DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)

DIBCAC is the Department of Defense organization responsible for evaluating defense contractors’ cybersecurity compliance with DFARS requirements, including their implementation of NIST SP 800-171. DIBCAC conducts both voluntary and mandatory assessments and assigns confidence-level scores that are recorded in the Supplier Performance Risk System (SPRS) — scores that directly impact a contractor’s eligibility for DoD contracts.

What Is DIBCAC?

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) operates under the Defense Contract Management Agency (DCMA) and serves as the primary body for assessing defense contractors’ compliance with DFARS cybersecurity clauses. DIBCAC evaluates how well contractors have implemented the 110 security requirements in NIST SP 800-171 through structured assessment methodologies that go beyond self-reported scores.

Types of DIBCAC Assessments

DIBCAC conducts assessments at three confidence levels, as defined by DFARS 252.204-7019 and 252.204-7020:

  • Basic Assessment: A contractor self-assessment scored against the DoD Assessment Methodology. The resulting score (ranging from -203 to 110) is submitted to SPRS by the contractor.
  • Medium Assessment: Conducted by DIBCAC, this involves a review of the contractor’s System Security Plan (SSP) and supporting documentation, along with interviews, but does not include on-site verification.
  • High Assessment: The most rigorous level, involving on-site examination by DIBCAC assessors who verify that security controls are implemented as documented and are operating effectively.

DIBCAC vs. C3PAO Assessments

While DIBCAC and CMMC Third-Party Assessment Organizations (C3PAOs) both evaluate contractor cybersecurity, they serve different purposes. DIBCAC assessments evaluate compliance with current DFARS requirements and produce SPRS scores. C3PAO assessments are part of the CMMC certification process and result in a formal certification level. As CMMC implementation progresses, DIBCAC will continue to play a role in high-assurance assessments and oversight of the broader DIB cybersecurity posture.

Preparing for a DIBCAC Assessment

Organizations preparing for a DIBCAC assessment should ensure that:

  • the System Security Plan (SSP) accurately reflects the current security posture;
  • Plan of Action and Milestones (POA&M) documents are current and realistic;
  • evidence of control implementation is organized and accessible;
  • personnel are prepared to discuss their roles in maintaining security controls; and
  • network diagrams and data flow documentation are up to date.

DIBCAC assessments can be triggered by contract requirements, DoD selection for assessment, or as part of incident response activities.

SPRS Score Implications

DIBCAC assessment results feed directly into the Supplier Performance Risk System (SPRS), which contracting officers consult when making award decisions. A low SPRS score can disqualify a contractor from competing for contracts that require handling CUI. Maintaining an accurate, high-confidence SPRS score is increasingly critical as the DoD tightens enforcement of cybersecurity requirements across the Defense Industrial Base.