Today marks a significant milestone for the Periculo team, which has completed its Defence Cyber Certification (DCC) auditor training at Level 2 and Level 3, making Periculo one of the only firms in the UK currently qualified to assess and certify defence suppliers across all four levels of the scheme.
For UK defence suppliers facing increasing pressure to demonstrate independent cyber assurance, this matters.
The Defence Cyber Certification (DCC) is the Ministry of Defence's framework for supply chain cyber assurance, developed in partnership with IASME. It replaces the previous patchwork of per-contract self-assessments and Supplier Assurance Questionnaires (SAQs) with a single, independently verified, organisation-level certification, governed by DEF STAN 05-138 and aligned to the Cyber Security Model (CSM) version 4, which went live in December 2025.
The scheme is structured across four progressive levels, L0 through to L3, with each corresponding to the degree of cyber risk associated with a supplier's role in the MoD supply chain. All four levels are now open for assessment. While DCC is currently a voluntary certification, individual MoD contracts are beginning to reference it, and the trajectory is clear: early adoption positions you as a trusted, cyber-resilient supplier before the rest of the market catches up.
Unlike the old SAQ model, which relied on declared intent and varied widely in quality, DCC requires an independently verifiable, evidence-led demonstration that controls are in place and operating. Assessors interview staff, request live demonstrations, and verify operational evidence. Policies on paper will not pass.
Once issued, certification is valid for three years, with an annual check-in to confirm continued compliance.
All four DCC levels build progressively on DEF STAN 05-138, with each tier requiring a broader scope and greater depth of evidence.
Level 0 is the entry-level tier, designed for organisations with very low assessed cyber risk. It requires a valid Cyber Essentials certificate as a baseline and is worth achieving early, even before DCC appears in a contract, to demonstrate commitment to the supply chain.
Level 1 steps up the control requirements and remains grounded in Cyber Essentials. It covers the core of an organisation's IT infrastructure and is appropriate for suppliers with a moderate cyber risk profile.
Level 2 is where the scheme changes character significantly. Cyber Essentials Plus is required as a foundation, not just Cyber Essentials self-assessment.
The assessment extends across the full organisation: operational technology, physical security, supply chain management, and business continuity all fall within scope. Evidence requirements are substantially more demanding, and the audit process is more intensive.
Level 3 is the highest tier, intended for suppliers operating in the most sensitive areas of the defence supply chain. It carries the full breadth of controls defined in DEF STAN 05-138, requiring comprehensive incident response capability, advanced supply chain assurance, and demonstrable security culture across the entire organisation.
The level that applies to your organisation is determined by your Cyber Risk Profile (CRP), a structured assessment based on your contracts, the sensitivity of the data or systems you handle, and your position in the supply chain. You can apply for certification at any level, even without a current MoD contract, which can be a meaningful advantage when competing for future tenders.
DCC auditor training for L2 and L3 only recently became available. The combination of a brand-new scheme, complex control requirements at the higher tiers, and the specific qualifications required to assess at those levels means that very few organisations in the UK are currently certified to do so. This reflects the recency of the scheme and the structured training pathway that auditors must complete through IASME before they can assess at L2 or L3.
Our qualification at these levels is the result of Periculo's deliberate investment in DCC capability since the scheme was first announced, because we knew the defence supply chain would need qualified, independent auditors quickly once the higher levels opened.
That puts us in a strong position to support you through the full journey, from initial readiness through to certification and ongoing compliance.
Our Defence Cyber Certification service covers:
Gap analysis and readiness assessment. Before committing to a full audit, most organisations benefit from understanding exactly where they stand against DEF STAN 05-138 at their required level. We map your existing controls, identify gaps, and provide a practical remediation roadmap — prioritised based on your actual environment, not a generic checklist.
Evidence preparation and remediation support. DCC is an evidence-led scheme. We help you build and structure the documentation, logs, policies, and operational records that assessors will review, so nothing is left to chance on audit day.
Formal DCC assessment and certification. We conduct the independent assessment against your required level and, on success, issue your official DCC certificate through IASME's certification process.
DCC as a Service — ongoing managed compliance. Certification is the start, not the finish. Our managed service keeps you audit-ready year-round: continuous monitoring against DEF STAN 05-138, proactive gap identification, maintained evidence libraries, and support through your annual check-in and recertification cycle. It's the equivalent of having a dedicated compliance function without the overhead.
For organisations already holding Cyber Essentials Plus or ISO 27001, the preparation effort for DCC is typically reduced; existing controls and documentation often map directly onto DCC requirements, particularly at L2. If you hold CE+ already, you're further along than you may realise.
Organisations that certify ahead of any requirement demonstrate proactive commitment to supply chain security, avoid the scramble when it does appear in contracts, and strengthen their position in competitive tenders. If any of the following apply, early engagement makes sense:
Prime contractors whose subcontractor networks are beginning to receive DCC requirements flowing down through the supply chain. If you're a prime, you need to understand your own certification level and the assurance requirements you'll need to pass on to third parties.
Specialist SMEs appearing in defence tenders for the first time. Understanding your CRP early, before a bid deadline, gives you time to remediate gaps rather than scramble to comply. Achieving DCC certification before it's required also positions you ahead of competitors who haven't started.
Organisations already investing in security assurance (those holding Cyber Essentials Plus or ISO 27001) who want to understand how that existing investment maps to DCC and what the gap looks like at their likely level.
Drone and emerging technology suppliers entering the defence space, where cyber risk profiles can be high and contract requirements are evolving quickly.
The Periculo team are ready to support you from wherever you are in the process, whether you're starting from scratch or already hold Cyber Essentials Plus and want to understand the path to L2 or L3 certification.
Book a call with our team to talk through your Cyber Risk Profile, your likely certification level, and what preparation would realistically involve.
You can also explore our full range of defence security services, including supplier assurance and penetration testing, on the Periculo website.