
DIBCAC Assessment: What It Is, the Types, and How It Connects to CMMC

By The Defense Compliance Report Editorial Team

If a prime contractor, a new solicitation, or a government email just put the words DIBCAC assessment in front of you, start here: it isn't one thing — and most of the versions people worry about aren't something you can sign up for.

A DIBCAC assessment is a U.S. government review of how well a defense contractor has actually implemented NIST SP 800-171 (the 110 cybersecurity requirements for protecting Controlled Unclassified Information). It's run by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a component of the Defense Contract Management Agency (DCMA) — not by a private assessor. The phrase usually points to one of three government assessments: a DIBCAC Medium assessment, a DIBCAC High assessment, or a CMMC Level 3 certification assessment. (People also use it loosely when they mean a C3PAO certification or an old self-assessment — we'll untangle those too.) Which one matters to you depends on your contract, whether you handle CUI, and where you are in the process. And here's the part most pages skip: for the Medium and High assessments, DoD selects you — you can't apply.

That's the whole search in one breath. Below, we decode which one applies to you, what each is scored against, what actually happens during the assessment, where the result lands, what it costs, what the February 2026 rule changes did (and didn't) touch, and the one honest catch nobody advertises. Every regulatory claim on this page is cited to its primary source, and we tell you what we verified and when.


Is this page for you?

Yes, if: you were selected or notified for a DIBCAC assessment, a prime or a solicitation used the term, you're a subcontractor trying to figure out whether flow-down reaches you, or you read somewhere that a "DIBCAC High" can turn into a CMMC certification and want to know if that's real.

Probably not, if: you already know your contract requires a CMMC Level 2 (C3PAO) assessment and you just want to choose an assessor — go straight to our C3PAO selection framework. Or if you only want the self-assessment-versus-C3PAO cost gap — see CMMC Level 2 self-assessment vs. C3PAO.


Which DIBCAC assessment are you actually facing? (Start here)

The fastest way to stop spinning is to name what just happened. Find your row.

If this is what happened | You're probably dealing with… | Your immediate next step
Your solicitation or contract says "Level 3 (DIBCAC)" | A CMMC Level 3 certification assessment | Confirm you have (or can get) a Final Level 2 (C3PAO) for the same scope — it's a prerequisite.
DCMA/DIBCAC notified you of a High or Medium assessment | A government NIST SP 800-171 assessment (not necessarily CMMC Level 3) | Organize your SSP, evidence, scope, and the people who can explain your controls.
A prime told you "you'll face DIBCAC" or "Level 3 is coming" | Flow-down ambiguity | Ask the prime, in writing, for the required level, your CUI/FCI status, the assessment type, and the timeline.
You have a DIBCAC High from before the CMMC rule (or a Joint Surveillance assessment) | Possible CMMC Level 2 reciprocity | Check SPRS. A qualifying pre-rule DIBCAC High with a perfect 110, no open POA&M, and Level 2-aligned scope may already count as Final Level 2 (C3PAO).
You got a Conditional result | A POA&M closeout problem | Track your 180-day clock and remediate only the items the rule allows.

Not sure which row is yours? That's normal — the term genuinely collapses several different processes into one scary phrase. The tool below (and the full decoder further down) will sort it out.

Not sure which applies to you?

Use The Defense Compliance Report's Find My CMMC Path tool — answer a few non-sensitive questions about your required level, CUI scope, environment, and timeline, and we'll map your situation to the right provider category before you spend a dollar or field a quote.

Educational triage · about two minutes · no obligation · do not submit CUI, drawings, or sensitive contract details.


The right CMMC provider isn't the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can't resolve those for you, use The Defense Compliance Report's Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. On this page we route to a provider category, not a named vendor; any paid sponsorship, referral, or partner relationship is disclosed wherever a named provider is recommended. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. We are not affiliated with, endorsed by, or acting on behalf of the Cyber AB, the U.S. Department of Defense, DCMA DIBCAC, NIST, SPRS, or any U.S. government agency. This is educational research, not legal, contractual, or compliance advice — confirm your obligations against the primary sources and a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.


