Lockheed’s DCC Level 3 raises Britain’s cyber baseline

Lockheed’s DCC Level 3 raises Britain’s cyber baseline

Lockheed Martin UK has secured Britain’s highest defence cyber certification. The milestone places factory systems, engineering data, governance, and supplier assurance under closer scrutiny.


IN Brief:

  • Lockheed Martin UK has become the first defence company announced at Defence Cyber Certification Level 3.
  • The scheme assesses cyber controls, governance, risk management, resilience, and protection of defence information.
  • Wider adoption will require proportionate routes for smaller manufacturers operating ageing production equipment.

Lockheed Martin UK has achieved Level 3 under the Ministry of Defence’s Defence Cyber Certification programme, becoming the first defence company announced as reaching the scheme’s highest tier.

The certification provides an early benchmark for organisations handling sensitive defence information or operating systems connected to critical programmes. Level 3 is intended for environments where disruption, manipulation, or loss of data could affect national-security activity.

Defence Cyber Certification moves assurance beyond supplier questionnaires and written policy. Organisations must demonstrate that controls operate in practice, responsibilities are assigned, risks are monitored, and recovery arrangements have been tested.

Within a major prime contractor, that scope reaches deep into industrial operations. Aerospace and defence production depends on product-lifecycle-management systems, digital drawings, simulation models, test results, manufacturing execution software, machine tools, logistics platforms, and remote engineering access.

Compromise can disclose sensitive designs, alter production data, interrupt deliveries, or undermine confidence in completed equipment. Attackers do not need to damage a final platform when manipulating a drawing, software build, or inspection record can produce effects further downstream.

Operational technology presents a particularly difficult environment. Machine controllers, test rigs, inspection equipment, environmental systems, and specialist production machinery often remain in service considerably longer than office computers.

Some operate unsupported software or cannot accept routine security patches without affecting their qualification. Others depend on remote maintenance links supplied by equipment manufacturers, creating access routes that are useful operationally but difficult to govern.

Separating production systems from corporate networks can reduce exposure, although modern digital engineering requires information to move quickly between customers, designers, factories, and suppliers. Controls that obstruct legitimate work can encourage staff to create unapproved copies or alternative transfer methods.

Effective certification therefore depends on architecture rather than a collection of security products. Asset inventories, identity management, access control, secure configuration, vulnerability handling, logging, backups, recovery, and incident response must work together across several business units.

Evidence carries considerable weight during assessment. Policies have limited value without records showing that access reviews take place, patches are considered, incidents are investigated, backups are restored, and supplier risks are actively managed.

Producing that evidence across a large organisation requires disciplined processes and reliable data. Inconsistent local practices can weaken an otherwise mature system, while separate programme requirements may create duplicated work unless controls are standardised.

Lockheed Martin UK’s certification will also influence companies below prime-contract level. Sensitive drawings, software, components, and engineering services pass through extensive supplier networks, where a small specialist business may hold material valuable to hostile intelligence services.

A subcontractor’s systems can provide an indirect route into a programme even when the prime’s own network is well defended. Attackers frequently target organisations with fewer security resources but trusted access to customers or shared data environments.

Smaller manufacturers face a different scale of burden. Many operate with limited IT staff, narrow margins, and production machinery that cannot be replaced quickly. Enterprise security tools and extensive documentation can become disproportionate when applied without regard to company size or the information held.

The MOD’s tiered structure is intended to match controls with risk, avoiding a requirement for every supplier to reach Level 3. Lower tiers still require companies to understand where defence information is stored, who can access it, and how work would continue after an incident.

That exercise often exposes weaknesses that have accumulated gradually. Essential machines may depend on unsupported systems, engineering data may sit in uncontrolled folders, and supplier remote access may lack clear ownership or monitoring.

Formal assessment brings those conditions into contract readiness. A business may retain unique tooling, approvals, and manufacturing expertise yet become unavailable to a programme when it cannot demonstrate adequate protection.

Cybersecurity is consequently joining quality accreditation, special-process approval, material traceability, and export compliance as a condition of industrial participation. Secure access to drawings and customer platforms can determine whether a supplier is able to quote or deliver.

American contractors are dealing with similar pressure through CMMC, where companies have begun obtaining formal Level 2 certification and adopting managed environments intended to reduce the compliance burden.

Britain will encounter comparable questions over assessor capacity, interpretation, cost, and mutual recognition. Suppliers working for several primes could otherwise face different evidence demands for the same underlying controls.

Certification can also become overly focused on audit preparation. Resilience deteriorates when organisations treat the assessment date as the objective and allow controls, inventories, or training to weaken afterwards.

Continuous monitoring and tested recovery remain more useful than a static certificate. Defence companies face espionage, ransomware, destructive attacks, supply-chain compromise, and persistent attempts to obtain programme information.

Factories are increasingly attractive targets as production expands and digital systems become more connected. Disruption to a specialist machining, electronics, or test facility can delay equipment even when no classified design is stolen.

Prime contractors will need to extend practical support into their supplier base through clear requirements, shared tools, templates, training, and early notification of contract conditions. Passing cost and responsibility downwards without support risks removing capable small companies.

Lockheed Martin UK’s Level 3 result demonstrates that the highest current standard can be achieved across a large defence organisation. The wider industrial result will depend on whether stronger assurance can spread through factories and engineering businesses without narrowing the supplier base on which major programmes rely.