A
All right everybody, it is Thanksgiving. It is November of 2025. So happy Turkey Day to everybody. We got a little bit of a scoop for you here on the show this week. Since the end of October, we have learned of at least half a dozen defense contractors that have received official notices from DoD's Defense Industrial Base Cybersecurity Assessment Center, the DIBCAC team, informing them that they will be undergoing in-person audits of their compliance with DFARS clause 252.204-7012, including their implementation of the requirements in NIST Special Publication 800-171. Red alert, red flag, nightmare scenario, not the email that anybody wants to get right before the holidays or ever. The problem is that every one of these companies assumed that they would only need to achieve CMMC Level 1 self-assessment status. And so while everyone has been focused on CMMC, DFARS clause 252.204-7020 has been in contracts since the year 2020 and it gives DoD the right to show up at any time and audit your cybersecurity compliance. So what happens when you get the knock on your door? What do these notices actually look like? That's what we're going to talk about today.
B
This is one of those times where it's really, really important to read the entire text message. Because when you sent me a text message and said, we're doing a Thanksgiving Day show, Jacob, all I read was scoop, assume and knock at the door, and I thought it was the people that are about to knock on my door. You were going to be one of them. You were going to have a scoop of delicious ice cream to go on top of a piece of pie that we were going to eat with friends and family. And now you're telling me that DIBCAC might come knocking on the door for some DIB organizations. And that kind of blows my mind because I heard we always had the old adage, right, was DIBCAC may come calling and they may want to see your documentation. You know, they'll call you on Monday and they want to see your documentation on Friday. I thought that would be what people would be more accustomed to. But now we're saying people are thinking that they're going to get Level 1 self-assessed and DIBCAC...
A
Yeah.
B
When we're doing a high assessment.
A
Yeah. Now it's a whole other conversation around how somebody would think that they were CMMC Level 1 if, I don't know, they were receiving marked CUI and they work on critical programs and they're the prime contractor and they've had these clauses in their contracts all along. Like I said, totally different story. No judgment. We're going to save that for another conversation.
B
Another conversation. Where's my scoop of ice cream that you promised?
A
Yeah, well, exactly. Yeah. If DIBCAC shows up bringing a gallon of ice cream around Thanksgiving, then Christmas will be canceled, as we'll find out shortly, because they are not playing around. And the clock starts ticking the moment that you get the official notice. So just a quick review. We've already covered DFARS 7012 and 7020 and all of the other clauses in the DFARS Cyber series, as we call it. We'll link to those below. If you're unfamiliar with the text of those clauses, watch those episodes; we step through all of the paragraphs of those clauses, which really are, you know, the center of gravity for the obligations imposed on contractors. CMMC is just a verification program for those requirements. This is when the DoD themselves shows up to do the audits. There's not a lot of DIBCAC auditors, which is why they went to a third-party system in CMMC to try to scale that audit capacity. But just the basics real quick. Since 2016, if you are handling controlled unclassified information under contract with the DoD, then the cybersecurity requirements in DFARS clause 252.204-7012 apply to you. And since 2020, the DoD reserves the right to show up and audit your compliance pursuant to DFARS clause 252.204-7020. This is the part of the CMMC 1.0 rule from 2020 that everybody forgets about. The reason you have to conduct a self-assessment and upload a score into SPRS, the reason why DIBCAC can show up and audit you at any time to see if you're actually complying with DFARS 7012, is because of the other half of the CMMC rule that never got put on hold, that never went back through other rulemaking. And so DIBCAC, which is part of the Defense Contract Management Agency, DCMA, will send you an email informing you that they will be at your door in 90 calendar days to assess your compliance with DFARS 7012. 90 calendar days, including holidays.
So the companies that we know of that got these emails at the end of October are getting their assessments in person with DIBCAC in the middle of January. Which means any prep, any deadlines around Christmas, Thanksgiving, New Year's, whatever holidays you celebrate, they don't care. You get 90 days in order to get ready for the show. The email includes a pre-assessment item document that outlines everything that DIBCAC wants to see. You can find this on the DIBCAC website, which we'll link below, if you want to go through and see the kinds of things that they're going to ask for. We're going to go through the list here in just a second. And then you have two weeks to acknowledge that you have received this notice. So happy Halloween everybody. DIBCAC would like to show up and verify your compliance. Please acknowledge this email within two weeks. We'll see you in January. Oh, by the way, here's a massive list of all of the things that you need to provide to us. See you next year.