What is a DIBCAC assessment (and who runs it)?

Answer capsule: A DIBCAC assessment is conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), a component of the Defense Contract Management Agency (DCMA). DIBCAC verifies contractor compliance with DFARS 252.204-7012 and NIST SP 800-171. For a Medium or High assessment it produces a confidence-rated score in the Supplier Performance Risk System (SPRS); for CMMC Level 3 it enters results in the CMMC instance of eMASS, which transmits status to SPRS. DIBCAC is also the DoD's only authorized assessor of C3PAOs and the sole entity that performs CMMC Level 3 assessments.

DIBCAC is the government's cybersecurity auditor for the defense supply base. On its official page, DCMA describes DIBCAC as leading the department's contractor cybersecurity risk-mitigation efforts and assessing compliance with DFARS clause 252.204-7012, NIST SP 800-171, and the NIST SP 800-171 DoD Assessment Requirements (dcma.mil/DIBCAC). In plain terms, DIBCAC checks whether the controls you say you have are the controls you actually have — and it scores the gap. This isn't a hypothetical office, either: in the CMMC rule's own words, DIBCAC had already assessed 357 entities, including DoD's major prime contractors, as of the rule's publication (Federal Register, 89 FR 83092).

Four roles matter, and they're worth keeping straight:

  1. It runs the government's Medium and High NIST SP 800-171 assessments. These are the "how good is your 800-171 implementation, really?" reviews that produce a confidence-rated SPRS score.
  2. It is the sole assessor for CMMC Level 3. No private firm can grant Level 3.
  3. It is the only authorized assessor of the C3PAOs themselves. Before a Certified Third-Party Assessment Organization can assess anyone else, its own environment has to pass a DIBCAC Level 2 assessment.
  4. It verifies DFARS 252.204-7012 — the safeguarding and 72-hour cyber-incident-reporting clause that has applied to CUI-handling contractors since 2017.

DCMA, not DCSA — a mix-up that trips up whole articles

Here's a distinction we see even well-known glossaries get wrong: DIBCAC sits under DCMA (the Defense Contract Management Agency). It is not part of the DCSA (the Defense Counterintelligence and Security Agency). DCSA runs a separate FOCI (Foreign Ownership, Control, or Influence) review that C3PAOs also have to clear — different agency, different check, different purpose. If a source tells you DIBCAC is "under DCSA," treat everything else on that page with caution; we verified DIBCAC's DCMA parentage directly on the official DCMA site on July 2, 2026.

Primary sources: DCMA DIBCAC; 32 CFR Part 170; Federal Register, 89 FR 83092.


Which DIBCAC assessment are you actually facing? (The full decoder)

Answer capsule: "DIBCAC assessment" can mean several different things depending on your contract and where you are in the process. The reference below maps each meaning to who conducts it, whether you can request it, what it's scored against, where the result is recorded, and what it costs you. Most contractors match exactly one row.

This is the table we wish existed when we started researching the term — the kind of thing that otherwise takes eight browser tabs and a spreadsheet to assemble. It's built entirely from primary sources, cited beneath.

