Gareth Shaw, MD Pera Prometheus
Key Takeaways
- Defence Cyber Certification (DCC) certification is now formally accepted by MOD as proof of DEFCON 658 conformance. Industry Security Notice (ISN) 2026/02 puts this on the record for the first time.
- ISN 2026/01 confirms that CSM scope means “whole of organisation” as applied to business-critical operations.
- Where a specific control may not obviously apply, suppliers discuss and agree this with the DCC Certifying Body; they do not self-determine scope.
- DCC Level 0 is anticipated to become the baseline requirement for all defence suppliers.
- DCC certification at a higher level is deemed to satisfy all lower-level requirements.
- Additional requirements, e.g. Secure by Design controls, are additive and do not reduce the scope of controls for the Cyber Security Model (CSM) or DCC.
- ISN 2026/01 does not replace any additional Defence or Government requirements, e.g. Protection of Classified Information etc. Where such requirements exist, they will be covered separately.
Defence Cyber Certification (DCC) launched in May 2025, but its validity as proof of conformance with the Cyber Security Model (CSM) was not formally acknowledged by MOD until now (30 Mar 2026).
In addition, there has been a degree of confusion as to the scope and breadth of applicability of the CSM and the differing requirements between CSM and DCC.
On 30 March 2026, MOD issued ISN 2026/01 and ISN 2026/02, the former clarifying what the standard covers in terms of scope, the latter instructing MOD buyers to accept DCC certification as evidence of conformance to the CSM. This post explains both, and what they mean for your organisation.
The Compliance Chain: A Quick Reminder
DEFCON 658 is the contractual condition requiring defence suppliers to demonstrate cyber resilience throughout their supply chain within an assigned Cyber Risk Profile Level (CRP), the controls for which are described in DEFSTAN 05-138 Issue 4.
DEFSTAN 05-138 Issue 4 underpins the Cyber Security Model version 4 (CSM v4).
The Defence Cyber Certification (DCC) scheme is the independent certification route that allows suppliers to prove they meet those controls, assessed by an approved, independent, certifying body at one of four levels (0 to 3), corresponding to their Cyber Risk Profile Level (CRP).
Until the release of ISN 2026/01 and 2026/02, the formal relationship between DCC certification and DEFCON 658 was unclear. That changed on 30 March 2026.
For a full breakdown of how CSM v4 works and what changed from earlier versions, see our CSM Version 4 guide for defence suppliers.
ISN 2026/01: What “Whole of Organisation” Actually Means
One of the persistent areas of uncertainty around DEFSTAN 05-138 Issue 4 has been scope. ISN 2026/01, issued in response to industry requests for clarification, provides an interim update to the standard’s covering narrative. It confirms four principles that define how the standard applies.
- The whole organisation — applied to business-critical operations. Requirements apply across the supplier as a single legal entity, but only in relation to business-critical operations: those activities, systems, assets and processes whose unavailability or compromise would materially affect the supplier’s ability to operate and, in turn, to support UK Defence. Non-business-critical operations fall outside the scope of CSM and DCC.
- Proportionate and risk-based. The minimum controls required are determined by the CRP level assigned through the CSM, not by the supplier’s own internal risk assessment. What matters is the level MOD assigns, not the level an organisation believes it sits at.
- Infrastructure-agnostic. Controls apply irrespective of whether systems are on-premises, cloud-hosted, or reliant on third-party services. Where business-critical operations depend on third parties, suppliers must implement appropriate contractual or assurance measures to evidence that controls are flowed down and met.
- Applicable to any organisation. Any supplier, of any size or structure, can comply. Where a specific control may not reasonably apply, this should be discussed with the DCC certifying body which can determine a proportionate interpretation without weakening the intent of the standard. Suppliers do not self-determine these exceptions.
ISN 2026/01 also makes clear that DCC certification applies only to the legal entity assessed. It does not automatically extend across wider corporate groups unless a group-level arrangement is explicitly approved via the DCC certification body. This matters for prime contractors and large enterprises with complex group structures, and for SMEs operating through holding companies alike.
For more on how DEFSTAN 05-138 Issue 4 sits within the wider compliance picture, see our post on Understanding DEFSTAN 05-138 Issue 4.
ISN 2026/02: DCC Is Now Formally Accepted Under DEFCON 658
ISN 2026/02 is the more significant of the two notices. It formally confirms that a supplier holding valid DCC certification at the appropriate level may submit that certificate as assured evidence of conformance with DEFSTAN 05-138 under DEFCON 658. Critically, it also formally instructs MOD buyers managing their supply chains to accept that certification as satisfaction of the compliance requirement.