B
Massive list that you need to provide within the next 90 days or within that two weeks. Right. Like the email introduces, says, hey, it's DIBCAC. Give us this list of stuff within two weeks and then in 90 days we're coming.
A
Yeah, so the audit in person will start in 90 days, but you have to provide these documents and artifacts ahead of the assessment for them to prep. So the tentative, like generic, schedule that's included in these emails says 5 weeks prior to the assessment you're going to have a pre-coordination phone call with them. So after you've acknowledged everything, and then a little while later, they're going to say, okay, let's get on the phone and make sure we're all on the same page. Two weeks prior to the assessment, they're going to send you a request to give them all of the artifacts in their list, sent over to them via DoD SAFE, which is their file transfer setup. A week before the assessment they're going to verify that they have received your documents. So they want it two weeks ahead of time. They need to 100% have it at least a week before the assessment starts. They're going to do their outbrief by the end of the assessment and then, no later than 60 days after the end of the assessment, they will provide the results of their audit to you. The assessments run Monday through Friday for a week from 8 in the morning until 4:30 in the afternoon. This will blank out an entire week for a number of people in your company to answer a lot of questions, and it's not negotiable because it's in your contract.
B
35 days. You have essentially 35 days from the time they email you to the time that your pre-coordination call is supposed to happen in order to have all of your stuff in order, all your artifacts and evidence delivered and everything like that, essentially.
A
Right? Merry Christmas, everybody.
B
Yeah.
A
So at this point, right, you have the data, you have DFARS 7012 and you have uploaded a score into SPRS. And hopefully it is an accurate score, because their action item checklist starts out with some basic things that they want from you. The first thing that they want you to do is to perform another self-assessment and then upload that score into SPRS. You're going to conduct this assessment in accordance with the DoD Assessment Methodology, the 5-, 3-, and 1-point controls, so on and so forth, and then you're going to upload that score into SPRS. Hopefully there's not a big disparity between your two scores, and hopefully that second score that you upload is also accurate, because they're going to be there in a couple weeks to double check all of your work. They want the basic self-assessment results provided to them, including a score for all of the system security plans that are relevant to all of the systems, and the date that the score of 110 is expected to be achieved if you have open items on a POA&M. They want you to provide them with the system security plans and any POA&Ms for all of the systems that are relevant to this assessment. They want all of the CAGE codes that are supported by your system security plan or plans, and they want a description in those SSPs of how each of the 110 security requirements is being implemented. And according to DIBCAC's own words in their pre-assessment checklist, simply copying and pasting the requirement verbiage from NIST SP 800-171 would not be acceptable. And by the way, NIST SP 800-171A, A as in alpha, is the companion publication developed to support assessments of CUI security requirements. As such, it is the primary and authoritative source of guidance for organizations conducting such assessments. I really, really, really hope, and I know that listeners of this podcast will not get caught in this situation, that a company is only finding out about 800-171A when they get the email from DIBCAC and open up their pre-assessment checklist.
That is a bad time to figure out that 171A exists.
B
Yeah. And I mean that's kind of how it was worded there, right? Like in that quote, it's just worded like oh yeah, in case you didn't.
A
Know, like by the way. Yeah.
B
This is the companion document that we're going there and you can.
A
Yeah, you can imagine that if you had uploaded a score in SPRS without knowing what 171A is, you magically discover what 171A is and you run the same assessment, your scores are going to be very different, and that's going to be a big question in like 80 to 90 days.
B
So let's just, from me immediately, just hearing the basics as you go through them and seeing them. Right. The one thing that really jumps out to me is there's gotta be some red flags that are gonna be raised for these organizations the week that DIBCAC comes, or the week before, when they have to submit this new SPRS basic score. Right. It goes from like negative to oh, we're in good shape, or we're in good shape to negative. Right. Like we've heard from DIBCAC and Nick Del Rosso in the past where when the things come in to be validated, it's different, and even more, just more red flags. If DIBCAC comes in, they say, hey, that score that you just changed to, that's now your most current and accurate score with all this stuff to reflect it. We just went through and evaluated and it's more like what you had in there before. Yeah, things can get really dicey.