If "DIBCAC assessment" means… | Who conducts it | Can you request it? | Scored against | Result / status | Recorded in | Direct fee to you
NIST SP 800-171 self-assessment (the CMMC Level 2 (Self) assessment) | You | You run it; required by clause | 110 NIST 800-171 Rev. 2 controls (320 objectives) | Low-confidence score; Level 2 (Self) status | SPRS (you post) | No fee (internal labor)
DIBCAC Medium assessment | DCMA DIBCAC | No — DoD selects you | 110 NIST 800-171 Rev. 2 (thorough document/SSP review + discussions) | Medium-confidence SPRS score | SPRS (DIBCAC posts) | No government fee
DIBCAC High assessment | DCMA DIBCAC | No — DoD selects you | 110 NIST 800-171 Rev. 2 (adds verification, examination & demonstration of the SSP) | High-confidence SPRS score | SPRS (DIBCAC posts) | No government fee
CMMC Level 2 (C3PAO) — not DIBCAC | Authorized C3PAO | Yes | 110 NIST 800-171 Rev. 2 | Level 2 (C3PAO) status | eMASS → SPRS | Yes — C3PAO fee (DoD estimate ~$104,670–$117,768 over the 3-yr cycle)
CMMC Level 3 (DIBCAC) | DCMA DIBCAC (sole assessor) | Yes — after Final Level 2 (C3PAO) | 24 selected NIST 800-172 requirements (+ limited 800-171 re-checks) | Level 3 (DIBCAC) status | eMASS → SPRS | No government assessment fee (readiness/engineering cost is high)
Pre-rule DIBCAC High / Joint Surveillance assessment | DCMA DIBCAC (Joint Surveillance was run with a C3PAO) | Was available during the rollout | 110 NIST 800-171 Rev. 2 | A perfect 110 (no open POA&M, aligned scope) → Final Level 2 (C3PAO) under § 170.20 | SPRS |
A DIBCAC assessment of a C3PAO (only if you are one) | DCMA DIBCAC | Required for C3PAO authorization | CMMC Level 2 requirements | C3PAO authorization | Cyber AB / eMASS |

Sources: DCMA DIBCAC (roles; Medium/High; sole Level 3 assessor; assessor of C3PAOs); 32 CFR § 170.4 (DCMA DIBCAC High Assessment definition), § 170.17, § 170.18, § 170.20; Federal Register 89 FR 83092 (DoD cost estimates).

Read the table top to bottom and one thing jumps out: only two of these are things you initiate yourself — the self-assessment (which isn't a DIBCAC assessment at all) and the Level 3 request (which you can only make after clearing a C3PAO). Everything else with "DIBCAC" on it, the government starts. Hold that thought; it's the honest catch we come back to below.


DIBCAC Medium vs. High vs. CMMC Level 3 — the three government assessments

Answer capsule: A DIBCAC Medium assessment is a thorough review of your documentation and System Security Plan (SSP) plus discussions with your team, producing a Medium-confidence score. A DIBCAC High assessment adds verification, examination, and demonstration of the SSP — the assessors confirm the controls actually work — producing a High-confidence score. A CMMC Level 3 assessment, which only DIBCAC performs, adds 24 enhanced requirements selected from NIST SP 800-172 on top of Level 2 and requires a Final Level 2 (C3PAO) first.

 | DIBCAC Medium | DIBCAC High | CMMC Level 3 (DIBCAC)
Standard | NIST 800-171 Rev. 2 (110) | NIST 800-171 Rev. 2 (110) | 24 selected from NIST 800-172 (+ limited 800-171 checks)
Method | Thorough document/SSP review + discussions | Adds verification, examination & demonstration of the SSP; access to facilities, systems & personnel as needed | Examination, demonstration & interviews against the 24 enhanced requirements
Result | Medium-confidence score | High-confidence score | CMMC Level 3 status
Who starts it | DoD selects you | DoD selects you | You request it
Prerequisite | None | None | Final Level 2 (C3PAO), same scope
Recorded in | SPRS | SPRS | eMASS → SPRS
POA&M | n/a | n/a | Conditional if score ≥ 80%; 180-day closeout; some 800-172 controls can't be deferred

And the "Basic" you may have heard of? The old three-tier "Basic / Medium / High" language came from the DoD Assessment Methodology, where "Basic" simply meant your own self-assessment (Low confidence) — not a DIBCAC assessment. As of February 2026, the standalone DFARS "Basic" self-assessment requirement was folded into the CMMC framework (more on that below). CMMC self-assessments still exist — Level 1 (Self) and Level 2 (Self) — so the practical self-assessment paths haven't disappeared; the separate DFARS "Basic" reporting requirement is what went away. If someone still calls a self-assessment a "DIBCAC Basic assessment," they're conflating two different things.

Primary sources: 32 CFR § 170.4, § 170.18; Federal Register 89 FR 83092 (Level 3 = 24 requirements from NIST SP 800-172 Feb 2021).


