Understanding Defence Cyber Certification (DCC)

Developed by the MoD and IASME, and aligned with international leading practices, the aim of DCC is to provide independent, verifiable assurance based on pre-defined levels of compliance.  The scheme defines four different compliance levels, which correspond to the identified risk of the supplier.  As part of certification, Cyber Essentials or Cyber Essentials Plus (depending on compliance level) needs to be achieved, and a specific set of controls from the MoD Standard (Def Stan 05-138, issue 4) need to be implemented.  The controls an organisation must implement depend on its compliance level.  Certification for DCC lasts three years, subject to annual check-ins.

As mentioned earlier, the scheme has four levels of compliance.  These are:

Level 0

The most basic level, for organisations with very low risk assessed cyber risk.  It requires compliance with three basic controls, in addition to Cyber Essentials.

Level 1

Aimed at organisations with low to moderate assessed cyber risk.  It requires compliance with 101 basic controls, in addition to Cyber Essentials.

Level 2

Aimed at organisations with a high assessed cyber risk.  It requires compliance with 139 controls, in addition to Cyber Essentials Plus.

Level 3

Aimed at organisations with the highest level of assessed cyber risk.  It requires compliance with 144 controls, in addition to Cyber Essentials Plus.

‍

One of the first steps is to identify what level of compliance you need to achieve, or would be looking to achieve.  Based on this, you can then decide whether to certify against (if you are not already certified) Cyber Essentials or Cyber Essentials Plus.  It may be that previous MoD contracts held by your organisation identify its level.

Unlike Cyber Essentials, where you can exclude parts of your organisation from your certification scope, DCC requires you to certify all parts of your organisation that are essential to its operation, ideally your entire organisation.  As such, policies, procedures and controls must be applied across your organisation as a whole, not just parts of it.

Once your organisation has determined the level required, and the relevant Cyber Essentials certification has been achieved, you can then begin to assess your current cyber security posture, identify any gaps and subsequently align your controls to the latest version of the Def Stan 05-138.

Once you are satisfied that your organisation meets the necessary control requirements,  the certification process for all four levels is as follows:

1. Contact IASME and obtain a list of authorised certification bodies
2. Select a certification body from the list to conduct your assessment
3. The selected certification body will outline the process and provide costs
4. Once a contract has been signed, the assessment will begin
5. The assessor will identify gaps and provide advice, but will not implement solutions
6. You will receive certification or a report of failure (confidential)

One of the most significant benefits of achieving DCC is that it opens the door to MoD contracts not available to uncertified competitors, with many MoD tenders requiring DCC at a certain level.  Without it, bids may not even be considered.  Even for contracts that do not explicitly require certification to the scheme, DCC may provide you with a competitive edge over organisations that do not hold certification, as it can act as an independent and verifiable differentiator.  

In addition, DCC expands upon Cyber Essentials and Cyber Essentials Plus certification, and further enhances your security posture.  Depending on the level of compliance, the measures required for DCC include detection facilities, supplier management, incident handling and business continuity risk assessments. The controls outlined within Def Stan 05-138 are also closely aligned with those found in other established cyber security frameworks, such as ISO 27001 and the National Institute of Standards and Technology Cyber Security Framework (NIST CSF) 2.0.  This reduces duplication of effort when achieving further certifications, allowing your organisation to build on existing practices, rather than from the ground up.