good practice.
|
101 controls | Cyber Essentials |
| Level 2 |
High assessed cyber risk
Advanced oversight and planning, with a physical site visit.
|
139 controls | Cyber Essentials Plus |
| Level 3 |
Substantial assessed cyber risk
Expert capability, automation and security maturity.
|
144 controls | Cyber Essentials Plus |
Each Level 0 certification covers Cyber Essentials plus a small number of additional controls. The higher levels add progressively more controls on top of Cyber Essentials or Cyber Essentials Plus. Levels 2 and 3 require Cyber Essentials Plus and include a likely site visit with greater emphasis on automation and security maturity.
What level do I need?
The level is driven by the cyber risk of the defence work you deliver. Each defence project carries a cyber risk assessment that defines the security measures required of its suppliers. Lower-risk work points to Level 0 or 1, while higher-risk work calls for Level 2 or 3. If you are unsure, we can help you interpret the requirement and identify the right level before you commit.
Do I have to start at Level 0 and work up?
No. The scheme is flexible. You can jump straight to the level you need, upgrade later, or progress through the levels over time. You do not need Level 0 before pursuing Levels 1 to 3. We will recommend the most sensible route based on your situation.
Note that a certificate is only valid for the level it is awarded at, a Level 0 certificate does not satisfy a contract that requires Level 2, for example.
Level 0 is the baseline the MOD has asked all defence partners to reach, while the specific level for a given contract is assigned by the MOD or your Prime.
DCC and Cyber Essentials
Do I need Cyber Essentials before I can get DCC?
Yes. Cyber Essentials is the first requirement for every DCC level, and it sits at the core of the scheme. Levels 0 and 1 require Cyber Essentials, while Levels 2 and 3 require Cyber Essentials Plus. You do not have to complete Cyber Essentials at exactly the same time as DCC, but you must hold a valid certificate that covers the right scope, and you must commit to maintaining it.
How does my DCC scope relate to my Cyber Essentials scope?
These are two separate schemes with different objectives, and their scopes must line up. Cyber Essentials focuses on the internet-connected IT that supports your business. DCC is broader and includes systems that Cyber Essentials does not reach, such as air-gapped devices, entry control systems and HVAC systems.
The rule to remember is that your DCC scope must either contain or overlap with your Cyber Essentials scope. Any internet-connected component inside your DCC scope is automatically part of your Cyber Essentials scope. If the two scopes do not align, the assessment will fail, so it is worth planning your Cyber Essentials scope with DCC in mind. If you hold multiple Cyber Essentials certificates, they can be considered together.
Scoping your certification
What should be included in my DCC scope?
Determining the correct scope is the first and most important step of certification. DCC scope is based on your whole organisation, meaning the company or legal entity responsible for delivering the service to the MOD. That does not mean every single part of the business, but it does mean every essential service and function needed to keep the organisation running.
In practice, systems such as HR, IT and stock management are usually in scope, because the business depends on them. Non-essential areas, such as a staff cafeteria or vending machines, are usually out of scope, unless your organisation genuinely relies on them to function. A useful test is to ask what would happen if a system were unavailable for a day, a week or a month, and whether the business could continue to operate effectively without it.
Five key elements when defining your DCC scope
Every essential part of your organisation that keeps it running must be considered
All systems and devices — whether internet-connected or not, including OT and air-gapped equipment.
Processes and systems that directly support the delivery of your services and products.
Internal management and operational support functions such as HR, finance and procurement.
All physical sites your organisation works from, including offices, facilities and remote locations.
All staff, visitors and third parties who have access to your systems, data or physical sites.
What about Operational Technology (OT)?
Operational Technology should be in scope when it is essential to your operations. For example, if you run CNC machines continuously as a core service, those systems belong in scope. If a machine is only used occasionally for non-essential tasks, it may be excluded. The deciding factor is always how important the system is to your ability to function.
Where OT is in scope, not every control may be technically possible. If anti-malware software cannot be installed on a particular machine, for example, the assessor can take that limitation into account. You would then need to explain why the control cannot be applied and show the alternative or compensating measures you have put in place.
What is a scoping attestation?
Once you have determined your scope, you must document it in a formal attestation. This is a signed statement, made by an authorised person such as the CEO or CISO, confirming that all essential services and functions are within scope and that the information provided is accurate and complete. It should list your sites and their functions, your IT and OT networks and systems, your devices and data storage, and include scoping diagrams showing what is inside and outside the DCC scope, along with Cyber Essentials coverage.
What happens if I get my scope wrong?
Scoping mistakes are the most common reason certification fails. If you under-scope, leaving out something essential, you will fail even if every required control has been met. Your scope will be reviewed and discussed with your assessor, who may challenge it to make sure it is appropriate and sufficient. This is exactly why it pays to get scoping right at the start, and why we discuss and agree scope with you before you submit. Your scope should also stay consistent across all levels.