What happens during a DIBCAC Medium or High assessment?

Answer capsule: A DIBCAC Medium assessment centers on a thorough review of your documentation and SSP plus discussions with your team. A DIBCAC High assessment adds verification, examination, and demonstration of your SSP — the assessors confirm the controls actually work, with access to your facilities, systems, and personnel as needed. Either way, you get a chance to respond before the summary score is posted to SPRS.

There's no mystery to the sequence once you know it. For a government NIST SP 800-171 assessment, expect roughly this arc:

  1. Selection and scheduling. DoD identifies you (you don't apply). The rule notes that planning and scheduling typically happen 3 to 6 months in advance to give both sides time to prepare — though DoD's identified priorities can expedite an assessment (Federal Register 89 FR 83092).
  2. Document and SSP review. Assessors work through your SSP and supporting evidence.
  3. Discussions. Interviews and clarification with the people who run your controls.
  4. Verification, examination, and demonstration (High). For a High assessment, assessors validate that controls are implemented as your SSP describes — not just documented (32 CFR § 170.4, DCMA DIBCAC High Assessment definition).
  5. Findings and a score. Your NIST SP 800-171 implementation is scored (see the scoring section below).
  6. Your response window. After the assessment is complete, you have 14 business days to provide additional information or rebut findings before the summary score is posted to SPRS (DFARS 252.204-7020 / now 252.240-7997). Separately, the CMMC rule provides a 21-day appeal window for a DIBCAC-conducted CMMC assessment (32 CFR Part 170).
  7. SPRS posting. The score and supporting details land in SPRS.

The practical takeaway: nothing here rewards a last-minute scramble. The assessors are checking whether your documented controls match operational reality — which is exactly what the preparation section below is built around.


Can you request a DIBCAC assessment, or does DoD choose you?

Answer capsule: For NIST SP 800-171 Medium and High assessments, DoD selects the contractor — you cannot apply. Scheduling typically happens 3 to 6 months in advance, though DoD priorities can expedite it. The only DIBCAC assessment you request yourself is CMMC Level 3, and only after you hold a Final Level 2 (C3PAO).

This is the single most common misunderstanding we see, so let's be blunt about it. The CMMC rule's own text spells out how the government initiates these reviews: any DoD component can request DCMA DIBCAC to run an assessment, those requests take priority in scheduling, and DIBCAC determines the assessment date and notifies the company to begin the pre-assessment process (Federal Register 89 FR 83092). Translation: there's no "book a DIBCAC assessment" button, and the schedule is the government's to set — not something you shop around.

DIBCAC's prioritization follows risk. DCMA states it collects and analyzes data on DoD contractors — mission-critical programs, technologies, and infrastructure; cyber threats, vulnerabilities, or incidents; and DoD leadership requests — and adjusts as the department's cyber priorities evolve (Federal Register 89 FR 83092). If you support a sensitive program, assume you're more likely to be on the list.

The exception is Level 3: you initiate that one by emailing DCMA DIBCAC (with your Level 2 certification identifier) once you're eligible. We cover the how below.


DIBCAC assessment vs. C3PAO (CMMC) assessment — not the same thing

Answer capsule: A DIBCAC assessment is performed by government assessors. A CMMC Level 2 certification assessment is performed by a private, Cyber AB-authorized C3PAO (Certified Third-Party Assessment Organization). Both evaluate the same 110 NIST SP 800-171 Rev. 2 controls, but they produce different records and serve different purposes — and DIBCAC also assesses the C3PAOs themselves.

Same standard, different assessor, different record. A DIBCAC NIST 800-171 assessment posts a score directly to SPRS. A C3PAO assessment flows through the CMMC instance of eMASS (the government's assessment-management system) and populates SPRS from there (32 CFR § 170.17). One is the government grading you; the other is an accredited private firm certifying you against the same rulebook.

