For MOD Supply Chain · NCSC Assured Service Provider

CE Plus, Defence Cyber Certification and supply chain security — handled.

What DCC means for your business.

Defence Cyber Certification (DCC) is the independently assessed cyber assurance credential for organisations in the UK defence supply chain. It provides a single, organisation wide certificate that demonstrates cyber resilience across your people, processes and technology, and it’s fast becoming the credential prime contractors expect to see.

What it involves: Cyber Essentials Plus as the foundation, a defined set of governance, identity and technical controls appropriate to your certification level, clear evidence of how those controls work in practice, and independent assessment by an IASME assured certification body.

What being unprepared looks like: without a live DCC pathway in place, suppliers risk losing ground with prime contractors, facing awkward gaps mid bid, and scrambling to pull evidence together against short deadlines, often at real cost to day to day delivery.

We help MOD supply chain businesses understand exactly what DCC involves at the right level, plan the route to certification, and keep evidence and governance current between assessments, so you’re steadily ready for the next review, not sprinting toward it.

DEFENCE CONTRACT CONDITION

MOD · SUPPLY CHAIN

  • Cyber Essentials or CE Plus as the baseline
  • Organisation-wide cyber resilience assessment
  • Governance, identity and technical controls evidenced
  • Independent certification by an IASME body

Cyber Essentials vs CE Plus. Which do you need?

Both certifications cover the same five technical controls, but the level of verification is different. Which one you need depends on your contracts and supply chain position.

AspectCyber EssentialsCyber Essentials Plus
Assessment typeSelf-assessment questionnaireIndependent, hands-on technical audit
Typical timeline2–4 weeks4–8 weeks
MOD contract requirementSome lower-tier contractsMost prime contractor relationships
DCC certificationPartial — may satisfy some requirementsTypically required as minimum
VerificationSelf-declared, reviewed by bodyVerified by independent auditor on-site

Nebula IT

Defence-cleared · UK-based
CERTIFICATIONS HELD
Cyber Essentials Plus
NCSC Assured Service Provider
IASME Cyber Assurance L2
IASME Cyber Assurance L1
PRIVILEGED ACCESS CONTROLS
  • Just-in-time admin access · time-boxed
  • Hardware-token MFA on every engineer
  • Per-client tenant isolation
  • Immutable audit log of every privileged session

Your MSP is a target. Make sure they’re not a vulnerability

Managed service providers hold privileged access to your systems, data, and infrastructure. In the defence supply chain, that makes your MSP a high-value target for threat actors, and a potential weak link in your compliance posture.

We hold Cyber Essentials Plus certification ourselves, operate under NCSC Assured standards, and implement strict privileged access controls across every client engagement. When your prime contractor or the MOD asks about your IT provider’s security posture, you’ll have a confident answer.

Not sure where your compliance stands?

Find out exactly where you stand. No pitch, no obligation. Just an honest assessment of where you are and what, if anything, needs attention before your next audit.