// MOD Supply Chain

DCC LEVEL 0

Defence Cyber Certification (DCC) Level 0 — the entry-level certification for UK defence supply chain organisations assessed at Very Low cyber risk. Assessed against Def Stan 05-138 (Issue 4) by Vincent Cyber Defence, an IASME Approved Certification Body.

⚡ December 2026 Deadline

All MOD defence industry partners must achieve DCC Level 0 by 31 December 2026 — mandated by Eleanor Fairford, Director of Cyber Defence & Risk.

  • Certificate Validity: 3yr
  • Def Stan Assessed: 05-138
  • Def Stan Issue 4 (i4)
  • IASME Approved Body

// What Is DCC Level 0

DEFENCE CYBER CERTIFICATION EXPLAINED

The Defence Cyber Certification (DCC) is a comprehensive cyber security certification framework for UK defence suppliers, developed jointly by the Ministry of Defence (MOD). It strengthens the cyber resilience of the UK's defence supply chain, with Cyber Essentials at its core.

DCC Level 0 is the entry-level certification, designed for organisations with a Very Low assessed cyber risk profile. It is suitable for suppliers providing low-risk goods or services — requiring compliance with three basic controls.

As an IASME Approved Certification Body, Vincent Cyber Defence is authorised to deliver DCC Level 0 assessments and issue DCC certificates directly. Once certified, your organisation is published on the IASME public registry and receives a digital certificate and verifiable digital badge.

Who Is DCC Level 0 For?

  • Any organisation can apply — you do not need to be a current defence contractor
  • Suppliers whose MOD contract carries a Very Low Cyber Risk Profile (CRP)
  • Organisations certifying proactively ahead of future MOD opportunities
  • Businesses in the wider defence supply chain looking to strengthen their cyber posture

Is DCC Level 0 Currently Mandatory?

DCC is currently not mandatory. Applicants may still tender for MOD contracts via the normal process at this stage. However, Eleanor Fairford, Director of Cyber Defence & Risk at the MOD, has mandated that all defence industry partners achieve at least DCC Level 0 by 31 December 2026 — so early certification is strongly advised.

CERTIFY BEFORE YOU NEED IT

DCC certification is expected to become mandatory across all Defence procurement. Certifying now means you're ready when the requirement lands — not scrambling to catch up.

With the Cyber Security Model (CSM) in place, a DCC certificate also replaces the ad-hoc supplier questionnaires that MOD and prime contractors previously used — proving your cyber posture once, to a recognised standard, rather than answering bespoke requests for every contract.

  • ASSESSED AGAINST DEF STAN 05-138

    The cornerstone of the DCC scheme. Issue 4 expands scope to enhancing overall organisational resilience, aligned to the CAF framework and NIST and ISO standards.

  • CYBER ESSENTIALS IS MANDATORY

    A valid Cyber Essentials certificate — with scope aligned to your DCC scope — is a prerequisite. Misalignment between scopes will result in certification failure. CE Plus is not required at Level 0.

  • 3-YEAR CERTIFICATE VALIDITY

    Valid for three years with annual Cyber Essentials recertification and an annual attestation confirming controls are maintained and scope is unchanged.

  • LISTED ON THE MOD WEBSITE

    Once certified, your organisation is published on the IASME public registry and you receive a digital certificate and verifiable digital badge for use on your website or email footer.

// The Process

HOW DCC LEVEL 0 WORKS

1. CONFIRM CE SCOPE

Ensure you hold a valid Cyber Essentials certificate with a scope that aligns with your intended DCC assessment scope — misalignment will cause certification failure.

2. DEFINE DCC SCOPE

We review your scoping statement — covering what is included, excluded, and your rationale — and challenge it to ensure it is logical and clearly documented.

3. ASSESSMENT

We assess your organisation against the Def Stan 05-138 (Issue 4) controls, reviewing evidence and confirming compliance as an IASME Approved Body.

4. CERTIFIED ✓

Your DCC Level 0 certificate is issued. You receive a digital certificate and verifiable badge. Your organisation is published on the IASME public registry. Valid for 3 years.

// The Controls

WHAT YOU'RE ASSESSED AGAINST

Level 0 covers three controls drawn from Def Stan 05-138 (Issue 4). All three must be met — there is no partial pass.

Control 0001

CYBER ESSENTIALS

You must hold a current Cyber Essentials certificate issued to your organisation, with a scope that aligns to your DCC assessment scope. If CE is not in place or the scopes do not align, certification fails automatically — no further controls are assessed.

