CE Plus, Defence Cyber Certification and supply chain security — handled.
When a prime contractor asks for Cyber Essentials Plus evidence, or Defence Cyber Certification is on the horizon, you need an IT partner who understands the defence supply chain and not a generalist MSP learning on your time. We are NCSC Assured and specialise in helping MOD supply chain SMEs work toward DCC and keep that assurance in place year after year.
What DCC means for your business.
Defence Cyber Certification (DCC) is the independently assessed cyber assurance credential for organisations in the UK defence supply chain. It provides a single, organisation wide certificate that demonstrates cyber resilience across your people, processes and technology, and it’s fast becoming the credential prime contractors expect to see.
What it involves: Cyber Essentials Plus as the foundation, a defined set of governance, identity and technical controls appropriate to your certification level, clear evidence of how those controls work in practice, and independent assessment by an IASME assured certification body.
What being unprepared looks like: without a live DCC pathway in place, suppliers risk losing ground with prime contractors, facing awkward gaps mid bid, and scrambling to pull evidence together against short deadlines, often at real cost to day to day delivery.
We help MOD supply chain businesses understand exactly what DCC involves at the right level, plan the route to certification, and keep evidence and governance current between assessments, so you’re steadily ready for the next review, not sprinting toward it.
DCC
MOD · SUPPLY CHAIN
- Cyber Essentials or CE Plus as the baseline
- Organisation-wide cyber resilience assessment
- Governance, identity and technical controls evidenced
- Independent certification by an IASME body
The moments that bring defence businesses to us
A prime contractor is requesting CE Plus
Your contract depends on it. Without Cyber Essentials Plus certification, you won’t even be considered for renewal. We take you from wherever you are today to certified and handle the technical work, the evidence gathering, and the audit preparation.
Your DCC assessment window is approaching
Cyber assurance expectations across the defence supply chain are tightening, and your route to Defence Cyber Certification needs to be mapped out well before assessment day. You need to show a credible position across technical controls, information handling and supply chain assurance, and right now your current IT setup isn’t giving you confident answers.
An MOD contract renewal is on the horizon
The assurance bar is higher than last time. Defence Cyber Certification is fast becoming the expected credential, Cyber Essentials Plus is non negotiable, and your prime wants to see a structured, evidenced approach to how you protect information across the business.
Cyber Essentials vs CE Plus. Which do you need?
Both certifications cover the same five technical controls, but the level of verification is different. Which one you need depends on your contracts and supply chain position.
| Aspect | Cyber Essentials | Cyber Essentials Plus |
|---|---|---|
| Assessment type | Self-assessment questionnaire | Independent, hands-on technical audit |
| Typical timeline | 2–4 weeks | 4–8 weeks |
| MOD contract requirement | Some lower-tier contracts | Most prime contractor relationships |
| DCC certification | Partial — may satisfy some requirements | Typically required as minimum |
| Verification | Self-declared, reviewed by body | Verified by independent auditor on-site |
Nebula IT

- Just-in-time admin access · time-boxed
- Hardware-token MFA on every engineer
- Per-client tenant isolation
- Immutable audit log of every privileged session
Your MSP is a target. Make sure they’re not a vulnerability
Managed service providers hold privileged access to your systems, data, and infrastructure. In the defence supply chain, that makes your MSP a high-value target for threat actors, and a potential weak link in your compliance posture.
We hold Cyber Essentials Plus certification ourselves, operate under NCSC Assured standards, and implement strict privileged access controls across every client engagement. When your prime contractor or the MOD asks about your IT provider’s security posture, you’ll have a confident answer.
IT and cyber compliance built for the defence supply chain
Three services, designed to work together or one at a time, when that’s all you need.

Cyber Resilience
You handle sensitive contracts, classified supply chain data, and information that carries real consequences if it’s compromised. A breach damages reputation, and can cost you your security clearance, your prime contractor relationships, and your place in the supply chain.
- Cyber Essentials & Cyber Essentials Plus certification
- DCC certification support
- Supply chain assessment and third-party security reviews
- MOD contractual cyber requirements, met and maintained.

Managed IT Support
Your business needs an IT team that picks up the phone, explains things without the jargon, and stays ahead of problems. Not one that only appears when a contract deadline is already at risk.
- Dedicated support team with defence sector understanding
- Secure device and network management across your supply chain
- Microsoft 365 setup compliant with MOD data handling requirements
- IT roadmap built around your MOD contract obligations

AI & Automation
You likely don’t have the headcount for a dedicated IT or AI strategy. But practical automation can give your team real time back every week, whether it’s on compliance documentation, contract reporting, audit trails, or the admin burden that comes with operating in a regulated supply chain.
- Unlimited helpdesk support — phone, email, and remote
- Proactive monitoring & maintenance
- Microsoft 365 & cloud management (incl. nonprofit licensing)
- Strategic IT roadmap aligned to your mission
Common questions from MOD supply chains.
The questions that come up in almost every first conversation. If yours isn’t here, we’d rather you ask.
How long does CE Plus certification take?
Typically 4–8 weeks, depending on your starting point. If you have reasonable existing controls in place, we can often accelerate the timeline. We’ve helped defence businesses go from gap analysis to certified in as little as 6 weeks when contract deadlines are tight.
What does Defence Cyber Certification actually involve?
Defence Cyber Certification builds on Cyber Essentials Plus as its foundation, then layers in governance, identity, device and information handling controls appropriate to your certification level, along with the evidence to show those controls are working in practice. The exact scope depends on the level you’re aiming for and the nature of the work you do in the defence supply chain.
Do we need to recertify annually?
Yes. Cyber Essentials and Cyber Essentials Plus are valid for 12 months and need to be renewed each year. Defence Cyber Certification runs on a three year cycle, with an annual attestation in between to confirm your position is still current. We keep the recertification and attestation cadence running in the background as part of our ongoing service, so renewals arrive as planned pieces of work rather than last minute scrambles.
Can you help with supply chain security requirements?
Yes. As Defence Cyber Certification becomes the expected credential across the defence supply chain, showing that your own suppliers and subcontractors take cyber assurance seriously is part of the picture. We help you build a proportionate view of that supply chain risk, keep the right conversations going with the suppliers who matter most, and pull together the evidence your prime contractor wants to see.