Defence Cyber Certification

The Defence Cyber Certification (DCC) Scheme has been developed by the UK Ministry of Defence (MOD) and IASME and is part of a broader initiative to strengthen the cyber resilience of the UK's defence sector supply chain.

As an IASME-assured Certification Body (CB), Shift Key Cyber are licensed to offer assessment and certification for Cyber Essentials and the DCC Scheme on behalf of government bodies. 

The DCC is aimed at any suppliers wishing to work with the Ministry of Defence, but there is an obligation for suppliers to meet the requirements of (DEFSTAN) 05-138 i4 to enrol on the scheme. This new version of the standard expands on the previous scope, which only considered a per-contract assessment approach, and now focuses on an organisation’s overall security and resilience.

What does the DCC framework consist of?

There are four levels available, each corresponding to the level of risk associated with a supplier’s role in the MOD supply chain. The MOD will inform suppliers of the level required, which is determined by the risk profile of the contract. All levels start with Cyber Essentials certification, with Levels 2 and 3 requiring Cyber Essentials Plus.

  • Level 0 Certification – 3 controls: This level requires supplier organisations to demonstrate basic cyber security practices and is normally assigned where there is a low level of risk. This can form a foundational level for future assessments at higher levels.

  • Level 1 Certification – 101 controls: This requires supplier organisations to demonstrate a comprehensive cyber security program with good practices, and is normally assigned where there is a low-to-moderate level of assessed cyber risk.

  • Level 2 Certification – 139 controls: This requires supplier organisations to demonstrate advanced cyber security oversight and planning which drives robust organisational and cyber practices. This is normally assigned where there is a high level of assessed cyber risk and is conducted on customer site.

  • Level 3 Certification – 144 controls: This requires supplier organisations to demonstrate expert cyber security capabilities which take full advantage of the ‘defence in depth’ methodology to appropriately protect the organisation against new and evolving threats. This is normally assigned where there is a substantial level of risk and is conducted on customer site.

Why certify to the scheme?

Any suppliers working with the MOD on contracts must now meet the new requirements for international standards set out in the DCC, making this a baseline requirement for current suppliers of these contracts.

However, it is important to note that organisations can apply to achieve certification at any level even if they are not engaged in an MOD contract. The DCC Scheme provides a proactive approach for anyone wishing to supply to the MOD in future, giving organisations the opportunity to improve their own security posture and resilience for better competitive advantage. The scheme also provides an opportunity for any organisation looking to showcase credibility and dedication to cyber resilience and security practices, offering assurance to stakeholders and unlocking future opportunities in the defence sector.

How do I know what level I need?

This will be decided by the MOD and details provided for each contract offered.

What needs to be included in the scope?

The scope of the certification concerns the cyber resilience of the critical business operations of your organisation. All parts of your business that are essential for you to operate must be included within the scope.

How long does certification take?

There is no defined timescale for how long it may take. This depends on:

  • The preparedness of the applicant.
  • Whether the applicant needs to remediate any gaps before applying.
  • The availability of the CB to carry out the assessment.

How long does the certificate last?

The certification lasts three years, but an annual attestation will be needed to maintain the certificate, along with annual recertification to Cyber Essentials or Cyber Essentials Plus.

Book a free consultation to see how our Defence Cyber Certification Services can benefit you and your organisation.