From DCC to FSC: Navigating Defence Cyber Compliance Frameworks

Gareth Shaw, MD Pera Prometheus

For many small and medium-sized businesses, working with the UK Ministry of Defence (MOD) can open valuable opportunities. Supplying goods or services to defence contracts can raise your profile, strengthen partnerships, and increase credibility. However, it also means that your business will need to meet the security standards set by MOD.

For non-technical businesses, terms like DCC, FSC, and DEFCON 658 can sound daunting. In reality, these frameworks exist to protect both suppliers and the MOD from cyber and security threats by enhancing cyber resilience. This blog explains what they mean in simple terms and shows how to navigate the journey.

What is Defence Cyber Certification?

Let’s start with the cyber side of things. Defence Cyber Certification (DCC) is a comprehensive, organisation-wide cyber security certification scheme for businesses in the UK defence supply chain. It was developed by IASME with support from MOD, and its aim is to strengthen the cyber resilience of the defence sector’s suppliers. DCC provides a single certification that an organisation can present in support of MOD procurement activities, subject to annual check-ins and full re-certification every three years.

Rather than focusing on just one system or project, DCC looks at how the whole business handles cyber security: policies, processes, technical controls, staff practices, and more. It is structured into four levels (Level 0, Level 1, Level 2 and Level 3), each requiring a larger set of controls to be met, and it aligns closely with the new Cyber Security Model (DefStan 05-138) issue 4.

  • All levels start with Cyber Essentials certification.
  • For Levels 2 and 3, Cyber Essentials Plus is required.
  • Each level demands more evidence, more controls, and greater scrutiny.

DCC draws its inspiration from the NIST 800-171 standard and is intended to align with MOD’s cyber security requirements (such as Def Stan 05-138 issue 4) and with best practices widely accepted in the cyber security field.

To gain and maintain DCC, businesses must demonstrate how they meet each control, provide evidence, and undergo independent assessment for Levels 1, 2 and 3.

Why does DCC matter?

  • Contractual compliance: DCC can help satisfy MOD procurement requirements (for example, in contract clauses like DEFCON 658), showing you meet required cyber standards.
  • Competitive edge: Having DCC can make your bid more attractive, especially when others lack comparable certification.
  • Risk management: It helps identify and reduce cyber weaknesses in your organisation, protecting your business and your reputation.
  • Assurance to partners: Partners and other contractors can trust that a certified supplier is meeting a recognised standard of cyber resilience.

It must be noted that DCC is not an MOD requirement and, so far, MOD have not passed comment on whether they will accept DCC certification in lieu of undergoing independent MOD assessment and meeting MOD DEFCONs.

MOD contracts are driven by DEFCONs (Defence Conditions). DEFCONs are the standard contractual clauses used by the UK MOD in its agreements with suppliers. Each DEFCON sets out specific terms that contractors must follow. They are MOD’s primary mechanism for achieving a set of consistent and legally clear standard conditions in its contracts with industry, and they enable the MOD to legally enact, or enforce, government or MOD policy.

It is likely that DCC requests will start to flow down from Defence Primes, rather than being demanded by MOD. Make sure that you understand what DCC will do for your business before making a financial commitment. If you aren’t sure, get in touch with us via our Website Contact Form and we can advise you further.

Facility Security Clearance (FSC): Physical and Personnel Security

While Defence Cyber Certification (DCC) and DEFCON 658 focus on protecting digital systems and data, FSC covers the other half of the security picture, safeguarding the physical spaces and items that store, handle or process classified information.

According to the Ministry of Defence’s Facility Security Clearance Policy and Guidance (v1.4, March 2024), FSC is the formal accreditation confirming that a supplier’s premises, staff, and procedures are secure enough to store or work with information classified above OFFICIAL. It ensures that every organisation involved in defence projects can protect sensitive assets from physical and insider threats. FSC does not concern itself with cyber issues, with the exception of ensuring that only authorised electronic devices are permitted within the cleared premises. IT- and cyber-related issues are dealt with through Secure by Design and the Cyber Security Model.

Companies cannot directly apply for FSC; they must be sponsored by a Contracting Authority (CA), which could be:

  • A UK Government department or agency
  • An existing FSC company
  • An overseas government or defence contractor
  • An international organisation such as NATO

Your sponsoring CA will specify the classified information you must secure and the reasons for this requirement, typically via a Security Aspects Letter (SAL). The SAL acts as the detailed security instruction for the specific project. It identifies which elements of the work are classified, the level of classification applied, and the protective measures required. For the majority of UK FSC sites, the MOD acts as the CA, with the MOD Industry Security Assurance Centre (ISAC) managing all related processes.

Other Important Standards and Certifications

While DEFCON 658, DefStan 05-138 and FSC are central to MOD compliance, several related frameworks support your overall readiness. Below are some of the many that may apply:

  • ISO/IEC 27001: This is the standard for information security management systems (ISMS). It is designed to safeguard the Confidentiality, Integrity, and Availability of data.
  • GDPR and Data Protection Act 2018: Defence contracts often involve personal data, such as staff details. These laws demand that you keep it safe and report breaches fast.
  • DEFCON 528 (Edition 10/24): This covers the requirement for import and export licences relating to goods, technology, or software supplied under MOD contracts.
  • ISO 22301: Business continuity planning, which ensures you can bounce back from disruptions such as floods or strikes; vital for time-critical defence supplies.

Don’t overwhelm yourself. Start with what is contract-specific. These standards overlap, so one effort often ticks multiple boxes. You do not need to be certified in all these areas, but being aware of them helps you prepare for future contract requirements.

The SME Compliance Journey

Here is what the typical journey looks like for an SME aiming to become a trusted defence supplier:

  1. Identify an opportunity: Review MOD tenders or prime contractor requests.
  2. Check the contract requirements: Look for related DEFCONs and DefStans.
  3. Preparations: Consider whether obtaining various commercial certificates or aligning to particular cyber security frameworks will prepare you to meet Defence requirements.
  4. Apply for FSC if needed: Work with your sponsor to begin the clearance process.
  5. Implement personnel vetting: Make sure key staff hold the correct clearances through UKSV, if these are required for the contract you are supporting. You may need, or wish, to undergo Industry Personnel Security Assurance (IPSA) accreditation (this is a mandatory requirement for FSC).
  6. Maintain compliance: Keep your certifications up to date and review your policies regularly.

Be aware that MOD accreditation or assurance activities can take time: MOD Assessors are hard pressed, and your application will be just one of many in their portfolio. Help yourselves, and them, by allowing appropriate time frames to realise your aims and by presenting Assessors with clearly defined, well-ordered documentation and evidence.

Closing Thoughts

Defence compliance can seem complex, but it is built on clear, logical foundations that protect both suppliers and the MOD. By understanding how frameworks like DCC, FSC, and the DEFCON clauses connect, small and medium-sized businesses can approach defence contracts with confidence. Compliance is not just a contractual requirement; it is a statement of professionalism, resilience, and trustworthiness that strengthens your place in the UK MOD’s supply chain.

Stay Safe, Stay Secure