- Gareth Shaw, Founder of Pera Prometheus Consulting Ltd
What is DCC?
The growing complexity of cyber security threats is particularly affecting critical sectors such as the defence industry. Consequently, the UK Ministry of Defence has partnered with Information Assurance for Small and Medium Enterprise (IASME) and launched a new, comprehensive cyber security certification framework for UK defence suppliers: the Defence Cyber Certification (DCC).
The DCC is an integral component of the UK Ministry of Defence’s (MOD) Cyber Security Framework for Defence Suppliers. Full details regarding DCC are still being sought from IASME, as is formal direction from MOD in the form of an Industry Security Notice.
From what we understand at this stage, the DCC serves as the mechanism through which suppliers can demonstrate that they meet requirements similar to those of DEFSTAN 05-138 Issue 4, based on their assigned risk level. For MOD contracts that risk level will still be dictated by the MOD, although an organisation may choose to exceed it. The DCC Level you require will be determined by the Cyber Security Model, which is described in the interim notice ISN 2025/01.
Pera Prometheus is currently engaging with our network to understand more. In the interim, I would advise that anyone involved in a current MOD contract seek direction from their Contracting Authority or Industry Prime. Those considering obtaining DCC should make sure that they fully understand what the certification provides, and pay particular attention to the IASME statement:
“Applicants may still tender for MOD contracts via the normal MOD process, DCC is not mandatory at this stage”
Organisations should also not assume that DCC automatically enables them to store, process or transmit MOD information without MOD approval. The likelihood is that the DCC will be recognised by Defence, but risk will still be judged on a case-by-case basis.
There is a lot of useful information in the DCC FAQ.
What is new on DCC?
DCC offers defence suppliers the opportunity to demonstrate to each other their conformance to a particular CSM risk level, assessed by an independent third party and evidenced through the issue of a certificate.
Its foundational standards remain based on the established principles of Def Stan 05-138, and it is relevant to all defence contracts up to the certified level.
DCC is NOT a demonstration of a business’ ability to handle or process classified information. The requirements and controls for this are outlined in the respective Defence Condition (DEFCON): DEFCON 660 for OFFICIAL-SENSITIVE information and DEFCON 659A for SECRET.
While holding a DCC certificate is not a mandatory requirement to bid for a defence industry contract, it may be viewed as a sign of preparedness and maturity on the part of a contractor planning to work with Defence. Time will tell.
Read more: Cyber Security Model & DEF STAN 05-138 in Defence Industry
What do the different DCC levels mean?
DCC has four levels, from Level 0 to Level 3, each defined by a specific number of controls. Controls refer to specific security practices, measures, or procedures that organisations must implement to protect their digital infrastructure and sensitive data against cyber threats, essentially demonstrating their organisational security and resilience.
All levels require certification to Cyber Essentials, while Levels 2 and 3 also require Cyber Essentials Plus as part of the controls which need to be implemented.
Below is a snapshot description of different levels.
| Level | Controls | Description | Security Measures |
|---|---|---|---|
| 0 | 3 | Very low level of assessed risk to a supplier delivering an output. | Basic security practices (cyber hygiene) required to protect minimal-risk information: ● Cyber Essentials; ● Ensure GDPR compliance; ● Operating a resilient network. |
| 1 | 101 | Low to moderate level of assessed risk to a supplier delivering an output. | Additional controls are not limited to technical means of security. They extend to governance, establishing defined roles and responsibilities, etc. |
| 2 | 139 | A high level of assessed risk to a supplier delivering an output. | Suppliers are required to demonstrate advanced cyber security oversight and planning to drive robust organisational and cyber practices. This builds on the controls required for Levels 0 and 1, as well as Cyber Essentials Plus and additional controls. |
| 3 | 144 | A substantial level of assessed risk to a supplier delivering an output. | Suppliers are required to demonstrate expert cyber security capabilities that leverage a ‘defence in depth’ approach. This level builds upon the controls required for Levels 1 and 2, introducing an additional 5 complex controls needed to appropriately protect the business against new and evolving threats instigated by mature and innovative threat actors. |
What is the process to achieve the certification?
To begin, defence suppliers need to understand which DCC level applies to their organisation or, in the absence of a risk level assigned by MOD, which level is appropriate for it. Businesses are free to adopt a Cyber Risk Level of their own volition, should they wish to.
Where there is an MOD contract, the MOD determines what the risk level for the project or programme should be. This risk level is then communicated to industry suppliers in the commercial documentation MOD issues. The risk level applies to all members of the supply chain for a specific contract and is ‘flowed down’ through commercial arrangements.
Once achieved, DCC certification is valid for three years and is reviewed annually. Cyber Essentials and Cyber Essentials Plus certificates are renewed annually.
The current process to achieve certification is as follows:
- Initial Contact: The applicant contacts IASME to express interest in DCC assessment and certification. In the future, the applicant will be able to consult the IASME website for a list of Certification Bodies (CBs) and guidance for each level.
- Information and Guidance: IASME provides further information, including a list of authorised CBs.
- Selecting a CB: The applicant selects and contacts a CB to oversee their assessment.
- Assessment Explanation: The selected CB outlines the assessment process and provides indicative costs.
- Agreement and Assessment: If the applicant agrees to proceed, they sign a contract with the CB and begin the assessment.
- Advisory Support: The assessor identifies compliance gaps and advises accordingly but does not resolve issues directly.
- Certification Achievement: Upon successful completion, the applicant receives their certification and a digital badge.
Where Pera Prometheus can add value
Pera Prometheus can bring value to the DCC certification process by:
- Helping organisations understand whether DCC is the correct approach for them;
- Helping clients to prepare for an external assessment by an IASME CB;
- Supporting clients after the IASME CB assessment by helping to complete mitigation activities for any points identified during the external assessment, in readiness for a re-assessment should the client not pass the initial inspection.
Preparation and mitigation activities can be complex, due to the rigorous documentation and evidence requirements and, in some circumstances, the specialist knowledge required.
Pera Prometheus is also able to deliver wider SQEP (Suitably Qualified and Experienced Personnel) support, e.g. penetration testing, vulnerability assessments, security architecture expertise, business continuity planning, incident management for cyber-attacks, cyber security risk assessments, etc.
Read more: Business Impact Analysis, Penetration testing
Pera Prometheus brings unrivalled expertise in UK Defence sector security. Our consultants, each with many years of MOD services experience, are ideally positioned to support your business throughout the DCC certification journey.
We offer comprehensive services including:
- Information and Cyber Security Frameworks management system development;
- Virtual CISO and Security Manager Services;
- Business Continuity and Incident Management;
- Governance, Risk & Compliance (GRC) advice and support;
- Penetration Testing (ethical hacking);
- Information Security Training for your workforce and your Board.
Read more: Virtual CISO and Security Manager, GRC, ISMS
Partnering with Pera Prometheus gives your organisation the edge to achieve and sustain DCC compliance, strengthening your position in winning and retaining MOD contracts.
Take the first step towards securing your defence industry future. Contact Pera Prometheus to begin your Defence Cyber Certification journey with expert guidance and support.