Defence Cyber Certification

Supplying to the MOD? You'll need this.

If you're part of the UK defence supply chain, or want to be, the Ministry of Defence now requires suppliers to hold Defence Cyber Certification. No certification, no contract. It's that simple.

The good news? DCC Level 0 is the foundation level, designed for suppliers with a very low cyber risk profile. And as an authorised DCC Certification Body, Cool Waters Cyber offers a complete "Done For You" service that takes you from where you are now to a certified DCC Level 0 organisation, including the Cyber Essentials certification you'll need as a prerequisite.

We hold DCC Level 0 certification ourselves, so we don't just assess it. We've been through it.

What is Defence Cyber Certification?

Defence Cyber Certification (DCC) is a cyber security certification framework developed by the Ministry of Defence and IASME. It replaces the old approach of assessing suppliers on a contract-by-contract basis with a single, organisation-level certification that you can present in support of multiple defence procurements.

The scheme is built on Defence Standard 05-138 (Issue 4) and represents a significant shift in how the MOD manages cyber risk across its supply chain. Rather than focusing narrowly on protecting MOD-identifiable information, DCC assesses the overall cyber resilience of your organisation.

There are four certification levels (0 to 3), each matched to the cyber risk profile assigned to a defence contract. The MOD or your prime contractor will tell you which level you need.

What does DCC Level 0 involve?

Level 0 is assigned where there is a very low level of assessed cyber risk. It's the foundation level, and for many organisations in the wider defence supply chain, particularly those in construction, facilities management, and non-technical support roles, it's the level you'll be asked to achieve.

DCC Level 0 covers three control areas:

1. Cyber Essentials certification - You must hold a current Cyber Essentials certificate that covers the scope of your DCC assessment. This is a prerequisite, and if your CE scope doesn't align with your DCC scope, it's an automatic fail. Cool Waters Cyber is also an IASME-accredited Cyber Essentials Certification Body, so we can handle both under one roof.

2. UK GDPR compliance - You need documented policies and procedures demonstrating how your organisation complies with the UK Data Protection Act 2018. This doesn't require a full GDPR audit, but you do need to show that you have the right documentation in place.

3. Resilient networks and systems - You need to demonstrate that you've built resilience against cyber attack and system failure into how you design, implement, operate, and manage the systems that support your business. This covers the full lifecycle of your systems, not just how you respond when something goes wrong.

If the second and third areas sound familiar, that's because they are. Data protection and business resilience are already core components of the IASME Cyber Assurance framework, which Cool Waters Cyber delivers every day. DCC Level 0 builds on Cyber Essentials in much the same way that IASME Cyber Assurance does, adding governance, resilience, and data protection on top of the five technical controls. That means we're not learning this as we go. These are areas where we already have deep, practical expertise.

How our Done For You service works

We handle the heavy lifting so you can focus on running your business. Here's what to expect:

Scoping and planning - We assess your organisation, determine the right scope for your DCC assessment, and identify any gaps. If your existing Cyber Essentials certificate needs updating or you don't yet have one, we sort that out first as part of the service.

Documentation and evidence - We work with you to prepare the documentation and evidence you'll need across all three control areas: Cyber Essentials alignment, GDPR compliance, and system resilience. We'll build the policies, prepare the answers, and make sure everything meets the standard before it goes anywhere near an assessment.

Platform submission - We handle onboarding to the IASME platform and manage the submission process, making sure nothing is missed and no critical requirements are overlooked.

Assessment and certification - We assess your submission, work through any areas that need strengthening, and submit the results. If you pass, your certificate is issued automatically through the BlockMark system.

Your DCC certificate is valid for three years, with an annual check-in to confirm nothing has materially changed.

Who needs DCC Level 0?

You're likely to need DCC Level 0 if:

  • You supply goods or services to the MOD, directly or through a prime contractor

  • Your contract has been assigned a Cyber Risk Profile of Level 0

  • Your prime contractor requires DCC certification as a condition of working on a defence programme

  • You're a construction, facilities management, or professional services firm working on MOD projects

  • You're looking to enter the defence supply chain and want to get certified ahead of a specific contract

If you're not sure which level you need, we can help you work that out.

Already hold Cyber Essentials or IASME Cyber Assurance?

If you already hold Cyber Essentials certification, you're partway there. DCC Level 0 builds on your existing CE certificate, adding the GDPR compliance and resilience controls on top. The key thing to check is that your current Cyber Essentials scope aligns with the scope of your DCC assessment. If it doesn't, we may need to adjust it first.

If you hold IASME Cyber Assurance, you're in an even stronger position. You'll already have much of the governance, data protection, and resilience groundwork in place. For many IASME Cyber Assurance holders, DCC Level 0 is a relatively short step rather than a major project.

If you don't yet have Cyber Essentials, don't worry. We'll get you certified as part of the process.

Ready to get started?

Whether you've been told you need DCC by a prime contractor, or you're planning ahead to position your business for defence work, we're here to help.

Book a free, no-obligation consultation and we'll walk you through exactly what's involved, assess where you are now, and give you a clear plan to get certified.

Why choose Cool Waters Cyber?

Genuine Done For You. Unlike higher DCC levels where the Certification Body is limited to an advisory role, at Level 0 we can roll up our sleeves and do the work with you. We prepare your documentation, build your evidence, and get you over the line. You won't be left staring at a blank questionnaire wondering where to start.

Deep expertise in the controls that matter. The DCC Level 0 requirements beyond Cyber Essentials, namely data protection and business resilience, map closely to the IASME Cyber Assurance framework. We certify organisations against IASME Cyber Assurance regularly, so the governance, resilience, and data protection topics in DCC Level 0 are areas we work in every day, not new territory.

One provider, the full journey. DCC Level 0 requires Cyber Essentials as a prerequisite. Most Certification Bodies can do one or the other. We're authorised for both, which means you deal with one team from start to finish, with no handoffs, no repeated conversations, and consistent advice throughout.

We've done it ourselves. Cool Waters Cyber holds DCC Level 0 certification. We haven't just read the guidance. We've been through the process, answered the questions, and supplied the evidence. That means we can give you practical, first-hand advice on what good looks like.

Supply chain expertise. We work with organisations across construction, public sector, and regulated industries to manage cyber compliance across complex supply chains. If your prime contractor has told you to get certified, we understand the pressure you're under and we know how to help you move quickly.

NCSC recognised. We are an NCSC Assured Service Provider and NCSC Cyber Advisor, providing an additional layer of credibility and assurance.

Thinking beyond Level 0?

DCC Level 0 is the foundation, but some contracts require higher levels of certification. At Levels 1 to 3, the scheme requires a separation between the organisation that helps you prepare and the Certification Body that assesses you. Cool Waters Cyber can support you at those levels too. Talk to us about your longer-term defence supply chain plans and we'll help you map out a route.