Where does DCC come from?

DCC did not appear out of nowhere. It sits on top of the MOD Cyber Security Model, the move from Def Stan 05-138 Issue 3 to Issue 4, and a much broader view of supplier resilience.

DCC can feel like a brand new requirement, but it is really the next step in a wider change to how Defence looks at supplier cyber security.

Under the legacy Cyber Security Model v3, the focus was mainly on protecting MOD Identifiable Information. With Cyber Security Model v4, and Def Stan 05-138 Issue 4, that focus has shifted to broader organisational security and resilience.

Def Stan 05-138 Issue 4 no longer looks only at a narrow information boundary. It is aimed at the resilience of the wider organisation delivering the work.

That change is exactly where DCC comes from.

From Def Stan i3 to i4

Def Stan 05-138 Issue 3 sat behind the older CSMv3 model. That older model used the familiar Very Low, Low, Moderate and High risk profiles, and was much more closely tied to the protection of MOD information.

Issue 4 is different.

It underpins CSMv4, introduces the new Level 0 to Level 3 structure, and moves the conversation onto whether the supplier organisation is actually resilient enough to deliver securely.

That means businesses need to think beyond just the obvious MOD-facing systems and data. If a function, service, team or system is necessary to keep the business operational and able to deliver the MOD work, it can fall into scope. Even business functions that do not directly support the MOD contract may still need to meet the DCC controls if the organisation depends on that revenue and operating model to continue delivering the MOD service.

That is why DCC feels broader than the old model. In many cases, it really is.

So where does DCC fit?

DCC is the independent certification route that sits alongside the Cyber Security Model. The MOD describes it as a way of independently evidencing compliance with the Cyber Security Model.

In other words, the SAQ is still the tendering mechanism, but DCC is the formal certification route that proves an organisation has been assessed against the relevant level.

What about the levels?

There are four DCC levels in total, from Level 0 through to Level 3.

In practice, most suppliers are going to be looking at Level 0 or Level 1. Level 3 exists in the model, but is unlikely to be practically obtainable for most organisations.

Punk Security can certify suppliers to Level 0 and Level 1, which will be the right fit for the vast majority of businesses entering the scheme.

It is also worth getting clarity early. There is no upgrade path where you simply assess the difference between one level and the next, so businesses should either confirm the level they actually need, or start with Level 0 to get familiar with the scheme before moving further.

Can you still self-assess when tendering?

Yes.

At the moment, suppliers still complete the SAQ through the Supplier Cyber Protection Service as part of tendering and contractual processes. Even if you already hold DCC, the current MOD guidance says completion of the SAQ remains mandatory for now.

That matters because some organisations assume DCC replaces the questionnaire completely. At the time of writing, it does not.

Why are more businesses being asked for DCC?

This is where the practical reality starts to matter.

You may still be able to bid by completing the self-assessment questionnaire, but more suppliers are seeing DCC come up for three reasons:

  1. It gives independent evidence of compliance rather than self-attestation alone.
  2. It may strengthen your position in competitive tenders where buyers want more confidence.
  3. Your prime may require it before passing work down the supply chain.

That last point is particularly important. IASME states that the level required for a contract may be decided by the MOD or your Prime, so some businesses will encounter DCC through supply chain flow-down before they ever see it directly from the MOD.

The short version

DCC comes from the MOD’s move away from a narrow MOD-information model and towards whole-organisation cyber resilience.

The self-assessment questionnaire is still part of tendering, but DCC is becoming the stronger way to demonstrate that your answers stand up to independent scrutiny.

If you are bidding into Defence, it is worth understanding both parts now: the SAQ for procurement, and DCC for the assurance expectations that increasingly sit behind it.

For more information, email us at [email protected] or call us on 01609 635 932

Author

Simon Gurney

- CTO -

Simon is one of the Punk Security Directors and has over 17 years' experience working within IT, primarily focused on automation and InfoSec.