Defence Cyber Certification (DCC): Are You Meeting MOD’s New Cyber Security Standards?
May 11th, 2026
Categories: Security

TL;DR: The MOD is raising the bar on cyber security — and it affects your business too.

  • Defence Cyber Certification (DCC) Level 0 is now mandatory for all MOD suppliers.
  • The new Def Stan 05-138 Issue 4 extends the scope beyond MOD data to the entire supply chain — including suppliers’ suppliers.
  • Cyber Essentials certification is a baseline requirement at every DCC level.
  • If you work with MOD-connected organisations, you may already be in scope — and not know it.

The Ministry of Defence has quietly moved the goalposts on cyber security — and this time, the changes reach well beyond the traditional defence contractor. A major update to the UK’s Defence Standard 05-138 (Def Stan 05-138 Issue 4) came into effect in May 2024, introducing a new certification framework that is set to become mandatory across the entire MOD supply chain. If your business supplies to, or supports, any organisation that holds an MOD contract, this affects you.

What is Defence Cyber Certification?

Defence Cyber Certification (DCC) is the MOD’s formal framework for assessing and certifying the cyber security posture of its suppliers. Managed by IASME on behalf of the MOD, it replaces the older risk profile categories and introduces four clearly defined certification levels — each with progressively more demanding security controls.

  • Level 0 (3 controls) — basic cyber security practices. Now mandatory for all MOD suppliers.
  • Level 1 (101 controls) — a comprehensive cyber security programme. Required where low to moderate cyber risk is assessed.
  • Level 2 (139 controls) — advanced oversight and planning. For high-risk supply chain relationships.
  • Level 3 (144 controls) — expert-level, defence-in-depth capabilities. For the most sensitive contracted outputs.

Your MOD contract (or your client’s contract) will specify the required level — known as the Cyber Risk Profile. Achieving certification at a given level removes the need for repeated assessments on future contracts at or below that level, making it well worth pursuing proactively.

What’s changed with Issue 4?

Previous iterations of the Defence Standard focused primarily on protecting MOD-identifiable information. Issue 4 marks a significant shift — the scope has expanded to cover the overall resilience of the organisation against cyber threats. This isn’t just about locking down MOD data; it’s about ensuring that the entire enterprise can withstand and recover from a cyber attack.

Critically, this obligation doesn’t stop at the direct MOD supplier. It flows downstream into the supply chain. If a Tier 1 MOD supplier assesses that their own supply chain presents cyber risk, those Tier 2 and Tier 3 suppliers — businesses that may never have spoken directly to the MOD — can find themselves pulled into scope.

Cyber Essentials: the non-negotiable baseline

Regardless of which DCC level applies, Cyber Essentials certification is a mandatory requirement at every level — including Level 0. Your CE certification must cover the same scope as your DCC assessment, and you must commit to maintaining it for the full duration of any relevant contract or DCC certification period. Letting it lapse is an automatic failure.

For many smaller businesses, Cyber Essentials has historically felt like a tick-box exercise. Under the new DCC framework, it is the foundation on which everything else is built — and the MOD will be checking.

What does DCC Level 0 actually require?

For most businesses encountering DCC for the first time, Level 0 is the immediate concern. It involves just 3 controls — but don’t let that number mislead you. The questions are substantive and require documented evidence. They cover:

  • Holding valid Cyber Essentials certification aligned to your DCC scope.
  • A commitment to maintaining that certification throughout the contract period.
  • UK GDPR compliance — documented policies, procedures, and Data Protection Impact Assessments.
  • Resilient networks and systems — evidence that you have assessed your resilience needs and taken practical steps to meet them.

The assessment is submitted via the IASME portal and reviewed by an accredited Certification Body. It is not a self-declaration — your answers and evidence are formally assessed.

Don’t wait for a contract to force your hand

One of the smarter moves available to any business in or around the defence supply chain is to achieve DCC certification proactively — before a specific contract demands it. Organisations that hold a DCC certificate at a given level will not need to go through the full assessment process again for future contracts at the same level or below. That is a significant commercial advantage when bidding is time-sensitive.

Beyond the contractual angle, the process itself is valuable. The DCC framework is designed to surface gaps — areas where your cyber security posture falls short — and give you the opportunity to fix them before an assessor formally marks you as non-compliant. Think of it as a structured improvement programme with a certificate at the end.

How we can help

At Knowall IT, we already support clients through Cyber Essentials and Cyber Essentials Plus certification — the mandatory baseline for every DCC level. Our managed cyber security service is built around ISO 27001 certified practices, meaning the controls, documentation, and evidence trails that DCC assessors look for are already part of how we work with clients day to day.

If you’re unsure whether DCC applies to your business, or you want to understand where you stand, a free security risk assessment is a practical first step. DCC Level 0 is already mandatory — if you haven’t addressed it yet, now is the time.
