WHAT IS DEFENCE CYBER CERTIFICATION?

Defence Cyber Certification (DCC) is the Ministry of Defence's framework for managing cyber security across its supply chain. Introduced under the Cyber Security Model (CSM) v4, it creates a tiered system of certification requirements aligned to the cyber risk profile of each supplier engagement. DCC replaces earlier ad hoc approaches and makes cyber security compliance a formal, contractual requirement for MOD suppliers at every tier.

WHAT IS DCC LEVEL 0?

DCC Level 0 is the entry-level certification within the DCC scheme, designed for organisations with a Very Low assessed cyber risk profile — suitable for suppliers providing low-risk goods or services such as non-technical goods or facilities management. It is assessed against Def Stan 05-138 (Issue 4). Cyber Essentials is a mandatory prerequisite: your CE certificate scope must align with your DCC scope before you can begin.

As an IASME Approved Certification Body, Vincent Cyber Defence is authorised to assess and issue DCC Level 0 certificates directly.

WHAT IS DEFCON 658?

DEFCON 658 is the MOD standard contractual condition that references the DCC certification requirement. When it appears in a contract, it signals that DCC certification is expected. For Very Low risk organisations, that means DCC Level 0. DCC is not currently mandatory across all MOD contracts, but compliance is expected to become a universal requirement — organisations should certify proactively.

WHAT IS THE CYBER SECURITY MODEL (CSM) V4?

The Cyber Security Model v4 is the MOD's framework for assessing and managing cyber risk across its supply chain. It assigns a risk profile to each supplier engagement — Very Low, Low, Medium, High, or Very High — and maps a required DCC certification level to each profile. The profile is determined by the MOD based on the nature of your contract, the data you handle, and the systems you access.

HOW IS DCC LEVEL 0 DIFFERENT FROM CYBER ESSENTIALS?

  • Purpose — Cyber Essentials is a general UK Government-backed scheme; DCC Level 0 is specifically for the MOD supply chain
  • Prerequisite — Cyber Essentials is a mandatory prerequisite for DCC Level 0. Your CE scope must align with your DCC scope — misalignment results in certification failure. CE Plus is not required at Level 0.
  • Validity — DCC Level 0 certificates are valid for three years; during that period, annual Cyber Essentials recertification and an annual attestation confirming ongoing compliance are required
  • Recognition — DCC Level 0 is specifically recognised by the MOD under DEFCON 658; standard Cyber Essentials alone is not sufficient for MOD contracts requiring DCC

WHO NEEDS DCC LEVEL 0 IN 2026?

  • SMEs and new entrants to the MOD supply chain assessed as Very Low risk
  • Organisations bidding for MOD contracts that reference DEFCON 658
  • Sub-contractors to prime MOD contractors where supply chain flow-down requirements apply
  • Businesses planning to tender for defence work and wanting to be ready in advance

Key point: DCC Level 0 must be held at the time of contract award — not after. If you are planning to bid for MOD work, get certified before the tender closes, not after you win. Contact us to start the process today.

HOW TO GET DCC LEVEL 0 CERTIFIED

DCC Level 0 assessments can only be delivered by IASME Approved Certification Bodies. The process covers scoping your organisation against the DCC requirements, a gap analysis to identify any areas needing attention, a guided assessment, and issuance of your three-year DCC Level 0 certificate. We can deliver Cyber Essentials and DCC Level 0 together in one integrated process — the most efficient approach for MOD suppliers.

Need help getting certified? Vincent Cyber Defence is an IASME Approved Certification Body. We guide UK businesses through Cyber Essentials, Cyber Essentials Plus, and DCC Level 0 — plain-English support throughout.