[{"data":1,"prerenderedAt":262},["ShallowReactive",2],{"learn-articles":3},[4],{"id":5,"title":6,"author":7,"body":8,"date":252,"description":253,"extension":254,"meta":255,"navigation":256,"path":257,"seo":258,"slug":259,"stem":260,"__hash__":261},"learn/learn/what-is-dcc-certification.md","What is DCC Certification?","Henry Sinclair",{"type":9,"value":10,"toc":234},"minimark",[11,15,20,23,26,29,33,36,43,49,55,61,64,68,71,84,87,90,94,97,119,122,126,129,136,142,148,162,169,172,175,179,184,187,191,194,198,201,205,208,212,215,219,222,225],[12,13,14],"p",{},"If you run IT or operations at a UK SME and a prime contractor has just told you that you need to be \"DCC certified\" before they can award you work, this guide is for you. It explains what DCC actually is, what the four levels cover, and how it fits alongside things you may already know like Cyber Essentials and DefStan 05-138.",[16,17,19],"h2",{"id":18},"what-dcc-is-and-why-it-exists","What DCC is and why it exists",[12,21,22],{},"Defence Cyber Certification (DCC) is the UK Ministry of Defence's scheme for raising the cyber security baseline of the defence supply chain. It exists because modern defence capability is built and supported by thousands of suppliers, most of them SMEs, and every one of them is a potential way in for an adversary. A ship, a radio, or a command system is only as secure as the smallest company that ships a component, a bit of firmware, or a piece of drawing data.",[12,24,25],{},"DCC gives those suppliers a single, defined bar to clear, and gives the MOD and its primes a single, verifiable way to ask for it. Instead of every prime running its own supplier questionnaire and every SME filling in ten different spreadsheets a year, DCC replaces that with one certification tied to the risk level of the work.",[12,27,28],{},"The scheme is built on DefStan 05-138 (Issue 4, May 2024), the MOD standard that sets out what good cyber security actually looks like for a defence supplier. 
DCC is how you get assessed and certified against that standard.",[16,30,32],{"id":31},"the-four-levels","The four levels",[12,34,35],{},"DCC has four progressive levels. You certify at the level appropriate to the sensitivity of the work you do, not at the highest level you can afford. Each level in DefStan 05-138 is tied to a band of assessed cyber risk.",[12,37,38,42],{},[39,40,41],"strong",{},"Level 0, Basic (3 controls)."," The entry level. Assigned where there is a very low level of assessed cyber risk. Level 0 is narrow on purpose. It is built around three controls: Cyber Essentials (as the pre-objective), UK GDPR compliance, and resilient networks and systems. If you already hold Cyber Essentials, you already have the biggest piece of Level 0.",[12,44,45,48],{},[39,46,47],{},"Level 1, Foundational (101 controls)."," For suppliers with a low to moderate assessed cyber risk. This is where DCC starts to feel meaningfully broader than Cyber Essentials. Level 1 adds the defence-specific control families most people assume Level 0 covers: identity and access control, asset management, supply-chain assurance, physical access controls, personnel security (joiners, movers, leavers, and vetting), incident response, and more.",[12,50,51,54],{},[39,52,53],{},"Level 2, Advanced (139 controls)."," For suppliers with a high assessed cyber risk. Advanced cyber security oversight and planning, driving robust organisational and cyber practices. Expect mature, tested processes rather than a best-effort first pass.",[12,56,57,60],{},[39,58,59],{},"Level 3, Expert (144 controls)."," For suppliers with a substantial assessed cyber risk. Expert cyber security capabilities that fully take advantage of a \"defence in depth\" methodology. Reserved for the most sensitive programmes.",[12,62,63],{},"Most SMEs entering the defence supply chain for the first time are asked for Level 0 or Level 1. 