A
Yeah. And we also know from DoD IG reports in the past and DIBCAC's own statements, DIBCAC works very closely with the Department of Justice. So do not mess around with these scores. These are not a joke. This is the Defense Contract Management Agency. This isn't some random C3PAO that you hired to verify your work. This is the real deal. So this is not for messing around. Outside of rerunning your basic assessment, uploading your score, making your SSP available, all of those things, now they get into the details of what they want to facilitate their on-site assessment. So they want you to provide a detailed network topology diagram and a network enterprise overview briefing, to include a high-level operational concept graphic of how everything works in your environment. They want a diagram of the enterprise network and the unclassified systems that have CUI traversing them. They say that the diagram must depict the network topology and security posture of the enterprise systems or enclaves that process CUI data. And these drawings and overview briefings must clearly delineate the applicable following things from this list: security boundaries; your cybersecurity stack; security event and information management from your SIEM; system connections to other systems and networks; your cloud connections and your data flow; wireless systems; dedicated point-to-point connections, MPLS, clouds; high-level IP address schema for your network; critical network services; vulnerability scanning methodology; authentication methodology; your enterprise logging methodology; any remote access that you have into these systems; how remote users browse the web and how you web content filter their activity; DNS, VoIP, video; any other relevant information to allow assessors to determine if your corporation is truly protecting CUI as a single or multiple enclave setup. That's what they want at the top in their briefing for how you are doing these things. Yes. Question.
B
Sounds a lot like the initial C3PAO assessment process. Right. Going, let's.
A
Very similar, very similar. And they want it right now. This isn't dependent on oh, we are going to schedule it out for a little while or what. I've heard from people who deal with DIBCAC, they're not exactly gracious with granting extensions. Their resources and time are very limited and they are very interested in talking to you as soon as possible. So yeah, if you're prepping for CMMC, then all of this stuff shouldn't sound unfamiliar. If you've been hoping that CMMC wasn't a thing and you don't know what any of this stuff is, congratulations. None of this has anything to do with CMMC. This is just DoD's own thing.
B
And then as the organization, technically they're your customer and they're evaluating your effectiveness. But when you're the organization, you're getting a C3PAO assessment, you're kind of in the customer relationship.
A
That's right.
B
And able to guide some stuff. You don't have any push here. Right. There's no leverage.
A
Yeah. This is, so, you know, if you want to sort of split hairs on the language that gets used, CMMC assessments are assessments and they're really only looking at your implementation of NIST SP 800-171. DIBCAC assessments are straight-up audits. They work for DCMA. And that gets us to the next section of this intake form where they talk about flow down. So if you've watched our video on DFARS 7012, you'll know that there are multiple paragraphs in that clause and only one of them says you need to implement NIST SP 800-171. The rest of the paragraphs are equally as valid. They have other obligations that are imposed on you, like FedRAMP Moderate equivalency, incident reporting, incident response, incident handling and flowing the clause down to subcontractors. Your CMMC assessment won't look at your flow down of DFARS 7012. That's not included in the scope of assessment. It is included in the scope of assessment for DIBCAC. They specifically say you need to demonstrate how the organization manages contractual lower-level system security plans. DIBCAC will assess the organization's ability to protect CUI at an enterprise level to cover as many contracts as practicable, which will inherit NIST SP 800-171 requirements from the enterprise. Here's the juicy part. Since DFARS 7012 requires covered contractor information systems to be subject to the security requirements in 800-171, DIBCAC will need to understand how the corporation provides governance over this process and will use a sample of contracts to ensure the enterprise mechanisms, policies, procedures and requirements flow down to the contract level. So you're giving us all this information about where your CUI goes; when that CUI goes to your subcontractor, 7012 is supposed to go as well. You can certainly prove to us that you've been governing that process, right?
B
Let's see, let's. Let's just see. Let's just give it a whirl.
A
Let's see. You can have a perfect 110 score and fully implement NIST SP 800-171 and have massive violations on your DIBCAC assessment because you haven't flowed anything down to follow the flow of CUI to your subcontractors. This is much bigger than just, oh, did you turn on MFA? Right? This is the Contract Management Agency. They're worried about contract flow down.
B
Sometimes when you tell me things are.
A
Juicy.
B
We exaggerate a little bit. I get it. But like when we're in the middle of a conversation where the entire conversation's juicy, I'm like, how could you make it even juicier? I don't know if you saw my face when I realized exactly what you were saying. That's wild. Because now what controls the spiderweb? There's no limits. It says we'll do maybe one or two contracts. It's how far do we go down this web? If you see, spinning deep. And now we get into those third, fourth, fifth tier contractors that, okay, just.