The mapping between DEFSTAN 05-138 Issue 4 CRP levels and DCC levels is as follows:
| DCC Level | CRP Level 0 | CRP Level 1 | CRP Level 2 | CRP Level 3 |
|---|---|---|---|---|
| DCC Level 0 | Fully Compliant | Not compliant | Not compliant | Not compliant |
| DCC Level 1 | Fully Compliant | Fully Compliant | Not compliant | Not compliant |
| DCC Level 2 | Fully Compliant | Fully Compliant | Fully Compliant | Not compliant |
| DCC Level 3 | Fully Compliant | Fully Compliant | Fully Compliant | Fully Compliant |
Certification at a higher level is accepted as full satisfaction of all lower levels. A supplier certified at DCC Level 3 meets every CRP level requirement. Where suppliers are not yet certified, the Cyber Improvement Plan (CIP) mechanism remains available to manage compliance under contract while remediation is underway.
For a detailed explanation of the DCC scheme, what each level requires, and how to prepare, read our Defence Cyber Certification guide.
What the ISNs Don’t Say: A Scoping Gap SROs Should Note
ISN 2026/01 confirms that where specific controls may not reasonably apply, the supplier and the DCC certifying body can agree a proportionate interpretation of scope. ISN 2026/02 then instructs Senior Responsible Owners (SRO) and buyers to accept the resulting certificate as full compliance evidence. What neither ISN addresses is transparency.
There is no requirement in the current framework for the certifying body to notify the SRO or the MOD project team that the assessed scope was altered from the full CSM scope requirement. An SRO receiving a valid DCC certificate is instructed to accept it, but has no mechanism to understand which business-critical operations were included in the assessment and what exclusions may have been agreed, unless the scope and, more importantly, any exclusions are detailed on the certificate.
In practical terms: a supplier’s CSM scope and their DCC certified scope could be materially different, and the SRO would be none the wiser. This is not a flaw in how the DCC scheme operates; certifying bodies apply appropriate professional rigour to scope decisions. It is a gap in how that assurance connects back to MOD’s own risk ownership chain.
The ISNs do remind SROs to take additional notice of organisational resilience requirements, but that instruction concerns remediation timescales, not scoping visibility.
It is worth MOD considering whether a light-touch disclosure mechanism, making agreed scope boundaries visible to the SRO, would strengthen rather than complicate the framework. Until then, SROs would be well advised to ask the question directly.
What This Means in Practice
For prime contractors, ISN 2026/02 is a direct instruction. If a supply chain company holds valid DCC certification at the appropriate level, you are required to accept it as compliance evidence under DEFCON 658. You cannot reasonably request additional assurance at the same level. The ISN also reinforces that group-level certification does not cascade to subsidiaries or subcontractors. Each entity in your supply chain must hold its own certification at the required level.
For SMEs and Tier 2 suppliers, your DCC certificate is now potentially your formal compliance passport. Obtain it at the level matching your highest CRP requirement across all active contracts, maintain it as current and valid, and submit it as your DEFCON 658 evidence. ISN 2026/01 also signals that Level 0 certification is expected to become the baseline requirement for all defence suppliers, making it the minimum starting point for any organisation engaged on UK Defence contracts, regardless of contract type.
For all suppliers, where you hold contracts at different CRP levels, your DCC certification must meet the highest level required across all of them. Certification at a higher level covers everything below it.
If you are not yet certified, now is the time to begin the readiness process. Our step-by-step DCC readiness roadmap sets out exactly where to start.
Ready to Take the Next Step?
These two ISNs bring a degree of clarity, but for many organisations they will also prompt hard questions about where current DCC readiness actually sits. At Pera Prometheus, we work with defence suppliers at every tier from SMEs preparing for Level 0 through to large enterprises managing complex supply chain assurance requirements. Get in touch and let’s talk through where you are.
Frequently Asked Questions
Q: Does holding DCC certification mean I no longer need any other compliance paperwork under DEFCON 658?
A: For DEFSTAN 05-138 controls, yes. Your DCC certificate is the accepted evidence. Additional requirements may still apply under contract-specific Security Aspects Letters (SAL), or for system security, classified data, or operational technology.
Q: My organisation holds several defence contracts at different CRP levels. Which DCC level do I need?
A: You must certify at the highest CRP level required across all your contracts. That level satisfies all lower requirements automatically.
Q: What does “business-critical operations” mean for scope purposes?
A: Activities, systems, and processes whose compromise or unavailability would materially affect your ability to operate. Each organisation determines this for itself but must be able to justify it to the DCC certifying body.
Q: Can a parent company’s DCC certification cover its subsidiaries?
A: No. DCC certification applies only to the legal entity assessed. Group-level coverage requires explicit approval from the DCC certification authority.
Q: What if some DEFSTAN 05-138 controls genuinely don’t apply to how we operate?
A: Raise it with your DCC certifying body. They are authorised by MOD to determine a proportionate interpretation.
Stay Safe, Stay Secure