Levels 2 and 3 get attached to specific contracts or programmes where the data or the capability justifies it.",[16,65,67],{"id":66},"who-needs-to-certify-and-when","Who needs to certify, and when",[12,69,70],{},"You need DCC if you are a UK supplier (or want to be one) that handles defence information as part of delivering to the MOD, a prime contractor, or a higher-tier supplier. The trigger is usually a contract clause or a supplier onboarding requirement. In practice that means:",[72,73,74,78,81],"ul",{},[75,76,77],"li",{},"A prime has told you \"we need you certified before we can place the next PO\".",[75,79,80],{},"A tender pack lists DCC as a mandatory supplier requirement.",[75,82,83],{},"Your existing customer is updating its supplier assurance programme and is rolling DCC through its tier two and tier three suppliers.",[12,85,86],{},"Timing-wise, the sensible assumption for the next couple of years is this: if you sell into UK defence in any form, DCC will eventually land on you. Starting with Level 0 voluntarily, before a prime asks, is a lot less painful than starting it the week before a contract is due to be awarded.",[12,88,89],{},"Level 0 is achievable in weeks, not months, once you know what evidence is required and you have a sensible way to collect it. Holding Cyber Essentials in advance covers the pre-objective, which is the bulk of Level 0.",[16,91,93],{"id":92},"how-dcc-relates-to-defstan-05-138","How DCC relates to DefStan 05-138",[12,95,96],{},"DCC and DefStan 05-138 are often used as if they are the same thing. They are not, but they are tightly linked.",[72,98,99,110],{},[75,100,101,104,105,109],{},[39,102,103],{},"DefStan 05-138"," is the ",[106,107,108],"em",{},"standard",". It defines the controls and the maturity levels, the rules of the game.",[75,111,112,104,115,118],{},[39,113,114],{},"DCC",[106,116,117],{},"certification scheme",". 
It is how a supplier is assessed against that standard and awarded a certificate at a specific level.",[12,120,121],{},"In other words, DefStan 05-138 is what you are held to. DCC is the process that proves you meet it. If you are reading the standard directly, the four DCC levels map onto the four risk levels in the standard (Basic, Foundational, Advanced, Expert).",[16,123,125],{"id":124},"how-dcc-relates-to-and-differs-from-cyber-essentials","How DCC relates to (and differs from) Cyber Essentials",[12,127,128],{},"Most UK SMEs have heard of Cyber Essentials. Many already hold it. A common question is whether Cyber Essentials is \"enough\", or whether DCC just duplicates it.",[12,130,131,132,135],{},"The short answer at Level 0: Cyber Essentials ",[106,133,134],{},"is"," the pre-objective. It is baked directly into DCC Level 0 as control 0001. Holding CE (or CE Plus) covers most of what Level 0 asks for.",[12,137,138,141],{},[39,139,140],{},"Cyber Essentials"," is a UK government-backed scheme focused on five technical control areas: firewalls, secure configuration, user access control, malware protection, and patch management. It is designed to be a general-purpose baseline for any UK organisation. It is assessed via self-assessment (Cyber Essentials) or a hands-on audit (Cyber Essentials Plus). 
It is useful, it is relatively quick, and it is cheap.",[12,143,144,147],{},[39,145,146],{},"DCC Level 0"," takes Cyber Essentials as its starting point and adds two further DefStan 05-138 controls on top:",[72,149,150,156],{},[75,151,152,155],{},[39,153,154],{},"UK GDPR compliance (control 2314)."," Demonstrate that the personal data you hold is protected by appropriate UK GDPR processes and controls.",[75,157,158,161],{},[39,159,160],{},"Resilient networks and systems (control 2500)."," Show that your networks and systems are designed and maintained to keep running when something goes wrong.",[12,163,164,165,168],{},"Level 0 is therefore close to Cyber Essentials in scope, with a light defence-specific top-up. It is ",[39,166,167],{},"not"," yet the point where DCC becomes meaningfully broader than CE.",[12,170,171],{},"That happens at Level 1, which introduces the defence-specific control families that people often assume are in Level 0: physical access controls (site access, visitor management), personnel security (vetting, joiners/movers/leavers), incident response, asset management, supply-chain assurance, and a proper identity and access control regime. If a prime is asking for DCC because they need those controls in place, they are asking for Level 1, not Level 0.",[12,173,174],{},"This matters when you are planning. If you already hold Cyber Essentials, Level 0 is a short hop. Level 1 is a real programme of work, and the sooner you understand which level the contract actually requires, the fewer surprises you get at assessment.",[16,176,178],{"id":177},"frequently-asked-questions","Frequently asked questions",[180,181,183],"h3",{"id":182},"what-is-dcc-level-0-certification","What is DCC Level 0 certification?",[12,185,186],{},"DCC Level 0 is the entry-level certification under DefStan 05-138, the UK Ministry of Defence standard for cyber security in the defence supply chain. 