A
Like I hope you didn't find out what 171A is when you got their email. I hope the first time that you told your suppliers that they have these obligations wasn't when you got the email. So just be aware. And if you're one of these companies, you know, God forbid, that thought you were CMMC Level 1, that's a really bad situation because you just don't have time to get all this stuff done.
B
Oh dude, I totally.
A
That.
B
I just completely overlooked that.
A
That was the whole premise of the scoop. That was the whole premise of the show. Right.
B
Like this is happening to people that think that Level 1 was the only thing that was in the immediate future.
A
Yeah, absolutely. Yeah. Now, when this was starting out, like in 2020, 2021, this was all news to people. But at this point DIBCAC's gonna say hey man, DFARS 7020 has been out for six years. Like this isn't news to anybody. Well, speaking of the rest of DFARS 7012, not just flow down, they also say in addition to the NIST SP 800-171 requirements imposed by DFARS 7012, DIBCAC will need to verify compliance with the additional requirements of the clause: cloud computing, cyber incident reporting, cyber incident damage assessment activities. So you could have a perfect 110 score, having fully implemented 800-171, and have done none of the other paragraphs in DFARS 7012 and have massive problems on your hands when DIBCAC shows up that you wouldn't otherwise have in your CMMC assessment. So be aware, watch that episode on 7012. You have more than just what's in 171.
B
Yeah, I think that that's the thing. Even more mind-blowing here is people are narrowly focused on their CMMC requirements right when this hits them, and that CMMC focus is obviously siloed compared to what this covers. It's insane.
A
Yeah. So the good news is everybody has a fully staffed, fully funded, well-resourced, well-trained cybersecurity department inside of their company. And so DIBCAC isn't going to bother you, Mr. and Mrs. Business Owner, about the details of your compliance with cybersecurity requirements. They even give you a list of who they would like to talk to. The recommended subject matter experts who can demonstrate implementation and answer questions should be available for interviews for each security family in NIST SP 800-171, up to and including: your network administrator and security engineer; employees with audit and accountability responsibilities; cybersecurity and information technology policy oversight team; whoever's responsible for account management; personnel with information security responsibilities in general; your system developers; personnel with access enforcement responsibilities; your risk assessment team; your incident response team; your senior information security officer; anybody who works in human resources that's adjacent to these things; your physical security specialist and/or manager team; your configuration management team; anybody who runs enterprise services or leads that team; your Active Directory administrator, if you have such a person on your team; so on and so forth. If you make those people available, they can answer all the questions that DIBCAC has. Certainly those people are available, because that's how you answered the questions in accordance with NIST SP 800-171A.
B
Right, wait, so let's think about what realistically is going to happen for 70% of the DIB. It's going to be like, hi, here's the company that I outsource these services to, my service provider, right? And then for some of the stuff that they don't outsource, it's going to be the same person. They're just going to switch like polos, like in the old west movies with the guy that ran like the hotel and the bar at the same time, two different jobs like that. That's what it's like. That's what the real trenches are like.
A
Yeah, that's. Most companies do not have these separate dedicated teams.
B
Like half of the people listening to our show are going to be listening to every role that you just listed and they're like, wait, that's me, that's me.
A
I do all. Yeah, like I wear all those hats. Yeah, well, DIBCAC's going to want to talk to you. And so if you have been, I don't know, working with an outsourced managed service provider or managed security service provider, and they haven't really been doing what they've told you they've been doing, that's your problem. Because if you don't have a service level agreement that says they're going to be sitting at a table to answer these questions, if they're not prepared, if they're not ready to go in two weeks, five weeks out, you know, one week out and then the actual assessment, are they going to sit with you for five days, Monday through Friday from eight to four? Like, how much is that going to cost? Is that what they've built? Do they even know what's going on? Do they have any experience in what's happening? Do you just have one IT guy? Are you just finding out about all this stuff for the first time? This is not a joke. This is the real deal. This is completely separate from the CMMC process. This is happening to real companies right now. It has been happening for a long time, but for some reason we got notified of a flurry of these situations. If you are out there and you think you will be CMMC Level 1, double check your math. If you think you're not going to see a CMMC Level 2 C3PAO assessment requirement, go check sam.gov. I don't know if you've been checking it recently, but go check that, or follow me on LinkedIn. I post about them all the time; like and subscribe. I think then you need to also double check your math, because you could never see a CMMC Level 2 C3PAO requirement, and for whatever reason, you still have obligations under DFARS 7012, and DoD will still show up whenever they want pursuant to DFARS 7020. And you can't say, well, we thought CMMC wasn't happening. They're going to go, what are you talking about? That has nothing to do with what's in your contract.
