DCC has replaced SAQ self-assessment for MOD suppliers. Independent product assurance is next. SecurLab is an NCSC-Certified CRTF

The MOD Moved Beyond Self-Assessment. Product Assurance Is Next. The vendors who act now go into the mandate with a current assurance output and not a queue.

"DCC tells the MOD about your organisation. Prime contractors are now asking about your product. SecurLab is the independent answer to that question."

DCC replaced the SAQ because self-assessment was not producing credible assurance. The same logic now applies to the products your organisation supplies. SecurLab is an NCSC-listed CRTF with a team with real defence sector credentials.

Prime contractors are already pushing product assurance requirements down the supply chain. Defence spending rises to 2.5% GDP from April 2027, increasing scrutiny of every supplier.

A DCC certificate covers your organisation. It does not cover your product.

DCC tells the MOD that your organisation has security controls in place. It says nothing about the security of the specific software, systems, or connected technology you are supplying. Prime contractors are already closing this gap by asking sub-tier suppliers for product-level security assurance. Independent CRTF assessment is the credible answer.

What your clients are asking

Your DCC Level 1 certification covers your organisation. We need independent evidence of the security posture of the specific product you are delivering under this contract."

This request is appearing in defence supply chain conversations right now, informally today, contractually in 2027. SecurLab's CRTF assessment provides the product-level evidence that DCC alone does not.

Our expertise

SecurLab's founding team includes GCHQ operational experience bringing national security context to product assurance that generic cybersecurity consultancies cannot replicate.

If your prime contractor is already asking questions your DCC certificate cannot answer, speak to Securlab now before that requirement becomes a contract condition.

What Our Product Assessment Covers

Product & System Security

Software architecture review

NCSC principles alignment

Secure Development

Defence context threat modelling

Supply chain development controls

Build & Pipeline Integrity

Tampering controls

Component provenance

Classified Data Handling

MODII-relevant controls

Data classification alignment

Operational Security

Deployment environment controls

Access management

Incident Response

Detection capability

Reporting to MOD obligations

Recovery evidence

The Timeline You Need to Know

Now

Prime contractors pushing product assurance requirements into sub-tier supply chains informally.

Apr 2027

Defence spending rises to 2.5% GDP. Procurement scrutiny intensifies.

2027

Product assurance expectations formalise in MOD contract schedules.

2028

Independent product assurance condition of supply for technology above defined risk thresholds.

WHY SECURLAB?

FULL ACCREDITATION STACK

ISO 17020 (Pending) | ISO 27001 | ISO 9001 | CE+

The most comprehensive assurance credential set available from an independent specialist.

INDEPENDENT

We do not consult for the clients we assess.

Our output is credible because our independence is structural, not claimed.

NCSC-LISTED CRTF

One of the only independent specialist CRTFs in the UK.

Listed on the NCSC website — the credential procurement teams recognise.

FASTER AND CLEARER

Workflow platform reduces delivery time without reducing quality.

You know what we are assessing, what evidence we need, and what the output will look like.

FAQs

  • DCC covers your organisation's security controls. CRTF assessment covers the security posture of the specific product or system you are supplying. Both are increasingly expected DCC for organisational assurance, CRTF for product assurance. Having both puts you ahead of most of the defence supply chain.

  • Yes. One of Securlab's founders has a GCHQ background, bringing operational experience in UK national security that is directly relevant to the threat context your products face. This is not generic cybersecurity expertise applied to defence it is defence-native understanding.

  • Our current CRTF scope covers OFFICIAL and OFFICIAL-SENSITIVE product assurance. Engagements involving SECRET or above require additional security arrangements. Contact us to discuss specific programme requirements and security clearance considerations.

  • In most cases, yes. A Securlab CRTF report is produced against NCSC-published Assurance Principles — the same framework the MOD's own security policy references. It is the most credible independent assurance format available from a UK-based specialist body. We recommend sharing our assessment methodology with your prime contractor's security team before you commission the assessment.