Understanding the DCPP Process and risk profiles

Cyber Essentials forms part of the overall Cyber Security Model introduced by the DCPP within the MOD. As part of this suppliers need to know the overall process and understanding of the associated Cyber Risk profiles MOD contracts may have. Under the Defcon 658 notice suppliers will need to know what level of Cyber Essentials certification their business must have in order to comply with MOD Cyber requirements throughout their supply chain. The DCPP brochure provides clear direction on both these areas and can be downloaded below.

Download DCPP brochure

cyber security


The Defence Cyber Protection Partnership (DCPP) is a holistic, industry and government response to the cyber security threat. The DCPP was established in 2013 by the Ministry of Defence, other government departments, and defence suppliers working together to improve the cyber resilience of the sector in the face of an increasing volume and sophistication of cyber-attacks.

Cyber Essentials

Our vision is to work together to better understand the risk, improve the sharing of threat information, raise awareness and collaboratively develop a set of proportional measures to counter the threat, implemented via the contract.

The DCPP’s primary output is the Cyber Security Model which has applied to all new defence procurement’s from April 2017 (to the first tier of the supply chain only) and fully implemented (with flow-down into supply chain) from October 2017. The Cyber Security Model is a three stage process which first assigns a level of risk to a contract and sets out the controls needed to mitigate that risk; second, assesses the supplier’s ability to implement the appropriate controls and finally assess the suppliers’ suitability by assessing the completed Supplier Assurance Questionnaires. More information on the DCPP is available here.

An example Self Assessment Questionnaire can be downloaded here.

A Quick Cyber guide for small businesses



What is Cyber Essentials?

Cyber Essentials is a government-backed, industry-supported initiative from the National Cyber Security Centre (NCSC) to provide businesses supplying to the MOD with a basic level of cyber security controls.

Cyber Essentials certification is crucial for businesses looking to supply into the defence market. Based on DEFCON 658, official MOD policy is that all suppliers bidding for new MOD contracts that include the transfer of ‘MOD identifiable information’ should possess Cyber Essentials certification before contract award or be able to show evidence of progress towards it in time for contract start date.

Cyber Essentials certification enables you to showcase your credentials as a trustworthy and secure organisation and puts your business in a perfect position to supply to the defence sector, knowing that your bid can be backed up with evidence that your business is cyber secure.

Minimum Requirements More on Identifiable Information Pricing Options


Cyber Essentials is a key requirement for any supplier or buyer looking to business with defence. It is essential that businesses of all types know the benefits that gaining such certification provides.

  • Cyber Essentials is a government-backed by the National Cyber Security Centre and has been in place since 2014.
  • The controls Cyber Essentials puts in place protect a business from around 80% of Cyber Attacks but these should be seen as the minimum requirements.
  • Certification is cheaper than paying the cost of a cyber breach. Cyber Breaches 2017 report indicated this cost is on average £1,340 per instance.
  • Certification can be obtained from a range of providers, for example, Cyber Essentials Online offers this from £300 ex Vat for the base level certification.
  • Cyber Essentials certification shows to us and your suppliers that you take data security seriously.
  • To date over 9,000 businesses have been certified to the Cyber Essentials scheme.

Learn more about Cyber Essentials

Find out what Cyber Essentials is and how to get certified with DCI through their free webinar. As one of a number of suppliers in the certification space, DCI is unique in that it offers a defence-focused solution for MOD tenders and is well placed to share their expertise to help suppliers position themselves to comply with and win MOD tenders.

The webinar will talk you through the benefits of Cyber Essentials certification in defence and provide you with:

  • An introduction to the DCPP
  • What is the Cyber Security Model (CSM)
  • How to meet the requirements of the Cyber Security Model
  • How does the CSM impact supplier tendering in defence?
  • How to become Cyber Certified with Cyber Essentials
Watch Now


Cyber Essentials is the minimum certification an organisation needs to implement to bid for new MOD defence contracts which include the transfer of ‘MOD identifiable information’.

The MOD has made this requirement mandatory since January 2016 for suppliers looking to do business in the defence sector.