The part contractors don't realize: DIBCAC can override your CMMC status

A C3PAO certificate is not a force field. Under 32 CFR § 170.16 and § 170.17, DoD reserves the right to run a DIBCAC assessment even after you've been self-certified or C3PAO-certified — and the rule is explicit about what happens next: if a subsequent DIBCAC assessment shows you haven't achieved or maintained compliance, those results "will take precedence over any pre-existing CMMC Status," and DoD will update SPRS to show you out of compliance (32 CFR § 170.16, § 170.17). Certification gets you in the door; it doesn't exempt you from the government's own audit. This is exactly why "we passed, so we're done forever" is the wrong mental model.

One more independence rule worth knowing

The firm that prepares you can't also serve as your C3PAO assessor within the rule's conflict window. The CMMC rule prohibits a CMMC ecosystem member from participating in a Level 2 certification assessment for an organization it served as a consultant — to prepare that organization for a CMMC assessment — within the prior three years (32 CFR Part 170). Keep readiness work and formal assessment in separate lanes; if a single vendor offers to both fix you and grade you on the same engagement, that's a conflict, not a convenience.

Assessment-ready and know you need Level 2 (C3PAO)?

Your next move is choosing an assessor with no independence conflict — and getting on a schedule early, because C3PAO capacity is finite.


How a DIBCAC High score becomes CMMC Level 2 (§ 170.20) — the reciprocity, precisely

Answer capsule: Under 32 CFR § 170.20, a contractor that achieved a perfect score with no open POA&M on a DCMA DIBCAC High Assessment conducted before the CMMC rule's effective date (December 16, 2024) — including an eligible Joint Surveillance assessment — and whose scope matches a Level 2 CMMC Assessment Scope is given Final Level 2 (C3PAO) status, valid for three years from the date of that original assessment. This is a pre-rule on-ramp, not a promise that any future DIBCAC High automatically converts.

The reciprocity is real and it's valuable — but it's narrower than a lot of pages imply, so read the fine print. The rule gives Final Level 2 (C3PAO) status to a pre-rule DIBCAC High that had a perfect 110, no open POA&M, and a scope aligned to Level 2 — good for roughly 36 months tied to when that assessment was actually performed (32 CFR § 170.20). That explicitly includes assessments done through the Joint Surveillance program that ran during the CMMC rollout (Greenberg Traurig analysis of the Final Rule).

What it does not do is let you engineer a shortcut today. § 170.20 is written for assessments conducted prior to the rule — the Joint Surveillance on-ramp that produced those qualifying assessments is no longer the path for a new contractor. For a fresh Level 2 certification, the standard route is a C3PAO assessment (or getting selected for a DIBCAC High, which you don't control). If you have a legacy DIBCAC High or Joint Surveillance result, check SPRS to confirm it's reflected correctly — don't assume the conversion happened.

The one honest catch (and why it's actually good news)

Here's the part most pages won't tell you plainly: you mostly can't "book" a DIBCAC assessment to speed up certification. For Medium and High assessments, DoD picks you — there's no application. And the § 170.20 reciprocity that turned a DIBCAC High into a CMMC Level 2 certification only applies to assessments conducted before the rule. So if you came here hoping to schedule a DIBCAC assessment as a faster route to certified status, that door is mostly shut.

Now the good news, because this genuinely works in your favor: a DIBCAC High and a C3PAO Level 2 assessment score the exact same 110 NIST SP 800-171 Rev. 2 controls, against the same scope — the rule itself defines a DIBCAC High's scope as matching a Level 2 CMMC Assessment Scope. The work to pass either is the same work. That means you don't need to guess which assessment will come — you need to be ready for the standard. Get the 110 controls truly implemented and your evidence in order, and you're covered whether the government selects you for a High or you pursue Level 2 through a C3PAO. The thing you can't control (which assessment) stops mattering once you've done the thing you can control (the readiness).

Get ready on your terms

Download the CMMC Readiness Checklist, mapped to the 14 NIST SP 800-171 control families — the same 110-control groundwork a DIBCAC High or a C3PAO Level 2 assessment will hold you to.


