27 June 2025

Navigating the Defence Cyber Certification with FSP

The Defence Cyber Certification (DCC) is a new cyber security certification scheme launched in 2025 by the UK Ministry of Defence (MOD), in collaboration with IASME.

It aims to strengthen the cyber resilience of the UK Defence supply chain by introducing a formal, risk-based framework for assessing and assuring the cyber security posture of defence suppliers.

As part of this initiative, DCC certification will become mandatory for all suppliers working on MOD projects below the ‘Secret’ classification level.

We’re proud to share that FSP is one of only five organisations accredited to deliver DCC certifications. This positions us at the forefront of supporting defence suppliers in meeting these critical new standards and contributing to the UK’s national cyber defence strategy.

So, we know it’s a mandatory requirement. What are the most important things organisations should know, and what are the benefits moving forward?

What you need to know and how to prepare

Until now, cyber compliance was largely self-assessed. With DCC, that’s changing. You’ll now need to formally certify that your cyber security controls are in place and working, and that certification will be independently verified.

What does this mean for you, in a nutshell?

  • If you already follow DefStan 05-138, you’re on the right track. DCC doesn’t add new controls; it just checks they’re actually working.
  • You’ll be assigned a Cyber Risk Profile (CRP) for each MOD contract, which determines the level of certification you need, from basic to expert.
  • Cyber Essentials or Cyber Essentials Plus will be required, depending on your level.
  • Certification lasts three years, with annual check-ins to stay compliant.

Getting ready

Here’s a simple, tried-and-tested checklist to help you prepare:

  1. Know your CRP – Understand the risk level of your MOD contracts.
  2. Do a gap analysis – Check if your current controls meet the DCC level you’ll need.
  3. Gather your evidence – DCC is all about proving what you do, not just saying it.
  4. Train your team – Cyber resilience is everyone’s responsibility.
  5. Check your suppliers – You’ll need to show they’re secure too.
  6. Get ahead – Even if it’s not mandatory yet, it will be soon. Utilise this time to do it properly.

How FSP can help

As one of only five organisations authorised to deliver DCC certifications, we are here to guide you through it, and we’ve already helped several organisations. Whether you’re just starting or already partway there, we’ll help you understand what’s needed, close any gaps, and get certified with confidence.

We’d love to hear from you. Get in touch via dcc@fsp.co