TL;DR: DCC obligations don’t stop at the MOD’s direct suppliers — they flow downstream.
A client calls and asks whether you hold Cyber Essentials certification. Or a tender arrives with a new section on cyber security requirements that wasn’t there last year. Or a long-standing contract comes up for renewal and suddenly there’s a questionnaire about your information security policies. If any of this sounds familiar, you’re not imagining it — and it’s not a coincidence. It’s the MOD’s new Defence Cyber Certification framework making its way through the supply chain, and it’s heading in your direction.
Under the new Defence Standard 05-138 Issue 4, MOD contractors don’t just have to demonstrate their own cyber security — they have to understand and manage the cyber risks that arise from their dependencies on external suppliers. That obligation is baked directly into the DCC control framework at Level 1 and above.
In plain terms: if a business holds an MOD contract, the MOD expects it to know who it is buying services from, assess the risk those suppliers introduce, and take appropriate steps to manage it. An IT provider with access to a contractor’s systems and data is an obvious place to start asking questions.
The MOD supply chain isn’t a single tier. A large defence contractor typically relies on dozens of technology partners, software vendors, cloud providers, and managed service providers to deliver its contracted output. Each of those relationships represents a potential route for a cyber attacker to reach sensitive systems or data.
The new framework explicitly acknowledges this. It requires Tier 1 MOD suppliers to establish and maintain documented trust relationships with their external service providers — based on clearly defined security requirements. That documentation has to exist. It has to be auditable. And it has to reflect actual assessments, not assumptions.
The practical consequence is straightforward. If your business provides managed IT support, cyber security services, cloud hosting, or any other technology service to a business that holds an MOD contract, your client now has a formal obligation to understand your security posture. And if they can’t demonstrate that understanding to their assessor, it becomes their problem — which means it quickly becomes yours.
The specific questions vary depending on the client and their DCC level, but the themes are consistent. Expect to be asked about:
These aren’t unreasonable questions. They’re the same questions a well-run business should be able to answer regardless of whether a client is asking. But if you haven’t formalised this — if the answers live in someone’s head rather than in documented policies and auditable processes — then you have a gap that will eventually cost you a contract.
There’s a temptation to treat these requests reactively — answer each questionnaire as it arrives, patch together a response, move on. That approach has a short shelf life. As DCC becomes embedded across the defence supply chain, the volume and rigour of these requests will only increase. Clients will start to favour suppliers who can provide immediate, evidenced assurance over those who scramble to respond.
More importantly, the businesses that build their security posture proactively — rather than in response to individual client demands — are the ones that win contracts rather than lose them. A current Cyber Essentials Plus certificate and ISO 27001 certification don’t just answer the question. They close it before it’s asked.
At Knowall IT, we hold ISO 27001 certification — the internationally recognised standard for information security management. Our managed cyber security service is built around the same controls and evidence frameworks that DCC assessors look for. And our fully managed Cyber Essentials certification service takes the entire process off your plate — from gap assessment through to submission and sign-off.
If your clients are starting to ask about your cyber security, or you want to get ahead of the question before they do, a free security risk assessment is the practical first step. It maps where you stand today against the frameworks your clients — and their clients — are increasingly required to evidence.