The certification process – How does DCC certification work, step by step?
The Level 0 journey follows four clear stages:
Stage 1: Initial enquiry
You get in touch with RightCue and we help you understand the scope for your assessment. A valid Cyber Essentials certificate that covers the right scope needs to be in place.
Stage 2: Self-assessment and evidence collection.
You complete your answers on the assessment platform and gather supporting evidence covering your Cyber Essentials scope, data security basics, GDPR practices, and network and system resilience.
Stage 3: Documentation review and video call
Our assessor holds a video session with you to discuss the evidence, clarify any scope differences and review your documentation.
Stage 4: Certification decision.
Based on your evidence, we determine the outcome. A successful Level 0 assessment results in a certificate valid for 36 months.
Levels 1 to 3 follow a similar path but in more depth. You and your Certification Body discuss and agree the scope first, then you complete a larger set of answers and evidence appropriate to the level, with Levels 2 and 3 including a likely physical site visit.
What is assessed at Level 0?
Level 0 concentrates on the broad goal of resilience. The assessment looks at four areas: your Cyber Essentials certification and scope, your UK GDPR and data governance practices, your data security basics, and the resilience of your networks and systems. Level 0 carries a 100 percent pass mark, so every required control must be met.
What evidence will I need to provide?
You are responsible for demonstrating that you meet each control, describing how you meet it and providing supporting evidence. Evidence can include policy and process documents, screenshots, asset registers and similar records. Most of it should come from documents you already have, which keeps the workload down. The amount of detail expected scales with the size of your organisation and the level you are seeking.
How much help can my Certification Body give me?
Your Certification Body can guide you, but cannot do the work for you, because we later assess that same work. We may explain the scheme and its levels, explain the controls and how to meet them, clarify questions, describe the evidence needed and verify your scope. We may not implement policies for you, answer questions on your behalf, prepare your answers or evidence, or supply completed documentation. This separation keeps the certification credible and independent.
Validity, renewal and classified data
How long does DCC certification last?
DCC certification is valid for three years, or 36 months. To keep it valid you must complete an annual check-in and attestation, and maintain your underlying Cyber Essentials or Cyber Essentials Plus certification. You then recertify every three years.
Does DCC cover classified data or specific projects?
No. DCC is not intended to address classified data, individual products or specific projects. Its purpose is to confirm that your organisation is resilient enough to keep functioning effectively in the event of a cyber incident. You may receive a Security Aspects Letter (SAL) setting out additional requirements that go beyond DCC. If a highly classified system falls within your scope, the assessor will not evaluate the classified data itself, but will expect to see proportionate controls and evidence of how the supporting network is managed and secured.
FAQs
No. DCC does not replace Secure by Design, ISO 27001 or other standards. It sits alongside them as the MOD’s structured way of assessing cyber resilience across the defence supply chain.
No. The MOD is not notified of failed assessment attempts. A failed assessment is handled between you and your Certification Body, and you can address the gaps and try again.
For now, suppliers can choose to continue using the MOD Supplier Assurance Questionnaire (SAQ). DCC is based on that same question set, so much of your work is transferable. Over time, DCC provides a more consistent and reusable route to demonstrating cyber resilience.
The cost depends on the level you pursue and the size of your organisation, since both affect the depth of assessment involved. We will give you a clear, fixed picture of the investment once we understand your scope and target level. Please get in touch and we will talk you through it.


Defence Cyber Certification: common questions
Quick answers to the questions defence suppliers ask us most
Who needs Defence Cyber Certification?
What is the difference between Defence Cyber Certification and Cyber Essentials?
Who certifies organisations for Defence Cyber Certification?
How long does Defence Cyber Certification take to achieve?
How RightCue can help
RightCue is an official DCC Certification Body across Levels 0 to 3, and we believe cyber security should enhance your business rather than obstruct it. We help suppliers across regulated industries put in place meaningful security programmes that meet evolving standards like the DCC.
Whether you are bidding for your first MOD contract or strengthening your position for larger work, we can help you choose the right level, get your scope right the first time, and move through assessment smoothly. The biggest hurdle for most applicants is scoping, and that is exactly where our early guidance saves you time and avoids a failed submission.
If you would like to understand which DCC level is right for you, or to begin the certification process, we are happy to have a quick conversation. Please get in touch and we will help you plan the most sensible route.
RightCue is an expert in cyber security compliance – with over 15 years’ experience helping organisations achieve certifications, increase cyber resilience and mitigate risk. With that experience comes an intricate understanding of business and what organisations need to succeed when it comes to cyber security. As a cyber security consultancy and Cyber Essentials Certification Body, RightCue is ideally positioned to help you with your compliance journey.
RightCue Consulting Services
The Square, Basing View, Basingstoke, Hampshire, RG21 4EB
Telephone: +44 (0)1256 744 780
Email: [email protected]
Web: www.rightcue.com



