Bridewell has become one of the first organisations to achieve Level 2 Defence Cyber Certification (DCC), marking a significant milestone in efforts to strengthen cyber security across the UK defence supply chain.
The Reading-based cyber security services provider is currently one of only two organisations accredited at this level, underscoring its role in supporting critical national infrastructure (CNI) and defence-sector organisations with robust security practices.
The DCC scheme, developed by the UK Ministry of Defence and delivered by IASME, aims to standardise cyber security requirements across the defence supply chain. By aligning with internationally recognised standards and existing best practices, the framework is designed to reduce administrative burden over time while ensuring suppliers can demonstrate consistent and verifiable security controls.
Level 2 certification represents a substantial achievement. Organisations must meet 139 controls and demonstrate a mature, proactive approach to cyber risk management. The level is intended for contracts with moderate to high cyber risk profiles, requiring strong protective measures alongside ongoing resilience against evolving threats.
Bridewell’s accreditation comes at a time when cyber attacks targeting defence organisations and their suppliers are increasing in both frequency and sophistication. The introduction of DCC is widely seen as a key step in improving supply chain assurance, helping to safeguard sensitive information, maintain operational continuity, and support national security.
Hannah Clarke-Dabson, Principal Consultant at Bridewell, described the certification as a “significant milestone” for the company and highlighted the broader industry impact of the scheme.
“The introduction of DCC provides a clear and structured approach to supply chain assurance,” she said. “We are proud to be among the first organisations to meet these requirements and to help drive higher standards across the ecosystem.”
The DCC framework consists of four levels, aligned to the cyber risk profile of defence contracts. Certification is valid for three years, with an annual attestation process, offering both assurance and stability for suppliers and their customers while reducing the need for repeated compliance exercises.
Bridewell has also been involved in the rollout of the scheme as an early certification body working alongside IASME and the Ministry of Defence. This experience positions the company to support organisations throughout the certification process, from initial gap analysis to ongoing compliance.
Clarke-Dabson added that DCC should be viewed as more than a compliance requirement.
“It is an opportunity for organisations to strengthen their resilience in a way that reflects the real-world threat landscape,” she said. “Our focus is on helping clients translate the framework into practical, effective security measures.”
With DCC expected to become an increasingly important requirement for suppliers working with the Ministry of Defence and prime contractors, early adoption could provide a competitive advantage. Bridewell’s achievement signals both its readiness to operate at this level and its capability to support others navigating the certification process.
