Defence Cyber Certification: Certify Before You Bid 

Key Takeaways

  • Defence Cyber Certification (DCC) is an IASME certification, developed in collaboration with MOD, for the UK Defence supply chain, announced in May 2025.
  • DCC provides evidence, in the form of a recognised certificate, that your business meets MOD assurance expectations against pre-approved criteria.
  • DCC is awarded against four risk levels (0 to 3), so you can certify at a level that matches your risk and the contract or collaboration you are pursuing.
  • Cyber Essentials is required to achieve all DCC levels; Levels 2 and 3 require Cyber Essentials Plus.

With the demise of the UK MOD accreditation process, the ability to demonstrate that a business conformed to MOD assurance requirements was lost.

This has had significant ramifications for UK businesses, resulting in an increase in due diligence activities to provide evidence of compliance with MOD requirements for every contract or collaboration activity a business wishes to pursue. With the increased compliance requirements introduced by DefStan 05-138 (issue 4), the due diligence overhead has become an acute resource and cost issue for many businesses. The requirement to demonstrate or prove compliance with a defined MOD assurance level is necessary for businesses wishing to collaborate on MOD programmes as well as those working directly to MOD contracts.

The introduction of the Defence Cyber Certificate has the potential to alleviate this situation. Defence Cyber Certification (DCC), announced in May 2025 and run by IASME in close partnership with UK Defence, enables a business to demonstrate conformance to a Cyber Security Model (CSM) Cyber Risk Profile Level without the need to evidence this separately for subsequent enquiries or additional contracts it may win.

What DCC Actually Is

Defence Cyber Certification is an organisation-wide information security certification, developed by the UK Ministry of Defence and IASME, the MOD’s official certification partner. Rather than assessing one contract or one team, it looks at the security and resilience of your whole organisation, or a similar scope agreed under significant scrutiny from an approved certification body.

It checks your organisation at a set point in time against a particular Cyber Security Model (version 4), DefStan 05-138 (issue 4) Cyber Risk Profile (CRP) Level. The CRP level depends on the stated contracted risk level the business is expected to meet or, alternatively, an arbitrary level (Level 0-3) the business chooses to meet. The advantage is that the certificate itself is proof of conformance and significantly reduces the due diligence effort that would otherwise be required to prove conformance for every collaboration enquiry or contract the business may experience over a period of time. A certificate lasts three years, as long as you are able to confirm each year that your security arrangements remain conformant with the standard.

The standard behind it is Defence Standard 05-138 Issue 4, the same control framework that underpins the MOD’s Cyber Security Model version 4. 

Prior to May 2025, demonstrating conformance to a defence assurance requirement was something of an obtuse communications exercise, with loose references to ‘hardening’, ‘Defence readiness’ etc. Now, DCC provides positive, demonstrable proof of a business’s commitment and conformance through evidence gained from a combination of self-assessment and audit.

For any organisation that wants to work with defence, DCC is a credential worth holding before the tender lands.

Value Delivered By The DCC Organisation

The first benefit is readiness. When a defence opportunity appears, you are already certified and can respond to it without scrambling to meet cyber requirements against a deadline.

The second is credibility with PRIMEs and other buyers. Larger defence contractors are responsible for managing their Defence supply chains and increasingly require assurance that their supply chain communities can meet the increasingly stringent Defence assurance needs. A DCC certificate provides immediate and recognisable evidence that this is the case, without the need for additional and extensive due diligence activity (unless a higher risk level commitment is required).

The third is a structured path to maturity. Because the DCC levels build on each other, the standard can identify a clear roadmap to support your strategic aim(s). Achieving certification transforms cyber assurance from a perceived barrier to business into a head start. So how does the certification itself break down?

How DCC Works: The Four Levels

DCC comprises four risk levels, each requiring more controls as the assessed risk rises. Level 0 covers 3 baseline controls, Level 1 covers an additional 98 controls (101 controls in total), Level 2 covers an additional 38 controls (139 controls in total) and Level 3 covers 144 controls in total. The control sets are designed around prevention, detection, response and recovery.

Cyber Essentials, the UK’s foundational information security standard, is a prerequisite certification for all levels. Levels 2 and 3 also require Cyber Essentials Plus. If you are unsure which of the two you need, our guide on Cyber Essentials vs Cyber Essentials Plus explains the difference, and getting your scope right at the outset matters more than most people expect.

Pera Prometheus is an approved certifying body for Cyber Essentials, Cyber Essentials Plus and DCC Level 0. This means we can handle both your Cyber Essentials and your DCC Level 0 certification in one place. As an approved certifying body, we know the exact fix for the issues businesses most often run into. We can also give you the right guidance on which level of certification you need, based on how your business operates.

Ready to Take the Next Step?

Working out whether to certify now and which level to aim for is exactly the kind of question that stalls good intentions. At Pera Prometheus, we work with commercial organisations and defence suppliers alike, and we are happy to talk it through with no obligation. Get in touch and let’s work out where you stand.

Frequently Asked Questions

Q: Do we need a defence contract to get DCC?

A: No. You can apply at any level and at any time, before you bid for or win defence work, rather than waiting for a contract to trigger the process.

Q: What is the difference between DCC and Cyber Essentials?

A: Cyber Essentials covers a core set of technical controls, while DCC is a broader, organisation-wide assessment that includes Cyber Essentials in its control set.

Q: Which DCC level should a commercial organisation start at?

A: Most start at Level 0 or Level 1. Pera Prometheus can help you assess the right level for your risk.

Q: How long does DCC certification last?

A: Full recertification is required every three years, supported by annual attestation in the interim.

Q: Can Pera Prometheus help if we are new to the defence supply chain?

A: Yes. We support organisations entering the defence supply chain as well as established suppliers, including the Cyber Essentials, Cyber Essentials Plus and DCC Level 0 certification that underpins the scheme.

Stay Safe, Stay Secure.