It is designed for suppliers with a very low assessed cyber risk and is built around three controls: Cyber Essentials as the pre-objective, UK GDPR compliance, and resilient networks and systems.",[180,188,190],{"id":189},"who-needs-dcc-level-0-certification","Who needs DCC Level 0 certification?",[12,192,193],{},"UK defence suppliers whose work carries a very low assessed cyber risk, where a prime contractor or the MOD asks for Level 0 certification under DefStan 05-138. It is the starting point for SMEs entering the defence supply chain and is often where suppliers begin their DCC journey before moving to Level 1 as contracts grow in sensitivity.",[180,195,197],{"id":196},"what-does-dcc-level-0-cover","What does DCC Level 0 cover?",[12,199,200],{},"Level 0 is built on three DefStan 05-138 controls: Cyber Essentials (as the pre-objective), UK GDPR compliance, and resilient networks and systems. It focuses on basic cyber hygiene and is narrower than Level 1, which adds controls covering identity and access, asset management, physical security, personnel vetting, and incident response.",[180,202,204],{"id":203},"how-long-does-dcc-level-0-certification-take","How long does DCC Level 0 certification take?",[12,206,207],{},"Most organisations complete Level 0 in four to eight weeks once they begin gathering evidence, although it depends on the state of your existing controls. Holding Cyber Essentials in advance covers the pre-objective for Level 0, so CE-certified suppliers tend to move faster. A guided workflow and good evidence tooling can shorten this significantly.",[180,209,211],{"id":210},"what-is-defstan-05-138","What is DefStan 05-138?",[12,213,214],{},"DefStan 05-138 (Issue 4, May 2024) is the UK Ministry of Defence standard that defines cyber security requirements for the defence supply chain. 
It sets out the control framework DCC is assessed against, structured into four progressive levels (0 to 3) of increasing security maturity so that suppliers can match their certification to the sensitivity of the work they do.",[180,216,218],{"id":217},"how-does-dcc-level-0-differ-from-cyber-essentials","How does DCC Level 0 differ from Cyber Essentials?",[12,220,221],{},"Cyber Essentials is itself the pre-objective for DCC Level 0, so holding CE covers the largest piece of Level 0. What DCC Level 0 adds on top are two further DefStan 05-138 controls: UK GDPR compliance and resilient networks and systems. Level 0 is closely aligned with Cyber Essentials in scope. It is Level 1 and above that introduce the broader defence-specific requirements around identity and access, asset management, physical security, and personnel vetting.",[223,224],"hr",{},[12,226,227,228,233],{},"Ready to start? Snubnose gives you a guided, self-paced path to DCC Level 0 certification, with AI-assisted evidence validation and a workspace built around DefStan 05-138. ",[229,230,232],"a",{"href":231},"/dcc-level-0","Begin your Level 0 certification",".",{"title":235,"searchDepth":236,"depth":236,"links":237},"",2,[238,239,240,241,242,243],{"id":18,"depth":236,"text":19},{"id":31,"depth":236,"text":32},{"id":66,"depth":236,"text":67},{"id":92,"depth":236,"text":93},{"id":124,"depth":236,"text":125},{"id":177,"depth":236,"text":178,"children":244},[245,247,248,249,250,251],{"id":182,"depth":246,"text":183},3,{"id":189,"depth":246,"text":190},{"id":196,"depth":246,"text":197},{"id":203,"depth":246,"text":204},{"id":210,"depth":246,"text":211},{"id":217,"depth":246,"text":218},"2026-04-24","A plain-English guide to Defence Cyber Certification (DCC) for UK defence suppliers. 
What it is, the four levels, how it relates to DefStan 05-138 and Cyber Essentials, and when you actually need it.","md",{},true,"/learn/what-is-dcc-certification",{"title":6,"description":253},"what-is-dcc-certification","learn/what-is-dcc-certification","3vgCRUVYN823j_z-cpRCOeCyA0FJUjicDh3kHPCAdLU",1777063947783]