Defence Cyber Certification DCC | Fast Compliance Readiness

Achieve DCC Certification Without Disrupting Your Operations

Theodosian helps UK defence suppliers meet MoD Cyber Security Model v4 requirements with persistent, file-level encryption and access controls that work on top of your existing infrastructure. Get IASME assessment-ready faster and more affordably with Theodosian’s data-centric security platform.

Talk to Sales Book a Demo

Why UK Defence Suppliers Are Struggling with DCC Levels 3 and 4

The new Defence Cyber Certification (DCC) scheme, part of Cyber Security Model (CSM) v4, requires UK defence suppliers to demonstrate robust cyber controls tailored to contract sensitivity. While Cyber Essentials and Cyber Essentials Plus (DCC Levels 1 and 2) cover basic cyber hygiene, DCC Levels 3 and 4 demand more: encryption of sensitive defence data, granular access controls, comprehensive audit trails, and incident response capabilities.

Traditional security tools like firewalls, VPNs, and cloud folder permissions were designed to protect perimeters, not individual files containing sensitive information.

When defence data is downloaded to a laptop, synced via personal cloud storage, or shared with subcontractors, your encryption and access controls disappear. When your IASME assessor asks for evidence that only authorized personnel accessed sensitive data from approved devices, can you produce detailed logs? Most suppliers can't.

The result: Extended compliance timelines, expensive consultant engagements, forced cloud migrations, and failed assessments that put MoD contracts at risk.

Solution? Persistent Data Protection with Theodosian The Foundation of Your DCC Programme

Theodosian encrypts sensitive defence data at the file level and applies dynamic access controls that travel with the data across cloud storage, endpoints, email, and subcontractor networks. Instead of building a stronger perimeter around data that constantly moves, Theodosian protects the data itself.

Persistent, Per-File Encryption

Every sensitive file is encrypted using FIPS 140-3 validated cryptography. Files stay encrypted everywhere: in your cloud environments, on laptops, in email, on USB drives, etc. Supports DCC Level 3/4 encryption requirements and aligns with NCSC Cloud Security Principles.

Context-Aware Access Controls

Enforce who can access sensitive data, from which devices, in which locations, and under what conditions. Go beyond RBAC to implement attribute-based policies. Exceeds Cyber Essentials Plus requirements and supports IASME Cyber Assurance standards.

IASME Assessment-Ready Audit Trails

Detailed logs of every access attempt with user identity, device, location, timestamp, and policy outcome. Export evidence on demand for your IASME assessment. Demonstrate compliance with audit and accountability requirements for DCC Levels 3 and 4.

Automatic Incident Detection and Containment

Real-time anomaly detection with automatic "kill switch" freezes access when suspicious behaviour is detected, before sensitive data is exfiltrated. Supports incident response requirements and helps meet MoD expectations for threat detection.

Zero-Knowledge Architecture

Theodosian cannot decrypt your data, even as the vendor. Our patented key management ensures no unauthorized party (including Theodosian staff, cloud providers, or foreign entities) can access your defence information. Critical for data sovereignty and national security requirements.

UK Data Residency Support

Deploy Theodosian with UK-based data residency to meet MoD data sovereignty requirements and NCSC guidance for protecting sensitive government information.

Why Theodosian Is the Fastest, Most Affordable Path to Achieving DCC Compliance

Meet DCC Level 3/4 Requirements Faster

Deploy in days, achieve IASME assessment readiness in weeks (vs. 6-12+ months with traditional approaches).

Cut Compliance Costs by 60%+

No cloud migration, no workflow disruption, no buying multiple point solutions for encryption, access control, and audit logging.

No Data Migration Required

Works with your existing Microsoft 365, Google Workspace, Dropbox, Box, network drives, and endpoints; bring compliance to your current infrastructure.

Works Alongside Cyber Essentials/Cyber Essentials Plus

Theodosian complements your existing certifications and adds the data protection layer required for higher DCC levels.

Pass Your IASME Assessment with Confidence

Pre-built evidence packages, detailed audit logs, and clear documentation mapping Theodosian controls to DCC requirements.

One Platform for DCC and CMMC

If you work with both UK MoD and US DoD, Theodosian helps you meet both frameworks simultaneously, reducing complexity and cost.

CSM v4 Is Here, Are You Ready?

The MoD's Cyber Security Model version 4 makes DCC certification mandatory for defence suppliers. Required DCC levels are now being specified in tender documentation.

If you're bidding on MoD contracts involving sensitive information or critical services, you'll need DCC Level 3 or 4 certification. IASME assessors are booking months in advance - start preparing now to avoid contract delays or lost opportunities.

See How Theodosian Accelerates DCC Compliance

Book a 15-minute demo to see persistent data protection and IASME-ready evidence in action, or start a 2-week proof of concept in your own environment.

Talk to Sales Book a Demo

Frequently Asked Questions

DCC Questions, Answered.

The required DCC level is specified in your MoD contract or tender documentation, based on the sensitivity of the work:

Level 1: Cyber Essentials (basic cyber hygiene)
Level 2: Cyber Essentials Plus (verified controls)
Level 3: IASME Cyber Assurance (enhanced security for sensitive contracts)
Level 4: Bespoke/highest sensitivity (custom requirements, often aligned with NCSC standards, ISO 27001, or NIST frameworks)

Theodosian is designed to support you in pursuing compliance with all levels, including Levels 3 and 4, where data protection, access control, and audit requirements are most stringent.

No. Cyber Essentials and Cyber Essentials Plus (DCC Levels 1 and 2) remain foundational requirements. Theodosian adds the data-centric protection layer needed for DCC Levels 3 and 4; persistent encryption, granular access controls, and comprehensive audit trails that go beyond what Cyber Essentials covers.

Yes. Theodosian can be deployed with UK-based data residency to meet MoD data sovereignty requirements and NCSC guidance for protecting sensitive government information. All deployments are also single-tenant by default.

Our zero-knowledge architecture ensures that no foreign entities (including Theodosian as the vendor) can access your protected defence data.

Yes. Many UK defence suppliers work with both the UK MoD and the US DoD. Theodosian's data-centric security approach satisfies requirements in both frameworks:

DCC Levels 3/4 (UK MoD suppliers)
CMMC Level 2/3 (US DoD contractors)

One platform, two compliance frameworks, reducing complexity, cost, and administrative burden. Learn more about Theodosian's CMMC-compliant solutions.