Does DIBCAC do CMMC Level 3? (Yes — it's the sole assessor)

Answer capsule: Yes. DCMA DIBCAC is the only entity authorized to conduct CMMC Level 3 assessments. Level 3 requires a Final Level 2 (C3PAO) status first, then adds 24 enhanced requirements selected from NIST SP 800-172. You request a Level 3 assessment by emailing DCMA DIBCAC with your Level 2 certification identifier. DoD expects only a small fraction of the defense industrial base to need Level 3.

Level 3 is the top tier, reserved for the most sensitive CUI, and DIBCAC owns it end to end. A few specifics that resolve the usual follow-ups:

The prerequisite is non-negotiable. You must hold a Final Level 2 (C3PAO) status for the systems in your Level 3 scope before DIBCAC will assess Level 3 (32 CFR § 170.18). A Conditional Level 2 with open POA&M items doesn't start the clock — it has to be Final.

How you initiate it. Per DCMA's own instructions, you email the DIBCAC-CMMC point of contact with a request that includes your Level 2 (C3PAO) certification unique identifier; DIBCAC validates your Level 2 status and contacts you to schedule (Federal Register 89 FR 83092; dcma.mil/DIBCAC).

What's assessed. DIBCAC focuses on the 24 selected NIST SP 800-172 requirements, but may perform limited re-checks of the 110 NIST SP 800-171 controls (Federal Register 89 FR 83092). Note a scoping wrinkle: assets that were "Contractor Risk Managed" at Level 2 are treated as CUI Assets if they sit inside a Level 3 scope.

Conditional Level 3 and POA&M. Level 3 scoring is simple — each of the 24 requirements is worth one point. You can earn Conditional Level 3 if your score is at least 80% of the maximum, with a 180-day window to close the gaps, after which DIBCAC verifies closeout and posts the result to eMASS/SPRS (32 CFR § 170.18, § 170.21). Certain Level 3 requirements can't be placed on a POA&M at all — those have to be fully met.

Who actually needs it. Very few. Level 3 is aimed at protecting CUI on the highest-priority programs against advanced persistent threats, and DoD expects only a small fraction of the DIB to require it. If your prime holds Level 3, that does not automatically flow Level 3 down to you — see the subcontractor section below. For the full requirements breakdown, see our CMMC Level 3 requirements guide.


How the DIBCAC assessment score works (−203 to 110) and where it lands

Answer capsule: DIBCAC scores your NIST SP 800-171 implementation using the DoD Assessment Methodology: start at 110 and subtract 1, 3, or 5 points for each requirement that isn't fully met. The range runs from +110 down to −203, so a first assessment can easily be negative. There's no valid score without a System Security Plan, and DIBCAC posts the result to SPRS.

The scoring is subtractive and unforgiving, which is why so many first scores shock people. You begin with a perfect 110 and lose points for every requirement you can't demonstrate:

Point value if NOT MET | Number of controls | Examples
−5 each | 42 controls | High-impact controls whose absence would let an attacker into the network
−3 each | 14 controls | Controls with a narrower, contained security impact
−1 each | ~54 controls | Lower-impact controls
Special case (−3 or −5) | 2 controls | Multifactor authentication (3.5.3) and FIPS-validated cryptography (3.13.11), which deduct 3 or 5 points depending on how partially they're implemented

Because those weighted deductions add up to more than 110, the floor is −203. A contractor who hasn't done the work in earnest routinely lands well below zero — the whole reason DoD moved away from self-attestation is that self-reported scores frequently didn't hold up under a real assessment.

A few rules that decide pass or fail:

  • No SSP, no score. Without a System Security Plan, the assessment can't be completed and you're treated as non-compliant with DFARS 252.204-7012. The SSP is the foundation, not the paperwork.
  • No partial credit toward a MET finding. A requirement is scored MET only when all of its assessment objectives are satisfied — there are 320 objectives across the 110 controls. (The point deduction for MFA and FIPS-validated cryptography is the only place partial implementation changes the math — a 3-point rather than 5-point hit.) (32 CFR § 170.24.)
  • Fix the 5-pointers first. MFA and FIPS-validated cryptography are among the most-missed high-value controls; closing them moves your score the most.
  • 88 vs. 110 for CMMC. For CMMC Level 2, a Conditional status requires a score of at least 80% of the maximum (88 out of 110) with a compliant POA&M — and certain higher-weight controls must be MET, not deferred. Final status requires the full 110 with everything MET (32 CFR § 170.21, § 170.24).