B
Yeah, and I mean kind of the same outcome scenarios, right? Like you're going to lose contracts if you blow a DIBCAC assessment.
A
Right.
B
You're not. That's going to happen. It's not good for business.
A
The boilerplate language is standard. Contractual remedies will apply. You can get. Yeah, a bunch of stuff can happen. You can get fines, you can lose contracts, you can get negative performance indicators, you can get referred to the DOJ, so on and so forth. They're not very transparent with the kinds of things that happen. But as you can imagine, this is not the situation that you want to be in.
B
None of them sound good, none of them are good.
A
Nothing good will come out of getting this email and then discovering a new revelation every time you read every sentence in that email about the things that you are on the hook for and the things that you now need to provide quick, fast and in a hurry. So we have heard about this situation through the grapevine, either from the companies themselves or the people working with them. It is a mad scramble for them to get ready for this assessment and there's a good chance that it's going to cost them dearly. It's definitely going to cost them time and money. They are in a bad situation. So as we enter into the holidays, let's all give thanks that we haven't received these emails from DIBCAC and that we never will receive these emails from DIBCAC. But just so you know, they got some stocking stuffers for you. These things are all in contracts right now. Have been in contracts: 7020 has been in there since 2020. 7012 has been in there unchanged since 2016. They don't want to hear anything about your thoughts about CMMC, when you thought CMMC was going to happen, or what level of CMMC you thought was going to happen. Fun fact, pro tip here at the end. Thanks for staying until the end of the video. If you have a CMMC Level 2 C3PAO assessment, I have heard that DIBCAC isn't all that interested in what's going on, because they have some assurance that you've been doing these things and they'll move on to another company. So the best way to avoid this email, from what I have heard, is to go get your CMMC Level 2 C3PAO assessment, because that's what that system is for. So yeah, there you go everybody. This is real. It's absolutely happening. I hope everybody has a cheery Thanksgiving and is watching lots of football. A bunch of people out there are not having a good Thanksgiving. They're not going to have a good holiday season at all. And it sounds like they're not going to have a good 2026 either, because this is getting kicked off for them right there in January.
But there you go. We'll link to the DIBCAC website. It has a list of all the things that they would send you in the email. Make sure you're familiar with it because it's in your contracts. And there you go. We'll see you next week.
B
See you next week. Sam.
Date: November 27, 2025
Host: Summit 7 Team
This episode provides a crucial and timely update about a surge in DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessments, catching many defense contractors off guard just before the holidays. The hosts break down what these assessments mean, how they differ from CMMC Level 1 self-assessments, the real-world impact of DFARS 252.204-7012 and 252.204-7020 clauses, and offer advice for organizations who may be unprepared for a DIBCAC “knock at the door”. The tone mixes urgency, a dash of gallows humor, and sober calls to action.
Memorable Moments:
“Simply copying and pasting the requirement verbiage from NIST SP 800-171 would not be acceptable.” — Host A [08:47]
“I really, really, really hope… a company is only finding out about 800-171A when they get the email from DIBCAC… Bad time to figure out that 171A exists.” — Host A [09:32]
“Red Alert, Red Flag, nightmare scenario… Not the email anybody wants to get right before the holidays or ever.” — Host A [00:09]
“So what happens when you get the knock on your door?” — Host A [00:58]
“CMMC is just a verification program for those requirements. This is when the DoD themselves shows up to do the audits.” — Host A [03:16]
“This is the real deal. So this is not for messing around.” — Host A [11:05]
“You can have a perfect 110 score and fully implement NIST SP 800-171 and have massive violations… because you haven’t flowed anything down to your subcontractors.” — Host A [16:08]
“Half the people listening to our show… ‘Wait, that’s me, that’s me. I wear all those hats.'” — Host B [20:53]
“Nothing good will come out of getting this email and then discovering a new revelation every time you read every sentence…” — Host A [23:14]
Links to referenced resources (DFARS clause text, DIBCAC intake form, 7012 flowdown, etc.) are promised in the podcast description.
See you next week—hopefully without a DIBCAC email in your inbox.