The construction company Morgan Sindall Group has become the first organisation to achieve certification under the new Defence Cyber Certification (DCC) scheme. The DCC cyber security framework was developed by the certification body IASME with the Ministry of Defence (MoD). The aim; to aid the cyber resilience of the UK’s defence supply chain. Dr Emma Philpott, CEO of IASME, said: “We are thrilled to collaborate with the Ministry of Defence on the Defence Cyber Certification scheme and very grateful to the cyber security experts who have been so generous with their time to help us develop the scheme.”
Threats
Cyber threats to the defence sector are growing, those in the field say, in frequency and sophistication. According to the 2024 Data Threat Report from defence contractor Thales, the vast majority (93 per cent) of organisations in the CNI sector have observed an increase in cyber attacks. Hence the Defence Cyber Certification (DCC) scheme as a response, for those in the defence supply chain, regardless of size, are equipped to defend against cyber risks. The DCC certification emphasises the overall security and resilience of an organisation and is structured into four levels, L0-L3. Each level corresponds to a degree of cyber risk associated with a supplier’s role in the MoD supply chain.
Eleanor Fairford – Director Cyber Defence and Risk, at the MoD, said: “Defence Cyber Certification (DCC) strengthens cyber resilience in the UK’s defence supply chain. Organisations obtaining and maintaining DCC prove their ongoing commitment to UK Defence.”
Certification
While the MoD assigns the required level for suppliers working on specific contracts, organisations are not limited to applying for certification only at the level specified in their contracts. Applicants can apply for certification at any level, even if they are not engaged in an MoD contract. This allows organisations to show their commitment to cyber resilience, prepare for future opportunities, and avoid the need for repeated assessments on a contract-by-contract basis, organisers add.
The certification process involves a point-in-time assessment against the uplifted UK Defence standard. Compliance with this UK Defence standard for cyber resilience in organisations will soon become a requirement in all defence procurement and contract activities. Certification allows suppliers to submit their certification in satisfaction of MoD requirements and provides a ‘badge’ that signals to other buyers that the organisation is taking cyber resilience seriously.
Framework
The DCC scheme aligns with international best practices in cyber security, showing that organisations certified under the scheme meet globally recognised standards, IASME adds. All levels start with Cyber Essentials certification, with Levels 2 and 3 requiring the more detailed Cyber Essentials Plus certification.
Phased rollout of certification levels
The scheme’s first certification level, Level 0, is now live for applicants, marking the official start of this programme. The DCC scheme’s higher certification levels will become available in the coming months. ISAME pointed to the contributions of Hexegic, Arcanum, Stratia, Bridewell, and C3IA in helping IASME shape and refine the scheme.
Why certify?
The DCC scheme provides defence suppliers with a valuable opportunity to enhance their cyber security posture while gaining a competitive edge in the industry. Certification demonstrates a commitment to cyber resilience, bolstering an organisation’s reputation and positioning it as a trusted partner for MOD contracts. Proactively achieving certification allows organisations to meet MOD requirements in advance, simplifying compliance and future-proofing their operations.
How to get started
Organisations interested in certifying to the DCC scheme can begin the process by contacting IASME or one of its assured DCC Certification Bodies. For more information about the DCC scheme and the process of certifying, read the blog here.
About IASME
The cyber security certification company is based in the Malvern Hills, with an office in Belfast and one in Dalgety Bay, near Edinburgh. It’s the UK official National Cyber Security Centre’s sole Deliver Partner for the Cyber Essentials scheme. Visit https://iasme.co.uk.
