Preparing for DCC Evidence Requirements


The Defence Cyber Certification (DCC) scheme, launched in 2025, represents a fundamental shift in how the MOD validates cyber security across its supply chain. Unlike the previous Supplier Assurance Questionnaire (SAQ) approach that relied on self-assessment, DCC introduces independent, third-party verification of controls outlined in DefStan 05-138.

For defence suppliers, this transition from “we have controls” to “we can prove our controls work” requires a different approach to evidence collection and documentation. While DCC certification is not yet mandated for every MOD contract, suppliers should expect to see increasing requirements to hold valid DCC certification for the duration of applicable contracts. Early preparation remains essential for maintaining competitive positioning.

With CSMv4 soon to be launched under Industry Security Notice 2025/04, the Defence Cyber Certification (DCC) scheme will operate within the live MOD assurance framework. Under the CSM process, the MOD Delivery Team completes the contract Risk Assessment (RA) to assign a Cyber Risk Profile (CRP0–CRP3), while suppliers complete the corresponding Supplier Assurance Questionnaire (SAQ) via the MOD’s online tooling and use DCC certification to evidence control effectiveness against the assigned CRP.

Understanding the DCC Assessment Framework

The DCC scheme operates across four progressive levels, each corresponding to different Cyber Risk Profiles (CRP):

  • Level 0: 3 controls, with Cyber Essentials required
  • Level 1: 101 controls, with Cyber Essentials required
  • Level 2: 139 controls, with Cyber Essentials Plus required
  • Level 3: 144 controls, with Cyber Essentials Plus required

Levels are independent (you can certify directly at any level). A certificate provides a single, organisation‑level assurance that can be presented in support of UK Defence procurements; the MOD sets contract requirements and will specify the level where it is required. Certification is valid for three years, with annual attestations (and maintaining valid Cyber Essentials/Plus) required to maintain compliance.

The key difference from previous approaches is that DCC assessments are conducted by IASME-accredited Certification Bodies, requiring verifiable evidence that controls are not just documented but effectively implemented and operational.

The Evidence Challenge

Traditional defence supplier assurance often focused heavily on policy documentation. Having comprehensive information security policies, detailed procedures, and evidence of staff training was typically sufficient to demonstrate compliance. Under DCC, these remain important foundations, but they’re no longer enough on their own.

IASME-accredited assessors will be looking for operational evidence that controls are working in practice. This shift requires organisations to think beyond policy documents toward demonstrable proof of control effectiveness. The question becomes not just “do you have this control documented?” but “can you show evidence that this control is implemented and working?”

This represents a particular challenge for organisations that have operated successfully under previous MOD cyber requirements but may not have established systematic evidence collection processes. Many suppliers will find themselves needing to retrofit evidence collection capabilities around existing security controls.

What Effective Evidence Collection Looks Like

During the early phase of the scheme, applicants obtain guidance and supporting documents from IASME and the assessing Certification Bodies. Successful evidence collection typically encompasses several key areas:

  • Policy Implementation Evidence: Documentation showing how policies translate into operational practice. This includes configuration standards, deployment procedures, and regular review processes that demonstrate policies are actively maintained and followed.
  • Control Effectiveness Monitoring: Regular testing and validation activities that prove controls continue to work as intended. This might include vulnerability assessments, access reviews, system monitoring reports, and incident response exercises.
  • Training and Awareness Records: Evidence that staff understand their security responsibilities and are equipped to implement controls effectively. This goes beyond attendance records to include competency assessments and role-specific training outcomes.
  • Third-Party Management Documentation: For organisations using external suppliers or managed services, evidence of due diligence processes, contract security requirements, and ongoing monitoring of third-party security posture.

The common thread is that assessors want to see security as an operational discipline, embedded in day-to-day business processes and continuously improved based on real-world experience.

Building Evidence Collection Capabilities

For organisations preparing for DCC certification, establishing robust evidence collection capabilities should be a priority. This involves several strategic considerations:

  • Systematic Documentation: Moving beyond ad-hoc record keeping toward systematic documentation processes that capture evidence consistently. This includes establishing clear responsibilities for evidence collection and regular review cycles to ensure completeness.
  • Automated Monitoring and Reporting: Where possible, implementing tools that can automatically capture evidence of control effectiveness. This reduces manual overhead and provides more consistent, reliable evidence for assessments.
  • Regular Internal Reviews: Conducting periodic internal assessments to ensure evidence collection processes are working effectively and identify any gaps before formal certification assessments.
  • Integration with Business Processes: Embedding evidence collection into existing business processes rather than treating it as a separate compliance exercise. This ensures evidence collection becomes part of normal operations rather than an additional burden.

This is where managed services can support compliance efforts. Platforms designed for defence‑grade operation often implement many of the technical measures referenced in DEFSTAN 05‑138. For example, secure managed services like DISX enforce policy configurations, access controls, system hardening and monitored operations that can help organisations evidence technical control implementation. Certification under DCC, however, is organisation‑level, and responsibility for evidence collection ultimately remains with the supplier. Solutions like DISX can simplify that task by ensuring compliant configurations and monitoring mechanisms are in place by default, but they do not transfer the obligation to collect and present the evidence.

Preparing for Annual Attestations

One of the key features of DCC is the requirement for annual attestations between full three-year assessments. This means organisations must maintain evidence collection and control monitoring throughout the certification period, not just during assessment windows.

This continuous requirement changes how organisations need to approach their security operations. The traditional model of “preparing for audit” gives way to “always being assessment-ready” – which requires different processes and a different mindset.

Successful organisations typically establish quarterly or bi-annual internal review cycles that mirror the assessment process. This helps ensure evidence collection remains current and identifies any gaps before they become issues during attestation reviews.

Getting Ahead of the Requirements

For defence suppliers planning to pursue DCC certification, early preparation is essential. Start by identifying your likely CRP level based on the types of MOD contracts you pursue, then map your current controls against the relevant DCC requirements.

Conduct a gap assessment focused specifically on evidence collection capabilities. Review your existing security controls and ask not just “do we have this control?” but “can we demonstrate this control is working effectively?” Identify where evidence collection is manual, inconsistent, or absent entirely.

Consider engaging with IASME-accredited Certification Bodies early to understand their assessment expectations and evidence requirements. While specific assessment criteria are still being finalised, early engagement can help inform your preparation strategy.

Most importantly, start building evidence collection capabilities now, even if certification isn’t immediately required. Organisations that establish these foundations early will be better positioned to respond quickly when DCC becomes mandatory for their contract types.

The Strategic Opportunity

While DCC represents new compliance requirements, it also offers strategic opportunities for well-prepared organisations. Suppliers that achieve certification early will be better positioned to win contracts, differentiate themselves from competitors, and demonstrate mature cyber posture to prime contractors.

The evidence collection capabilities required for DCC also drive genuine improvements in security operations. Organisations that embrace this shift often find themselves not just certified, but genuinely more secure and operationally resilient.

The key is recognising that DCC preparation isn’t just about meeting new compliance requirements – it’s about building better security operations that provide lasting value beyond certification.

For organisations looking to stay ahead of compliance demands while reducing internal overhead, adopting secure managed services that are aligned with DCC, such as DISX, can provide a strong operational foundation for both certification and day-to-day cyber resilience.


About Logiq:

Logiq is a NCSC-assured cyber security consultancy and secure managed services provider focused on safeguarding critical organisational data. Our clients are amongst the most demanding in the world and have some of the most stringent and complex security needs. We help to design and develop innovative solutions that enable them to focus on delivering their business securely.