Want to see the government's own data instead of taking anyone's word for it? DCMA publishes a Public High NIST SP 800-171 Self-Assessment Database on the DIBCAC page — a primary artifact you can download and inspect yourself. See also our NIST 800-171A assessment objectives breakdown for the full 320-objective picture.

Primary sources: the DoD NIST SP 800-171 Assessment Methodology; NIST SP 800-171A; 32 CFR § 170.21, § 170.24.


What a DIBCAC assessment actually costs (and what's free)

Answer capsule: The government does not charge a fee for a DIBCAC assessment — Medium, High, and Level 3 are conducted by government assessors. Your real cost is readiness and remediation. That's the opposite of the C3PAO path, where DoD's own per-entity estimate for a Level 2 (C3PAO) assessment is roughly $104,670 (small entity) to $117,768 (larger entity) over the three-year cycle, on top of remediation.

Let's separate the assessment invoice from the true cost, because they're wildly different things. The figures below are DoD's own per-entity regulatory-analysis estimates from the CMMC rule — not market quotes.

Path | Government assessment fee | DoD per-entity estimate | Where your money actually goes
DIBCAC Medium / High (NIST 800-171) | None (government-conducted) | | Readiness, SSP, remediation, engineering, evidence, staff time
CMMC Level 2 (Self) | None | ~$37,000–$49,000 (incl. affirmations) | Readiness + self-assessment labor
CMMC Level 2 (C3PAO) | C3PAO charges a fee | ~$104,670 (small) to $117,768 (larger) over the 3-yr cycle | Remediation + C3PAO fee + travel
CMMC Level 3 (DIBCAC) | None (DIBCAC-conducted) | ~$12,802 (small) to $44,444 (larger) in assessment/affirmation support over 3 yrs, on top of Level 2 | Heavy remediation + advanced controls (e.g., 24/7 monitoring)

Figures are DoD's per-entity regulatory-analysis estimates from the Federal Register (89 FR 83092).

Two things worth sitting with. First, notice the Level 3 line: even though DIBCAC (the government) runs the assessment and charges no fee, the contractor's cost to prepare for and support that assessment still runs from about $12,802 to $44,444 over three years — and that's before the heavy engineering to stand up the advanced Level 3 controls. "Free assessment" never means "free compliance."

Second, the number that surprises people: for a contractor starting from low maturity, remediation is usually the largest single line item — not the assessment. In the market, all-in Level 2 programs (readiness, remediation, tooling, and the assessment) are commonly quoted anywhere from ~$50,000 to $300,000+, driven almost entirely by how much of your environment is in scope and how far your current controls are from the standard. Treat those as market ranges reported by CMMC service providers, not DoD figures.

Which points to the single biggest lever you have: scope reduction. Pulling CUI into a dedicated CUI enclave — instead of letting it sprawl across your whole enterprise — shrinks both the remediation bill and the assessment.

Cost is the problem? Attack the scope first.

The fastest way to cut both remediation and assessment cost is to shrink what's in scope. See the CMMC enclave cost and the scope-reduction math — then use Find My CMMC Path to match the work to the right category of provider before you request scoped quotes.


Did the 2026 FAR overhaul change DIBCAC assessments?

Answer capsule: Mostly no — it renamed the paperwork, not the assessment. Effective February 1, 2026, the Revolutionary FAR Overhaul (RFO) class deviations eliminated DFARS 252.204-7019 and renumbered DFARS 252.204-7020 to DFARS 252.240-7997, removing the standalone "Basic" self-assessment. DIBCAC's Medium and High assessments are unchanged — still government-conducted under NIST SP 800-171A, with scores still posted to SPRS by DIBCAC.