  • Valid CE certificate in your organisation's name
  • CE scope aligns to your DCC scope
  • Certificate current and not expired

Control 2314

UK GDPR COMPLIANCE

You must demonstrate that personal data is processed lawfully — with a named DPO, a clear privacy notice, consent records, and DPIA evidence where processing carries risk. You do not need to be perfectly GDPR-compliant, but no clear non-compliance should be evident.

  • Named DPO & privacy policy
  • Consent records & DPIA evidence
  • Data processing documentation

Control 2500

RESILIENT NETWORKS AND SYSTEMS

Resilience must be built into how your systems are designed, operated, and managed across their full lifecycle. Backup is central to this — you must back up critical data regularly, store copies offsite or in the cloud, and be able to demonstrate a successful restore.

  • Resilience policy or documentation
  • Offsite or cloud backups of critical data
  • Tested and evidenced restore capability

Automatic Failure Conditions

A missing or expired Cyber Essentials certificate, or a CE scope that does not adequately cover your DCC scope, results in immediate failure — no further controls are assessed.

// FAQ

DCC LEVEL 0 QUESTIONS

The Defence Cyber Certification (DCC) is a comprehensive cyber security certification framework for UK defence suppliers, developed jointly by the Ministry of Defence (MOD). It aims to strengthen the cyber resilience of the UK's defence supply chain, with Cyber Essentials at its core.

Level 0 is the entry-level certification, designed for organisations with a Very Low assessed cyber risk profile. It requires compliance with three basic controls and is suitable for suppliers providing low-risk goods or services — for example, non-technical goods, facilities management, or similar.

DCC is currently not mandatory. Applicants may still tender for MOD contracts via the normal process at this stage. However, compliance with the UK Defence standard is expected to become a requirement in all Defence procurement and contract activities — so early certification is strongly encouraged.

Yes. Cyber Essentials is a mandatory baseline requirement for DCC Level 0. Your Cyber Essentials certification scope must align with or overlap the scope of your intended DCC assessment — misalignment will result in certification failure. Note: Level 0 requires standard Cyber Essentials only — Cyber Essentials Plus is not required at this level.

DCC Level 0 is assessed against the Cyber Security Defence Standard — Def Stan 05-138. Its latest iteration, Issue 4, expands scope beyond protecting MOD-identifiable information to enhancing the overall resilience of an organisation against threats. It aligns to national and international standards, including the CAF framework and NIST and ISO standards.

Your DCC scope should include all essential functions and services necessary for your organisation to operate securely and resiliently. Non-essential parts of your organisation do not need to be included. You must provide a clear scoping statement outlining what is included and excluded, how it aligns with your Cyber Essentials scope, and the rationale behind your decisions. We will review and challenge your scope to ensure it is logical and clearly documented.

Yes — the DCC Level 0 certificate covers all of your contracts at or below the certified level. This streamlines the process by requiring only one assessment rather than separate assessments for each individual contract.

Your DCC certificate is valid for three years. You must re-certify annually to Cyber Essentials and complete an annual attestation confirming you are meeting and maintaining the controls and that your scope has not significantly changed. Normal organisational changes are considered routine and do not typically require recertification — however, significant changes should be reviewed with us to determine whether the scope has been substantially impacted.

The MOD determines the required certification level based on the nature and sensitivity of the contracted work — its Cyber Risk Profile (CRP). This will be decided by the MOD or your Prime contractor. If you are unsure of your required level, speak to us and we can help clarify this before you start the process.

Control 2314 requires you to demonstrate that personal data is processed lawfully under UK GDPR. This means having a named Data Protection Officer, a clear privacy notice, consent records, and DPIA evidence where processing carries risk. You do not need to be perfectly GDPR-compliant — the assessor is looking for suitable policies and processes and no clear evidence of non-compliance. If you already have a basic data protection framework in place, this control is unlikely to present a significant challenge.

Control 2500 (Resilient Networks and Systems) requires you to demonstrate that cyber resilience is built into your systems across their full lifecycle. Backup is a core part of this — you must show that critical data is backed up regularly, stored offsite or in the cloud (separate from your live environment), and that restores have been tested and work. Untested backups are not accepted as evidence of resilience. If you cannot demonstrate a successful restore, you cannot demonstrate you would recover from an incident.

We specialise in DCC Level 0 assessments. If your MOD contract requires Level 1, 2, or 3, you will need to work with a Certification Body accredited for those higher levels. We are happy to advise you on this and help point you in the right direction.

START YOUR DCC LEVEL 0 ASSESSMENT

Before reaching out, confirm you hold a valid Cyber Essentials certificate with a scope that covers your intended DCC scope. Then contact our UK team — no jargon, no hard sell.
