
What the Defence Cyber Certification means for the defence supply chain (and where to start)

If you supply to the UK Ministry of Defence, or want to, you now need to align with the Defence Cyber Certification (DCC). Developed by the Ministry of Defence (MOD) and IASME, the DCC sets out the cyber security standards that defence suppliers are expected to meet as part of a broader national cyber strategy to protect the UK’s most critical assets from the ground up. Vendors within the UK defence supply chain will start to see DCC certification written into contract conditions as standard.

The MOD has long recognised the risks posed by the supply chain. It is one of the most reliably exploited routes into critical systems, and “weakest links” risks are real: attackers don’t always go after the prime contractor directly. They target a smaller supplier with weaker defences and use that foothold to work their way in. Nearly 70% of respondents to the WEF’s latest Cybersecurity Outlook report said supply chain disruption had increased in the past year. CISOs consistently rank it among their top concerns, and close to 80% of highly resilient organisations say it’s their biggest blocker to resilience. The MOD has drawn the logical conclusion: if you’re in the supply chain, your security posture is their problem too.

How the framework works

The DCC operates across four levels, from Level 0 to Level 3, each reflecting the assessed cyber risk of a supplier’s role in the defence supply chain. It functions as a cyber assurance framework, giving the MOD a consistent, verifiable way to assess the security of every organisation it works with, regardless of size or sector.

All levels begin with Cyber Essentials certification, the government-backed scheme overseen by the National Cyber Security Centre (NCSC) that sets out the baseline controls every organisation should have in place. Levels 2 and 3 also require Cyber Essentials Plus, which involves independent technical verification rather than self-assessment. The controls at each level cover governance and policy, data security, malware protection, personnel vetting and awareness, supply chain cyber security within your own supplier network, and resilience planning. Level 3, the highest tier, requires demonstrating what the MOD calls a “defence in depth” approach, essentially ensuring that your security posture doesn’t collapse the moment a single control is bypassed.

For example, if an attacker gets past your perimeter firewall, can they then walk straight into your systems? Or do they hit Multi-Factor Authentication (MFA), then network segmentation, then access controls that limit what they can reach even with valid credentials? Each layer buys time and limits damage. The idea is that no single point of failure brings everything down.

The number of controls scales with the level: from 3 controls at Level 0 to 144 at Level 3. Most suppliers to the defence sector will be working toward Levels 1 or 2.

What defence suppliers need to do now

If you’re working through DCC alignment for the first time, the practical steps look roughly like this.

  • Start by identifying which Cyber Risk Profile applies to each of your MOD contracts
  • Run a gap analysis against the controls required at that level
  • Get Cyber Essentials (or Plus, if needed) and engage an IASME-accredited certification body
  • Gather your evidence: policies, logs, training records, third-party assessments. The MOD maps its requirements to Def Stan 05-138, so your controls need to align with that standard

Once assessed, compliance isn’t a one-time event. The certification requires annual reviews and recertification every three years.

The DCC is open to applicants at any level, even if you’re not currently in an active MOD contract. Getting ahead of it now is sensible, since the requirement is only going to become more embedded in procurement processes.

MFA is a good place to start

One of the simplest things you can do to begin aligning with the DCC framework is also one of the most effective: get MFA in place across your organisation.

Stolen credentials are the initial access vector in 22% of confirmed breaches. A password on its own isn’t enough. MFA adds a second, independent proof of identity and is one of the most direct forms of identity protection available, so that even if login details are leaked, brute-forced, or bought off the dark web, an attacker still can’t get in without the second factor. The caveat is that not every second factor holds up equally: one-time codes and push approvals can be phished or relayed in real time, or worn down by repeated prompts, so the type of MFA you deploy matters as much as having it.

The DCC framework addresses user access control at every level. Cyber Essentials, which all DCC levels require, already requires MFA for users of cloud services wherever the service supports it. Getting MFA deployed across staff accounts, admin systems, and any vendor access is a straightforward way to demonstrate that you’re taking cyber protection seriously, and it puts you in a stronger position for the broader assessment.

For defence suppliers handling sensitive contracts, phishing-resistant MFA isn’t a nice-to-have. It’s what the NCSC and CISA actively recommend. With phishing-resistant MFA, particularly FIDO2/WebAuthn, the authenticator signs a challenge issued by the service, and that signature is bound to the legitimate service’s identity (its origin). A login captured or relayed through a lookalike site therefore fails verification, and there is no reusable code for an attacker to harvest. Implementing it early means you’re ahead when formal DCC assessment comes around.

Authentication in air-gapped and on-premise environments

Not all defence suppliers are running standard cloud infrastructure, and the DCC framework accounts for that. Many organisations working with the MOD operate in air-gapped or tightly controlled on-premise environments where the usual cloud-based authentication tools simply don’t fit. If your network has no outbound internet connection, an MFA solution that phones home to a cloud service to deliver a push notification is going to be a problem.

This is more common in the defence cyber sector than vendors often acknowledge. Mobile phones may be prohibited on-site for safety or security reasons. Users may not be willing, or permitted, to install corporate software on personal devices. And for systems handling classified or operationally sensitive data, cloud-based authentication introduces dependencies and potential exposure that compliance mandates won’t accept.

For these environments, the authentication method matters as much as the requirement. SMS-based and app-push MFA both rely on external connectivity, which makes them unsuitable for fully isolated networks. The more appropriate options are OTP apps that generate codes locally (time-based codes need only a reasonably synchronised clock on the device and the server), hardware tokens that operate entirely offline, or certificate-based and FIDO2 approaches where the cryptographic authentication happens between the device and the local system without touching the internet.

There’s also the question of enrolment. In a high-security environment, enrolling users through a web portal introduces cyber risk: internal directory credentials may pass through an external service, and the security of that pathway is difficult to guarantee. On-premise enrolment, where the process stays entirely within the local network, removes that exposure.
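As an added example (this is illustration code, not SecurEnvoy’s product and not anything the DCC or Def Stan 05-138 prescribes), the block below sketches the two pieces of an offline OTP path described above: on-premise enrolment, where the shared secret is generated and the otpauth:// URI built entirely on the local server, and RFC 6238 time-based code verification with a small clock-skew window and a replay guard. The TotpVerifier class, its in-memory store and the issuer name are assumptions; the only external input is the test secret published in RFC 6238, used in the usage call at the bottom.

```python
"""Offline TOTP provisioning and verification for an on-premise authentication
server (RFC 4226 HOTP / RFC 6238 TOTP).  Nothing here needs outbound
connectivity: the shared secret is generated locally, the enrolment URI is
built locally for display on an internal page or QR code, and codes are
checked with HMAC against the server's own clock.

Added example for illustration only; the TotpVerifier API, its in-memory
store and the issuer name are assumptions, not a product interface.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Dict, Optional
from urllib.parse import quote

STEP = 30        # RFC 6238 default time step, seconds
DIGITS = 6       # code length
SKEW_STEPS = 1   # accept steps T-1, T, T+1 to tolerate small clock drift


def generate_secret(nbytes: int = 20) -> str:
    """Random shared secret, Base32-encoded as authenticator apps expect."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def enrolment_uri(secret_b32: str, account: str, issuer: str) -> str:
    """otpauth:// URI for the on-prem enrolment page to render as a QR code.
    The secret is embedded here and never leaves the local network."""
    label = quote(f"{issuer}:{account}", safe=":")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={STEP}")


def hotp(secret_b32: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to DIGITS decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def totp(secret_b32: str, at: int) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret_b32, at // STEP)


class TotpVerifier:
    """Server-side verifier.  Accepts a code from any step within +/-SKEW_STEPS
    of the server clock, but never a step at or before the last one accepted,
    so a code copied from a screen or a log cannot be replayed."""

    def __init__(self) -> None:
        self._secrets: Dict[str, str] = {}
        self._last_step: Dict[str, int] = {}

    def enrol(self, user: str, issuer: str = "Example Defence Ltd",
              secret_b32: Optional[str] = None) -> str:
        """Create (or import) the user's secret and return the enrolment URI."""
        secret_b32 = secret_b32 or generate_secret()
        self._secrets[user] = secret_b32
        self._last_step[user] = -1
        return enrolment_uri(secret_b32, user, issuer)

    def verify(self, user: str, code: str, now: Optional[int] = None) -> bool:
        secret_b32 = self._secrets.get(user)
        if secret_b32 is None or len(code) != DIGITS or not code.isdigit():
            return False
        current = (int(time.time()) if now is None else now) // STEP
        for step in range(current - SKEW_STEPS, current + SKEW_STEPS + 1):
            if step <= self._last_step[user]:
                continue  # this step (or an earlier one) has already been used
            if hmac.compare_digest(hotp(secret_b32, step), code):
                self._last_step[user] = step  # burn this step and all before it
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B test secret ("12345678901234567890" in Base32).
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    v = TotpVerifier()
    print(v.enrol("alice", secret_b32=rfc_secret))
    t = 1111111109
    print(totp(rfc_secret, t))                   # 081804 (6-digit form of RFC vector 07081804)
    print(v.verify("alice", "081804", now=t))    # True
    print(v.verify("alice", "081804", now=t))    # False: replay of a used step
```

The replay guard is the part worth copying: a verifier that only checks the skew window will happily accept the same six digits twice within the 30-second step, which is exactly the window an attacker watching a screen or a log has. Recording the last accepted step per user, and storing it somewhere that survives a restart, closes that gap without any external dependency.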

The principle of least privilege applies here too. Not every user needs the same authentication path. A member of staff accessing a low-risk internal tool has different requirements from an administrator with access to critical systems or an external contractor with time-limited network access. The DCC framework’s tiered approach reflects this, and your user access controls should too.

For suppliers assessing DCC compliance, the question to ask is whether your current MFA solution would actually work in your most restricted environment. If the answer involves a carve-out or a workaround, that’s worth addressing before a formal assessment surfaces it.

Getting started

The DCC isn’t a quick tick-box exercise, but the path to certification doesn’t require starting from scratch. Most organisations already have some controls in place. A gap analysis against your target DCC level will show you what’s missing, and in most cases, getting authentication right, including in any air-gapped or on-premise parts of your environment, sits near the top of that list.

SecurEnvoy has spent over 20 years working with organisations in regulated and high-risk sectors on supply chain cyber security, including those with complex on-premise and air-gapped requirements. If you’re working through DCC requirements and want to understand how MFA fits into your broader security posture, get in touch.

Published: 15 April 2026

Category: Industry News

Access Management / Compliance / Defence / MFA
