Sum IT Up: CMMC News Roundup
Episode Summary – DIBCAC Assessment Requirements
Date: November 27, 2025
Host: Summit 7 Team
Episode Overview
This episode provides a crucial and timely update about a surge in DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) assessments, catching many defense contractors off guard just before the holidays. The hosts break down what these assessments mean, how they differ from CMMC Level 1 self-assessments, the real-world impact of DFARS 252.204-7012 and 252.204-7020 clauses, and offer advice for organizations who may be unprepared for a DIBCAC “knock at the door”. The tone mixes urgency, a dash of gallows humor, and sober calls to action.
Key Discussion Points & Insights
1. DIBCAC Assessments: The “Nightmare Scenario”
- [00:02] Host A reports a real uptick since October: at least half a dozen defense contractors have received official notice that DIBCAC will audit their compliance—specifically with DFARS 252.204-7012 and NIST SP 800-171.
- Many companies mistakenly believed only a CMMC Level 1 self-assessment was needed and are totally unprepared.
- “Red Alert, Red Flag, nightmare scenario, not the email that anybody wants to get right before the holidays or ever.” — Host A [00:09]
2. Key DFARS Clauses & DIBCAC Authority
- [02:42] Host A clarifies: DIBCAC assessments are NOT about CMMC—they are the DoD's own audits, justified under DFARS 7012 and the less-remembered but crucial 7020 clauses.
- Since 2016, contractors handling CUI have had DFARS 7012 requirements. Since 2020, DoD can audit compliance any time thanks to 7020.
- “CMMC is just a verification program. This is when DoD themselves show up to do the audits.” — Host A [03:16]
3. Anatomy of the DIBCAC Audit Notification
- [04:34] DIBCAC sends an email with:
  - 90 calendar days’ notice (including holidays) before the in-person audit
  - A pre-assessment document outlining all required artifacts and evidence
  - 2 weeks to acknowledge receipt of the notification
- If the notice comes near holidays, companies lose valuable prep time.
4. Audit Schedule and Deadlines
- [05:56] Breakdown of critical milestones:
  - 2 weeks: Submit the required documentation and artifacts list for DIBCAC prep
  - 5 weeks before assessment: Pre-coordination phone call
  - 2 weeks before assessment: Submit the full artifact package via DoD SAFE
  - Assessment week: 5 days, Monday–Friday, 8 am–4:30 pm, no negotiation
  - Within 60 days after assessment: Receive results
- “This will blank out an entire week for a number of people in your company… it's in your contract.” — Host A [07:01]
5. What DIBCAC Wants to See: Evidence & Documentation
- Required deliverables:
  - Fresh, accurate self-assessment per the DoD assessment methodology, uploaded to SPRS, with the relevant System Security Plans (SSPs) and Plans of Action & Milestones (POA&Ms)
  - Descriptive documentation—not just copy-paste from NIST
  - Explicit reference to NIST SP 800-171A as the authoritative source for how the assessment is conducted
  - Full network diagrams and operational briefs mapping every path CUI takes
  - Artifacts covering all network services, connections, logging, remote access, cloud, etc.
- Memorable moments:
  - “Simply copying and pasting the requirement verbiage from NIST SP 800-171 would not be acceptable.” — Host A [08:47]
  - “I really, really, really hope… a company is only finding out about 800-171A when they get the email from DIBCAC… Bad time to figure out that 171A exists.” — Host A [09:32]
6. Accuracy Matters: The Dangers of Fudging Your Scores
- DoD Inspector General reports and DIBCAC's own statements make clear: DIBCAC works closely with the DOJ.
- Falsified or “massaged” scores are not a joke—potential for legal jeopardy.
- “This is not some random C3PAO… This is the real deal. So this is not for messing around.” — Host A [11:05]
7. Scope Beyond NIST 800-171: Flowdown, Cloud, and Incident Response
- DIBCAC audits are broader than CMMC and explicitly cover:
  - Flowdown of DFARS 7012 to subcontractors (requiring SSPs and governance controls to show how CUI is protected down the chain)
  - Other DFARS 7012 requirements: FedRAMP equivalency for cloud, cyber incident reporting and damage assessment, etc.
- “You can have a perfect 110 score and fully implement NIST SP 800-171 and have massive violations… because you haven’t flowed anything down to your subcontractors.” — Host A [16:08]
8. Real Life in the Trenches: Resource Demands and Organizational Strain
- DIBCAC expects interviews with SMEs across all NIST families (network admins, audit/accountability, incident response, HR, etc.)
