WHAT IS DCC LEVEL 0?

Defence Cyber Certification (DCC) is the Ministry of Defence's framework for managing cyber security across its supply chain. DCC Level 0 is the entry-level certification within the scheme, designed for organisations with a Very Low assessed cyber risk profile. It is assessed against Def Stan 05-138 (Issue 4). DCC is not currently mandatory, but is expected to become a requirement across all MOD procurement — certifying now is strongly recommended.

Cyber Essentials is a mandatory prerequisite for DCC Level 0 — you must hold a valid CE certificate with a scope that aligns to your DCC scope before applying. DCC Level 0 is then assessed against Def Stan 05-138 (Issue 4), with MOD-specific requirements and context for the defence supply chain. It is delivered and certified by IASME Approved Certification Bodies — including Vincent Cyber Defence.

WHY WAS DCC INTRODUCED?

The MOD recognised that its supply chain represented a significant cyber risk. Many cyber attacks on defence organisations target smaller suppliers with weaker security rather than attacking the MOD directly. DCC was introduced to raise the baseline of cyber security across all organisations that work with the MOD, regardless of size.

WHAT IS DEFCON 658?

DEFCON 658 is a MOD standard contractual condition that references the Cyber Security Model. When DEFCON 658 appears in a contract, it means you are required to hold and maintain an appropriate DCC certification. For organisations with a "Very Low" risk profile, that means DCC Level 0.

DEFCON 658 references the DCC certification requirement in MOD contracts. DCC is not currently mandatory, but is expected to become a requirement across all Defence procurement — early certification is strongly encouraged.

WHAT IS THE CYBER SECURITY MODEL (CSM) V4?

The Cyber Security Model is the MOD's framework for assessing and managing cyber risk in its supply chain. Version 4 updated the requirements and introduced the DCC certification scheme. Under CSM v4, all MOD suppliers are assessed for cyber risk and assigned a profile — Very Low, Low, Medium, High, or Very High. The required DCC certification level corresponds to this risk profile.

  • Very Low risk: DCC Level 0 (Cyber Essentials-based)
  • Low risk: DCC Level 1 (additional controls)
  • Medium and above: Higher DCC levels with more rigorous requirements

HOW IS DCC LEVEL 0 DIFFERENT FROM CYBER ESSENTIALS?

As noted above, Cyber Essentials is a mandatory prerequisite for DCC Level 0; it is not incorporated within the DCC process itself. The key differences between CE and DCC Level 0 are:

  • MOD supply chain-specific context and requirements
  • Additional questions relevant to the defence environment
  • A 3-year certificate validity (versus 1 year for standard CE)
  • Formal recognition within the DEFCON 658 / CSM framework

In practice, many of the technical controls are the same — but the certification is specifically recognised by the MOD for defence supply chain purposes.

WHO NEEDS DCC LEVEL 0?

  • SMEs and new entrants to the MOD supply chain
  • Organisations bidding for MOD contracts that reference DEFCON 658
  • Suppliers assessed as "Very Low" cyber risk under CSM v4
  • Businesses working toward prime contractor requirements in defence

Important: DCC is not currently mandatory, but is expected to become a requirement across all MOD procurement. Certifying now means you are ready when the requirement is confirmed — not scrambling to catch up at tender time.

HOW LONG IS THE CERTIFICATE VALID?

DCC Level 0 certificates are valid for three years — significantly longer than the 12-month validity of standard Cyber Essentials. This means less frequent renewal overhead for defence suppliers, while still maintaining a meaningful assurance standard.

There is an important annual obligation, however. You must re-certify to Cyber Essentials every year and complete an annual attestation confirming that your controls are still in place and your scope has not significantly changed. The three-year DCC certificate does not remove the need for annual CE renewal — it runs alongside it. If your CE certificate lapses, your DCC certification is at risk.

HOW DO I GET DCC LEVEL 0 CERTIFIED?

DCC Level 0 assessments can only be delivered by IASME Approved Certification Bodies. Vincent Cyber Defence is approved to deliver DCC assessments and issue DCC Level 0 certificates directly. Our process covers scoping, gap analysis, guided assessment, and certification — with a focus on first-time pass and minimal disruption to your team.