As the risk level goes up, some additional controls are required that can be evaluated through Cyber Essentials Plus vulnerability tests.


The controls that need to be in place to achieve Cyber Essentials certification protect a business from around 80% of common cyber attacks.

It’s worth considering that certification is cheaper than the alternative of paying for the cost of a cyber breach. The Cyber Breaches Survey 2017 report indicated this cost is, on average, £1,340 per instance of a cyber breach.


Certification allows your business/organisation to promote itself as cyber secure up to the Cyber Essentials standard level, which can make a real difference when bidding for contracts.

When you receive your Cyber Essentials certificate, you will also receive the relevant Cyber Essentials branding to use on collateral such as tender bids for one of the many defence contracts available through Cyber Essentials Online.

Download a free Cyber Essentials Scheme Summary

The Cyber Essentials scheme summary will provide you with:

– Some background information about the scheme
– The scope of the assessment
– Assurance framework
– The next steps to becoming certified

After reading the scheme summary, you will have a clearer picture of the importance of the scheme and what is involved in the certification process.

As one of the available Cyber Essentials suppliers DCI offers the following options:

Cyber Essentials
Self Assessment certification
For MOD Contracts where the risk is "Very Low" Inclusive support and advice throughout application process Access to the online self-assessment questionnaire Includes certificate and Cyber Essentials branding for your business Provides 12 months’ certification upon successful application No additional costs for retests or Gap Analysis
Cyber Essentials Fast Track
Certification within 24 hours
Access to the online self-assessment questionnaire For MOD Contracts where the risk is "Very Low" No additional costs for retests or Gap Analysis Inclusive support and advice throughout application process Includes certificate and Cyber Essentials branding for your business Provides 12 months’ certification upon successful application
Cyber Essentials Plus
The certification for maturing networks
Access to the online self-assessment questionnaire Required for MOD contracts where the risk is "Low", "Moderate" or "High" On Site assessment and vulnerability test Provides 12 months’ certification upon successful application Includes certificate and Cyber Essentials branding for your business The price includes expedited remedial assessments if required




Key Supplier Information for Cyber Essentials certification

Which of the different accreditation/certification bodies should I choose to gain the Cyber Essentials certification?

Suppliers are free to decide which certification body to use, but must be aware they have a choice.  Information on the different accreditation bodies is available here. The illustrated pricing above is from Defence Contracts International and illustrates the service they offer as a defence focused business intelligence provider other suppliers are available and service offerings will differ.

Are there scenarios where I may be unable to gain Cyber Essentials certification?

Suppliers may be unable to achieve Cyber Essentials if any hardware or software on their network is unsupported by their manufacturer/developer and is deemed ‘not supported’. This means security updates cannot be developed and patched to these products.

If a supplier is unable to achieve Cyber Essentials in support of an MOD requirement they may be able to have this requirement waivered, this ‘risk acceptance’ process is outlined in DEFSTAN 05-138.

Do I need Cyber Essentials Plus?

In line with MOD procurement policy note 09/14, Cyber Essentials Plus will be incorporated into the CSM, under which any contract assigned a risk level of ‘Low’ or higher will require suppliers to hold Cyber Essentials Plus. Full details of the Cyber Risk Profiles are in DEFSTAN 05-138 which is available via defencegateway.mod.uk. New users will need to register to access the DEFSTANs.

How much does Cyber Essentials cost?

The cost of achieving Cyber Essentials certification through an official certifying body is currently approximately £300. This does not include the cost of any improvements required to achieve Cyber Essentials compliance. A Cyber Essentials certificate is valid for 12 months and must be renewed annually. The pricing may differ from supplier demanding on the service offering or level to which they offer.

Do I need to get Cyber Essentials to bid for UK MOD work as an overseas supplier?

Overseas suppliers may apply for and gain Cyber Essentials accreditation, this is not a UK only accreditation. International equivalents may also be acceptable and the ability for a supplier to submit a Cyber Implementation Plan alongside the SAQ enables suppliers to prove their standards match the controls required by DEFSTAN 05-138.