Cyber threats targeting the UK Defence sector have intensified in recent years, driven by geopolitical instability, the war in Ukraine, and rising tensions in the Middle East. The MOD’s supply chain is vast, with the MOD stating that “130,000 indirect jobs were supported in the UK supply chain”, making it a prime target for threat actors.
This supply chain is particularly vulnerable due to inconsistent cybersecurity maturity among suppliers. While Cyber Essentials has become a widely adopted baseline, its Basic level relies on self-assessment, offering limited assurance. To encourage more robust practices, both HMG and the MOD have introduced Secure by Design principles, though they follow different frameworks: HMG aligns with the NCSC’s 10 Principles, while the MOD uses NIST standards.
To address these vulnerabilities, the MOD released DEFSTAN 05-138 Issue 4, a framework that defines four levels of cyber assurance based on an organisation’s risk profile. It encourages suppliers to assess their cybersecurity posture, identify gaps, and implement remediation plans.
However, without a formal certification process, assessing compliance was challenging. That’s where the Defence Cyber Certification (DCC) comes in.
Developed by the MOD in collaboration with IASME, DCC provides independent assurance that organisations meet the cybersecurity requirements outlined in DEFSTAN 05-138, tailored to their risk level and contractual obligations.
The DCC framework is tiered, ranging from Level 0 (Basic) to Level 3 (Expert). All applicants must first achieve Cyber Essentials, with higher levels requiring Cyber Essentials Plus.
The certification journey includes:
Numerous resources are available to support this journey, including the DCC website and guidance from the National Cyber Security Centre (NCSC).
Achieving Defence Cyber Certification (DCC) offers significant advantages for organisations operating within the defence sector. Certification enhances credibility with the MOD and potential clients by demonstrating adherence to stringent cybersecurity standards, ultimately strengthening an organisation's cyber resilience and providing a competitive edge when bidding for projects.
To prepare for certification, organisations should thoroughly understand the DCC process and DEFSTAN 05-138 requirements, conduct a comprehensive self-assessment, and develop a robust cybersecurity plan. Fortunately, ample resources are available to assist in this process, including the official DCC website and guidance from the National Cyber Security Centre (NCSC).
At Salus, we’ve taken a proactive approach by successfully achieving both Level 0 and Level 1 DCC certification. This dual achievement reflects our commitment to foundational cybersecurity and continuous improvement.
Defence Cyber Certification is a crucial step in ensuring that organisations meet the highest standards of cybersecurity. By understanding both the benefits and the certification process, organisations can strengthen and sustain their reputation as trusted suppliers to the MOD.
We’re now helping other organisations navigate the DCC journey, from initial gap analysis to tailored remediation planning. Our team of experts understands the nuances of DEFSTAN 05-138 and can guide you through every step of the certification process.
To learn more about how we can assist your organisation, or if you have any questions, feel free to contact us at info@saluscyber.com.