The Ministry of Defence have asked all industry partners to achieve Level 0 of the Defence Cyber Certification (DCC) by 31st December 2026, which includes a requirement for obtaining Cyber Essentials for all applicable business-critical systems within scope.
The cyber landscape is rapidly changing, and supply chain security has never been more important. The recently announced Cyber Resilience Pledge and the forthcoming National Cyber Action Plan (NCAP) and Cyber Resilience Bill are asking all organisations to reassess their cyber resilience and harden their critical supply chains. The DCC is the next step to a more secure defence industry. The UK needs to ensure that Defence and its partners are protected.
To support this transition, suppliers must be encouraged to work towards this objective and to ensure that any subcontractor timescales are set appropriately, where higher levels of certification are required at lower tiers in the supply chain.
The Ministry of Defence would like to share a success story of an organisation becoming DCC accredited.
Lockheed Martin has received the first DCC Level 3 certification, a landmark moment in cyber resilience and industry.
This is a massive win for Defence and industry, but also for the UK. This shows that not only is the DCC certification capable of being realised across all of industry, large and small, but that cyber resilience for UK industry is achievable.
“I am delighted that Lockheed Martin have successfully achieved L3 of the new Defence Cyber Certification demonstrating excellent cyber resilience in their business supporting UK Defence.”
Cyber Defence & Risk’s Director, Eleanor Fairford
"It is a fantastic achievement for Lockheed Martin to become the first large company to achieve Defence Cyber Certification Level 3. This certification demonstrates a strong leadership in cyber security and shows that the DCC Level 3 is rigorous but achievable, even for the largest of organisation.”
IASME CEO, Emma Philpott MBE
James Shortle, Lockheed Martin’s EMEA Information Security Officer, gives us a unique glimpse inside the process of becoming certified with the DCC, the unexpected opportunities that arose, and why the DCC offers a clear, authoritative standardised benchmark that strengthens both internal and external confidence for primes.
What made you decide to become certified with the DCC?We wanted independent confirmation that our understanding of the DCC framework was accurate and that our cyber controls were aligned with what the defence sector expects. Although we already operate a strong internal governance model, Level 0 certification gave us the opportunity to validate our approach and ensure we were aligned before progressing to the higher certification levels. Upon completion of the Level 0 we set about our mission to achieve the Level 3 to build on our assurance offering.
How did you find your experience of finding and selecting a certifying body to work with? What was your experience of working towards DCC certification?Surprisingly easy. We focused on finding a certification body with genuine defence sector experience and a clear grasp of the DCC framework. The organisations we spoke to were transparent about their assessment approach, evidence expectations, and timelines. This made it easy to identify a certification body whose approach we could ensure understood the size and complexity of our organisation.
Scoping of the certification was something that proved complex owing to how we operate as a large enterprise organisation. We finally adopted a scope that is akin to international and ensures that we able to differentiate the difference between an “Organisation” level certification meeting the requirements of DCC (DefStan-05-138) but also Secure by Design for our program related contract deliverables.
What value does DCC have for you as an organisation? E.g., will it lead to primes assessing their security posture and acting on it to make supply chain security more robust? Will it empower CISOs and those working in cyber security in an organisation to get buy-in from their board or C-Suite?DCC provides us a clear, authoritative standardised benchmark that strengthens both internal and external confidence. It now combines the Cyber Essentials Scheme with a set of binary controls, that unlike other frameworks such as ISO 27001 can be risk based and subjective in their scope.
For primes, it provides us a consistent way to assess and assure our defence sub-contractors security posture.
For our internal teams, it gives security leaders like me a certification to demonstrate through independent validation the effectiveness of our cyber controls across the entire organisation not just IT.
For customers, it demonstrates transparency and independent assurance.
What advice would you give to other organisations preparing for certification under DCC?Step 1: Start with scoping — it’s the foundation for everything that follows.
Step 2: Have board level buy-in.
Step 3: Use Level 0 as a learning opportunity to validate your interpretation of the controls.
Step 4: Engage early with your certifying body, via IASME, to avoid misinterpretation of control requirements and how they are contextually applicable to your organisation.
Step 5: If you are a subcontractor to a Prime, engage with your Prime and discuss what level you should be looking to achieve. It is fair to say that not every supplier will require the Level 3 and indeed 2. However, there is nothing wrong with the aspiration to achieve it as part of your own continual improvement or cyber road maps.
Step 6: Treat the process as a chance to strengthen internal governance and use as further education for teams as to why security controls are necessary.
Finally, Step 7, start gathering evidence early. The Level 3 certification has over 300 requirements and each requires multiple evidence examples to provide assurance of controls being effectively documented, implemented and managed.
We will be sharing more of these success stories as the DCC deadline approaches.
seen at 10:01, 13 July in Digital and Data.