DIBCAC — the Defense Industrial Base Cybersecurity Assessment Center — is the DoD assessment body operated by the Defense Contract Management Agency (DCMA) that verifies defense contractors’ cybersecurity compliance with DFARS requirements and, under the CMMC program, conducts all Level 3 certification assessments. For most small defense subcontractors, a DIBCAC assessment is something to understand and prepare for — but not necessarily something you will face directly, unless your contracts involve the most sensitive DoD programs.
You are reading the solicitation for a new contract. Under the cybersecurity requirements section, it references DIBCAC.
You know what CMMC means at this point. You know what NIST 800-171 means. But DIBCAC is a new acronym and it is not clear whether this is something your shop needs to worry about or something that only applies to the big primes.
Here is what you need to know.
The Defense Industrial Base Cybersecurity Assessment Center is a specialized unit within the Defense Contract Management Agency (DCMA), the DoD component responsible for contract administration across the defense industrial base. DCMA DIBCAC was established to verify that contractors are actually implementing the cybersecurity controls they are required to have, not just self-reporting compliance.
Before the CMMC program was finalized, DIBCAC’s primary role was conducting assessments under DFARS clauses 252.204-7012 and 252.204-7020 to verify contractor implementation of NIST SP 800-171 cybersecurity standards. Those assessments produced SPRS scores — the numerical scores that contracting officers use to evaluate a contractor’s cybersecurity posture during source selection. With the establishment of the Cybersecurity Maturity Model Certification (CMMC) program under 32 CFR Part 170, DIBCAC now has an additional role: it is the exclusive entity authorized to conduct CMMC Level 3 certification assessments.
The DoD Assessment Methodology defines three confidence levels for assessing NIST SP 800-171 implementation. The first is a self-assessment; DIBCAC conducts the other two:
Basic Assessment: a self-assessment conducted by the contractor. The contractor scores their own implementation of the 110 NIST SP 800-171 requirements using the DoD Assessment Methodology and submits the score to the Supplier Performance Risk System (SPRS). The score runs from a maximum of 110 down to a floor of -203: every contractor starts at 110, and each requirement that is not fully implemented costs a weighted deduction of 1, 3, or 5 points (two requirements, multifactor authentication and FIPS-validated cryptography, allow a reduced 3-point deduction for partial implementation). This is what most small defense contractors do today under DFARS 252.204-7019.
Medium Assessment: conducted by DIBCAC. Assessors review the contractor's System Security Plan (SSP) and supporting documentation and hold discussions with the personnel responsible for the controls. There is no on-site verification. DIBCAC, not the contractor, submits the resulting score to SPRS.
High Assessment: conducted by DIBCAC on-site. Assessors review documentation, interview personnel, and verify that the controls are implemented correctly throughout the contractor's operating environment, not merely described in the SSP. This is the highest-confidence assessment under the DFARS methodology, and the same on-site, evidence-based approach is what DIBCAC applies when it conducts CMMC Level 3 certification assessments.
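How the Basic Assessment score is actually computed, as an added example (not DoD or DIBCAC tooling): a small scorer that starts at 110, applies the weighted deductions, handles the two partial-credit requirements, refuses to produce a score when there is no SSP, and orders the findings so the most expensive gaps are remediated first. The weight table is an illustrative subset of the methodology's Annex A; the individual weights are assumptions to verify against the current methodology, and the sample assessment is constructed.

```python
"""Scorer for a NIST SP 800-171 Rev. 2 Basic (self) Assessment under the DoD
Assessment Methodology. Added example; not DoD or DIBCAC code.

Rules modelled (from the methodology): start at 110; deduct the requirement's
weight (1, 3 or 5) for each requirement not fully implemented; two requirements
(3.5.3 MFA, 3.13.11 FIPS-validated crypto) allow a reduced 3-point deduction
for partial implementation; no score is produced without a System Security Plan.
"""
from __future__ import annotations

from dataclasses import dataclass, field

MAX_SCORE = 110
MIN_SCORE = -203  # floor the methodology states for the full 110-requirement table

# Illustrative SUBSET of Annex A weights (assumption: check every weight against
# the current DoD Assessment Methodology before relying on a computed score).
WEIGHTS: dict[str, int] = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # verify and control connections to external systems
    "3.3.1": 5,    # create and retain audit logs
    "3.5.3": 5,    # multifactor authentication (partial credit possible)
    "3.11.2": 5,   # periodic vulnerability scanning
    "3.13.11": 5,  # FIPS-validated cryptography (partial credit possible)
    "3.14.1": 5,   # flaw remediation / patching
    "3.14.2": 5,   # malicious code protection
}

# Partial-credit deductions the methodology defines:
#   3.5.3   -> 3 points if MFA covers remote and privileged users but not general users
#   3.13.11 -> 3 points if encryption is in place but not FIPS-validated
PARTIAL_CREDIT: dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

VALID_STATUS = {"implemented", "partial", "not_implemented"}


@dataclass
class Assessment:
    ssp_exists: bool
    # requirement id -> "implemented" | "partial" | "not_implemented"
    status: dict[str, str]
    weights: dict[str, int] = field(default_factory=lambda: dict(WEIGHTS))

    def deduction(self, req: str) -> int:
        """Points lost for one requirement. A requirement missing from `status`
        counts as not implemented: the assessor's posture, not the optimist's."""
        s = self.status.get(req, "not_implemented")
        if s not in VALID_STATUS:
            raise ValueError(f"unknown status {s!r} for {req}")
        if s == "implemented":
            return 0
        if s == "partial":
            if req not in PARTIAL_CREDIT:
                raise ValueError(
                    f"{req} has no partial-credit option; score it implemented or not_implemented")
            return PARTIAL_CREDIT[req]
        return self.weights[req]

    def score(self) -> int:
        """SPRS-style score: 110 minus the weighted deductions."""
        if not self.ssp_exists:
            raise ValueError("no System Security Plan: the methodology does not score without one")
        return MAX_SCORE - sum(self.deduction(r) for r in self.weights)

    def findings(self) -> list[tuple[str, int]]:
        """Requirements costing points, biggest deduction first: a remediation order."""
        costly = [(r, d) for r in self.weights if (d := self.deduction(r)) > 0]
        return sorted(costly, key=lambda f: (-f[1], f[0]))


def floor_score(weights: dict[str, int]) -> int:
    """Score if nothing is implemented. With the full Annex A table this is -203."""
    return MAX_SCORE - sum(weights.values())


# Constructed sample: a small shop that has not fixed patching, never scans,
# runs MFA only for admins and remote users, and encrypts CUI with non-FIPS libraries.
SAMPLE = Assessment(
    ssp_exists=True,
    status={
        "3.1.1": "implemented", "3.1.2": "implemented", "3.1.5": "implemented",
        "3.1.20": "implemented", "3.3.1": "implemented", "3.14.2": "implemented",
        "3.5.3": "partial", "3.13.11": "partial",
        "3.11.2": "not_implemented", "3.14.1": "not_implemented",
    },
)

if __name__ == "__main__":
    print("score:", SAMPLE.score())
    for req, pts in SAMPLE.findings():
        print(f"  {req}: -{pts}")
```

Run as a script it prints the constructed shop's score of 94 and the four requirements costing points. Two design choices matter for a self-assessment you will later defend: an unlisted requirement defaults to not implemented rather than to implemented, because that is how a DIBCAC assessor will treat anything you cannot evidence, and a "partial" status is rejected for any requirement other than 3.5.3 and 3.13.11, since the methodology gives no partial credit elsewhere.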
This is the question that causes the most confusion for small defense subcontractors, and the answer matters for understanding what your shop actually needs to do.
DIBCAC is an assessment body — a government organization that conducts assessments. CMMC is a compliance framework and certification program. DIBCAC conducts certain types of assessments under the CMMC program, but it is not CMMC itself.
Under the CMMC program:
CMMC Level 1 requires a self-assessment. No DIBCAC involvement.
CMMC Level 2 requires either a self-assessment or a third-party assessment by a C3PAO (Certified Third-Party Assessment Organization), depending on the contract. DIBCAC does not conduct Level 2 CMMC certification assessments; C3PAOs do. DIBCAC can, however, conduct a government-led DFARS High Assessment of a Level 2 contractor at any time. That assessment feeds your SPRS score under DFARS 252.204-7020 and is separate from your CMMC status, with one exception defined in 32 CFR 170.20: a DIBCAC High Assessment completed under the Joint Surveillance Voluntary Assessment Program with a perfect score of 110 is recognized as Final Level 2 (C3PAO) status for the assessed scope.
CMMC Level 3 requires a DIBCAC assessment. This is the CMMC level where DIBCAC becomes the exclusive assessor. Level 3 is assessed against 134 controls — the 110 from NIST SP 800-171 Rev. 2 plus 24 additional controls from NIST SP 800-172 designed to counter advanced persistent threats. Before a contractor can pursue Level 3, they must first hold Final Level 2 (C3PAO) status for the same assessment scope, with all POA&M items closed.
For most small manufacturers in the defense supply chain, the relevant question is which level your contracts require. Level 3 is designed for a narrow subset of contractors on the DoD’s most sensitive programs. The DoD’s own rulemaking estimates that approximately 1,487 entities will require CMMC Level 3. If your contracts do not reference Level 3 or NIST SP 800-172, DIBCAC as an assessor is likely not something you will face directly — though understanding what it is remains useful context.
If your shop does receive a DIBCAC assessment — either a Medium or High — the process is more rigorous than a self-assessment and more structured than a typical audit.
DIBCAC assessors examine documentation, including your System Security Plan, policies, procedures, and any Plan of Action and Milestones. They conduct interviews with personnel responsible for implementing and maintaining controls — not just the IT manager, but the people who actually operate the systems. During a High Assessment, assessors verify security controls on-site to confirm technical implementation instead of relying only on documented policies.
The assessment scope is your CUI environment: every system that stores, processes, transmits, or receives Controlled Unclassified Information (CUI). Your SSP must describe that environment accurately and document controls that match what is actually running on those systems. The most common finding is a gap between what the documentation says and what is implemented.
At the end of the assessment, DIBCAC records the results and submits the score to SPRS. The DFARS clauses set no fixed passing score; DFARS 252.204-7019 requires that a current assessment be posted in SPRS before award, but the score itself is visible to every contracting officer during source selection, and a low one counts against you when they weigh supplier risk.
Whether or not your shop will face a DIBCAC assessment directly, the standards DIBCAC assesses against are the same standards you need for CMMC Level 2 compliance: NIST SP 800-171, documented in a System Security Plan, with controls that are actually implemented rather than just described.
Prepare thoroughly for CMMC Level 2: write the SSP, run a gap assessment against all 110 requirements, and implement the controls rather than describe them. That work is also your DIBCAC preparation, because the SSP, the evidence behind it, and the people who operate the controls are exactly what assessors examine. Contractors who self-attest a score their environment does not support are exposed: under DFARS 252.204-7020 the DoD can schedule a Medium or High Assessment at any time, and DIBCAC posts its own score to SPRS. The cybersecurity maturity your shop demonstrates through CMMC Level 2 preparation is the same maturity DIBCAC assessors are evaluating.
The Supplier Performance Risk System score your shop carries is visible to every contracting officer evaluating you as a potential supplier. A low SPRS score — or a score that has not been updated to reflect the actual controls protecting sensitive defense information — is a liability that extends beyond any single contract. DIBCAC assessments consistently reveal documentation that describes security controls missing from the actual environment, creating significant compliance gaps during evaluations.
Right Hand Technology Group helps defense contractors build documented NIST SP 800-171 programs that meet DIBCAC expectations and support CMMC compliance. If you want to understand where your current program stands and what a real gap assessment looks like, schedule a free consultation with our team.
DIBCAC is a government assessment organization within DCMA. CMMC is the DoD's cybersecurity certification program. DIBCAC conducts government-led DFARS Medium and High Assessments and all CMMC Level 3 certification assessments, while authorized C3PAOs perform CMMC Level 2 certification assessments for defense contractors.
Most small defense contractors do not need a direct DIBCAC assessment. Most will complete a CMMC Level 2 assessment through a C3PAO. Only contractors requiring CMMC Level 3 typically undergo a DIBCAC assessment. Your contract will specify the required CMMC level.
DIBCAC evaluates compliance with the 110 security requirements in NIST SP 800-171. For CMMC Level 3, it also assesses 24 additional NIST SP 800-172 controls. Assessors review documentation, interview staff, verify technical controls, and submit assessment scores to the Supplier Performance Risk System (SPRS).