- Most small/medium businesses have 1–2 people wearing all these hats or outsource to MSPs—who often aren’t ready or contractually obligated to support you for a crushing assessment week.
- “Half the people… are going to be like, ‘Wait, that’s me, that’s me… I wear all those hats.’” — Host B [20:53]
- Outsourced providers may not supply required support or even know what is expected.
- “If you don’t have a service level agreement… that says they’re going to be sitting at a table to answer these questions… That’s your problem.” — Host A [21:01]
9. Real-World Consequences
- Failing a DIBCAC assessment brings severe contractual and reputational risks:
  - Fines, lost contracts, negative performance indicators, referrals to DOJ—the full menu of standard contractual remedies.
- “Nothing good will come out of getting this email and then discovering a new revelation every time” — Host A [23:14]
- DIBCAC’s process is opaque, but the business risk is clear and present.
10. Key Advice and Pro Tips
- Don’t expect CMMC delays or requirements to shield you from DIBCAC. These audits are contract-driven and predate CMMC.
- Best defense: Achieve CMMC Level 2 through a third-party (C3PAO) assessment; organizations with demonstrated compliance are less likely to face a DIBCAC in-person audit.
- “The best way to avoid this email… is to go get your CMMC Level 2 C3PAO assessment because that’s what that system is for.” — Host A [24:46]
Notable Quotes & Memorable Moments
- “Red Alert, Red Flag, nightmare scenario… Not the email anybody wants to get right before the holidays or ever.” — Host A [00:09]
- “So what happens when you get the knock on your door?” — Host A [00:58]
- “CMMC is just a verification program for those requirements. This is when the DoD themselves shows up to do the audits.” — Host A [03:16]
- “Simply copying and pasting the requirement verbiage from NIST SP 800-171 would not be acceptable.” — Host A [08:47]
- “This is the real deal. So this is not for messing around.” — Host A [11:05]
- “You can have a perfect 110 score and fully implement NIST SP 800-171 and have massive violations… because you haven’t flowed anything down to your subcontractors.” — Host A [16:08]
- “Half the people listening to our show… ‘Wait, that’s me, that’s me. I wear all those hats.’” — Host B [20:53]
- “Nothing good will come out of getting this email and then discovering a new revelation every time you read every sentence…” — Host A [23:14]
Timestamps of Important Segments
- 00:02 — Episode opens: DIBCAC announces audits to unprepared defense contractors
- 03:16 — Why these notices are more than CMMC; background on DFARS obligations
- 04:34 — Anatomy of the DIBCAC audit notification and pre-assessment checklist
- 05:56 — Walkthrough of the DIBCAC assessment schedule and timeline
- 08:47 — Why copying from NIST 800-171 isn't enough; importance of 800-171A
- 11:01 — Dangers of inaccurate scores and DOJ involvement
- 16:08 — The “juicy” part of the audit: flowdown to subcontractors and the broader DFARS 7012 obligations
- 20:53 — Resource realities for SMBs; impact of outsourcing and thin staffing
- 22:42 — Business consequences of failing a DIBCAC assessment
- 24:46 — Pro tip: Achieve CMMC Level 2 third-party assessment to minimize risk
Tone and Takeaways
- Language/Tone: Direct, slightly irreverent, but always practical. Mix of urgency (“nightmare scenario”), empathy (“Let’s all give thanks we haven’t gotten this email”), and real-world exasperation at persistent confusion over contracts, CMMC, and DFARS.
- Big Takeaway: DIBCAC can audit any defense contractor—regardless of CMMC status. Compliance with DFARS 7012, 7020, and proper preparation well before the notice comes are non-negotiable. Don’t sleep on NIST SP 800-171A, flowdown, or non-technical DFARS 7012 paragraphs. Third-party CMMC Level 2 is now a strategic shield.
Actionable Advice for Defense Contractors
- Review your contracts and understand all DFARS cybersecurity clauses (esp. 7012, 7020)
- Be audit-ready: Have all artifacts, evidence, and subject matter experts lined up—even if you think you only need “Level 1”
- Don’t rely on CMMC timelines—DFARS enforcement is here, now
- Consider proactive CMMC Level 2 C3PAO assessment to potentially avert DIBCAC scrutiny
Links to referenced resources (DFARS clause text, DIBCAC intake form, 7012 flowdown, etc.) are promised in the podcast description.
See you next week—hopefully without a DIBCAC email in your inbox.
