Trustpilot Score 4.5

Speak to an expert 03333 233 981

Speak to an expert 03333 233 981

What is Defence Cyber Certification (DCC)?

Defence Cyber Certification (DCC) is a formal, organisation-wide cyber security certification for businesses working in or supplying the defence sector. It was created by the Ministry of Defence (MoD) and IASME.

The DCC scheme sets our cyber security requirements for MoD suppliers, defined in Defence Standard (DEFSTAN) 05-138. If a contract requires DCC, you must hold the relevant certification level before you can bid for it.

DCC replaces the previous Supplier Assurance Questionnaire (SAQ), with formal, third-party verified certification. That gives defence buyers trusted assurance that your cyber security meets the standard the contract requires.
Certification is valid for three years, with annual attestation to confirm you still meet the requirements.

A man in a dark shirt is using a tablet, focused on the screen, with a shield icon in the corner.

Defence Cyber Certification levels

There are four DCC levels. The level you need depends on the cyber risk profile assigned to the contract you want to bid for. 

Level 0

Three controls, six questions, and Cyber Essentials

Level 1

coming soon

101 controls, 236 questions, and Cyber Essentials

Level 2

coming soon

139 controls, 328 questions, and Cyber Essentials Plus

Level 3

coming soon

of UK businesses experienced a breach/attack in the last 12 months

Which DCC level does your business need?

Every MoD contract is given a cyber risk profile, based on the four levels in Defence Standard 05-138. The level on your contract sets the minimum certification you need before you can bid.  If you’re not sure which level you need, we’ll help you work it out. 

Level 0

What it’s for
Basic verification of your security posture

Controls
3 controls, 6 questions

Certification required
Cyber Essentials

Gap analysis included
No

From £1,195

Level 1

Coming Soon

What it’s for
Higher assurance requirements

Controls
101 controls, 236 questions

Certification required
Cyber Essentials

Gap analysis included
Yes

From £3,995

How to get Defence Cyber Certification

The certification process has six stages. We’ll be with you at every one. 

A young woman wearing headphones looks at a computer screen, while a young man stands beside her, smiling and engaged.

Assessment preparation 
We help you understand the DCC level you need, what the process involves, and how ready your business is right now.

Onboarding 
You get access to our platform, a clear picture of next steps, and the support level that fits your business.

Submission preparation 
We work through the questions with you, gather evidence, and close any gaps before your submission goes in.

Assessment 
Your submission is reviewed against the requirements for your DCC level.

Certification 
Once you meet the requirements, you’ll receive your Defence Cyber Certification.

Annual attestation 
Your DCC lasts for three years. Each year, you’ll complete an attestation to confirm you still meet the requirements.

Why choose Citation Cyber for DCC support

DCC can feel like a lot to take on, especially if it’s new for you. Here’s what you get when you work with us: 

Headset icon in gradient shades of orange and pink, representing customer support or communication services.

Consultants who know the process.

Guidance from UK-based cyber security consultants who know MoD supplier requirements and what assessors are looking for. You won’t be working it out as you go.

Two stylised hands shaking, one in pink and the other in orange, symbolising partnership or agreement.

Support at the level you need.

Choose self-managed, assisted, or fully managed depending on how much involvement you want from us. There’s no single fixed route.

Download icon featuring a downward arrow inside a square, with a gradient transitioning from pink to orange.

One platform for everything.

Your questions, evidence, remediation actions and progress all sit in one place. Nothing gets lost and you always know where you stand.

A stylised orange and pink icon of a running person with motion lines depicting speed.

A process built to keep you moving.

We structure your preparation to avoid the most common causes of delay – incomplete evidence, missed requirements, late gaps.

A stylised document icon with a ribbon or badge, featuring a gradient from pink to orange.

Cyber Essentials covered too. 

Both DCC Level 0 and Level 1 require Cyber Essentials certification. As an established Cyber Essentials certifier, we can take care of both so it’s one provider, no handoffs.

A gradient badge icon featuring a circular center with a ribbon at the bottom, coloured in pink and orange.

Credentials that matter.

Citation Cyber is CREST approved and NCSC CHECK-assured. When you work with us, you’re working with a team that’s been independently verified to the standards your assessors recognise.

What are the benefits of Defence Cyber Certification?

DCC can feel like a lot to take on, especially if it’s new for you. Here’s what you get when you work with us: 

A stylised gavel icon featuring a gradient colour scheme of pink, orange, and yellow against a black background.

Bid for MoD contracts 

Some MoD contracts require DCC. Without the right level of certification, you can’t bid. With it, you can.

A stylised graphic featuring a pink document icon alongside an orange shield, symbolising protection or security of information.

Prove your cyber resilience

DCC shows defence buyers you’ve had your cyber security independently assessed and verified.

A gradient star shape, transitioning from pink at the top to orange at the bottom, set against a black background.

Strengthen your credibility

Prime contractors and buyers want assurance from their suppliers. DCC certification gives them that.

A graphic featuring a stylised letter

Protect sensitive data

Defence suppliers handle sensitive information. The DCC process identifies gaps in your security controls and gives you a clear path to close them.

Frequently Asked Questions

Which DCC level does my business need?

The level you need is determined by the cyber risk profile assigned to the MoD contract you want to bid for. If the contract is assessed at Level 1, you need DCC Level 1 certification as a minimum. If you’re unsure what level applies to your situation, speak to one of our consultants and we’ll help you work it out before you start the process.

Who is DCC for?

DCC is for any business that supplies, or wants to supply, the Ministry of Defence. That includes businesses at any tier of the defence supply chain, not just prime contractors. If you’re bidding for an MoD contract that carries a DCC requirement, it applies to you.

Is Defence Cyber Certification mandatory?

DCC is mandatory for MoD contracts that carry a DCC requirement. If the contract specifies a DCC level, you must hold that certification before you can bid. Not all MoD contracts require DCC, the requirement depends on the cyber risk profile of the specific contract.

Why was Defence Cyber Certification launched?

The MoD introduced DCC to raise and standardise cyber security across its supply chain. Previous self-assessment routes, including the Supplier Assurance Questionnaire, didn’t provide buyers with independently verified assurance of a supplier’s cyber resilience. DCC replaces them with formal certification to give the MoD and prime contractors a consistent, trusted standard to work to.

How long does the Defence Cyber Certification process take?

The time it takes depends on your DCC level, how complex your organisation is, and how ready your cyber security controls are when you start. At Level 0, the process is relatively straightforward. Level 1 involves 101 controls and a gap analysis, so typically takes longer. We’ll give you a realistic picture of the timeline during your initial assessment preparation.

Do I need Cyber Essentials certification to complete the DCC?

Yes. Both DCC Level 0 and DCC Level 1 require Cyber Essentials certification. If you don’t already hold it, you’ll need to achieve it as part of your DCC process. Citation Cyber is an established Cyber Essentials certifier, so we can support both certifications together.

What is the Supplier Assurance Questionnaire?

The Supplier Assurance Questionnaire (SAQ) was a previous self-assessment tool used by MoD suppliers to demonstrate their cyber security posture. It has been replaced by DCC, which requires formal third-party certification rather than self-declaration. If you’ve previously completed an SAQ, you’ll need to move to DCC to continue bidding for contracts that carry a cyber security requirement.