Construction business Morgan Sindall has become the first UK organisation to achieve certification under a new scheme set up by the Ministry of Defence (MoD) and certification body IASME.
The Defence Cyber Certification (DCC) scheme was established in a bid to improve supply chain security across the nation, and strengthen the UK’s overall resilience in the face of near-constant cyber attacks orchestrated via victims’ supply chain suppliers – recent incidents affecting retailers Marks & Spencer, Co-op Group and Harrods being good examples of such.
According to a 2024 Thales report, over 90% of organisations working around critical national infrastructure (CNI) have experienced an increase in attempted and successful cyber attacks.
The DCC project was designed as a proactive response to this and will ensure that all organisations working in the MoD’s supply chain – of which Morgan Sindall is one, working extensively with the department on a project to revitalise Britain’s military housing stock and other facilities across the MoD’s estate – are equipped to defend against cyber risks.
The organisation also works extensively on public infrastructure projects, with some noteworthy recent builds including upgrades to the A421 in Milton Keynes, an extension to the London Overground rail line in Barking, and the replacement of overhead power lines with underground cabling in Dorset. As such, it is considered a key target for threat actors targeting sectors such as transport and utility providers.
“Defence Cyber Certification (DCC) strengthens cyber resilience in the UK’s defence supply chain. Organisations obtaining and maintaining DCC prove their ongoing commitment to UK defence,” said Eleanor Fairford, director of cyber defence and risk, at the MoD.
Multi-level certification
The DCC certification itself is designed to emphasise the overall security and resilience of the receiving organisation, and has been structured in four tiers, L0 to L3, each corresponding to a specific degree of cyber risk, depending on what role the organisation plays within the MoD supply chain.
The scheme is being rolled out in a phased manner, currently only L0 is available, with L1 coming on-stream at the end of August 2025. Levels L2 and L3 – which set rigorous standards designed for organisations facing the highest levels of cyber risk – will become available at the end of July.
The assessment process for DCC certification will include a point-in-time assessment against UK defence standards, compliance with which is soon set to become a requirement in all defence procurement and contract activities. This assessment will enable organisations to demonstrate a “clear, future-focused” approach to cyber resilience that they can then submit in satisfaction of MoD contract requirements, and use as a means to demonstrate their expertise to other potential customers.
When it comes to future procurement exercises, the MoD will assign a required level for suppliers working on different contracts, however businesses interested in bidding will not be limited in the certification level for which they apply – indeed, they can apply for certification at any level they which, even if they are not currently working on any MoD business.
The scheme’s backers said they hoped this level of flexibility would enable organisations to better demonstrate their commitment to ongoing resilience, prepare for future opportunities in advance, and avoid the need to go through repeat assessments over and over.
The programme also aligns with wider cyber best practice, with all levels requiring organisations to already hold the National Cyber Security Centre’s (NCSC’s) Cyber Essentials badge – levels two and three will require Cyber Essentials Plus certification once they are launched.
“We are thrilled to collaborate with the Ministry of Defence on the Defence Cyber Certification scheme and very grateful to the cyber security experts who have been so generous with their time to help us develop the scheme,” said IASME CEO Emma Philpott.
Hannah Clarke-Dabson, principal consultant at CNI cyber specialist Bridewell, who was involved in creating the guidance for the DCC scheme, added: “Bridewell is excited to continue supporting the evolution of the DCC scheme as it gains traction across the defence supply chain.
“From the outset, we have been working closely with IASME, defence suppliers and key stakeholders from across the industry to help shape the future of the DCC scheme and ensure that we, as a DCC Certification Body, are actively supporting and guiding organisations through the certification process,” she said.
Organisations interested in participating are encouraged to visit the scheme’s homepage hosted by IASME to learn more.