If you've read older guides, you'll see the clauses "252.204-7019" and "252.204-7020" cited as current. As of February 2026, a new set of clause numbers is in play — and knowing which is which is a quiet way to tell whether a source is keeping up. Here's the crosswalk we verified against the DoD class-deviation postings:

Old citation | New citation (RFO class deviation) | Current status | What it means for DIBCAC assessments
DFARS 252.204-7019 | Eliminated | Class deviation (interim); CFR not yet updated | The standalone "Basic" self-assessment + SPRS-posting requirement is gone; assessment obligations now run through CMMC (DFARS 252.204-7021).
DFARS 252.204-7020 | DFARS 252.240-7997 | Class deviation (interim); codified 252.204-7020 still shown on Acquisition.gov | Renumbered; "Basic" removed. DIBCAC Medium & High assessments are unchanged — still government-run per NIST SP 800-171A, scores posted to SPRS by DIBCAC.
FAR 52.204-21 | FAR 52.240-93 | Class deviation (interim) | Same 15 FCI safeguards; renumbered under the new FAR Part 40. (Underpins CMMC Level 1.)
DFARS 252.204-7012 | Unchanged | Codified | Still the CUI-safeguarding and 72-hour incident-reporting clause DIBCAC verifies.
DFARS 252.204-7021 | Unchanged | Codified | Still the CMMC clause — now the primary assessment pathway.
DFARS 252.204-7025 | Unchanged | Codified | Where the contracting officer specifies Level 1 (Self) / 2 (Self) / 2 (C3PAO) / 3 (DIBCAC).

Sources: DoD Revolutionary FAR Overhaul class deviations (Class Deviation 2026-O0025, DFARS Part 240, effective Feb 1, 2026); Acquisition.gov DFARS 252.204-7020; DCMA DIBCAC.

Why you'll still see both numbers. These are class deviations — interim regulatory text the government is using ahead of formal rulemaking, not the finalized Code of Federal Regulations. So during the transition you'll see the old numbers in the CFR, in older contracts, and even on official pages: Acquisition.gov still displays the codified DFARS 252.204-7020, the CMMC rule at 32 CFR Part 170 still references "252.204-7020," and DCMA's own DIBCAC page still cites it. Solicitations that invoke the RFO class deviation use the new numbers; many active contracts still use the old ones. The safe move is simple — follow the clause set in your actual solicitation or contract, and don't assume a number is wrong just because it's the old one.

The bottom line for a contractor: nothing about how DIBCAC assesses you changed. The Medium and High assessments still measure the same 110 controls the same way and still post to SPRS. The "Basic" self-attestation went away as a standalone DFARS requirement because it now lives inside the CMMC framework. See also our full DFARS 252.204-7019 and 7020 explainer for the complete clause history.


If your prime has Level 3, does your subcontract need DIBCAC too?

Answer capsule: Not automatically. A Level 3 prime requirement does not, by itself, mean every subcontractor needs a DIBCAC Level 3 assessment. Under the 32 CFR Part 170 flow-down rules, a subcontractor handling CUI under a Level 3 prime generally needs at least Level 2 (C3PAO) — unless the subcontract itself specifically requires Level 3.

Flow-down is where a lot of unnecessary panic (and unnecessary spending) starts. Your required level is driven by what information is flowed down to you and what your subcontract actually says — not by what tier your prime holds. The CMMC rule spells out the minimums directly (Federal Register 89 FR 83092, Table 2; 32 CFR § 170.23):

Prime contractor requirement | If the sub handles FCI | If the sub handles CUI
--- | --- | ---
Level 1 (Self) | Level 1 (Self) | N/A
Level 2 (Self) | Level 1 (Self) | Level 2 (Self)
Level 2 (C3PAO) | Level 1 (Self) | Level 2 (C3PAO)
Level 3 (DIBCAC) | Level 1 (Self) | Level 2 (C3PAO)

That last row is the one people get wrong: a subcontractor handling CUI under a Level 3 prime needs Level 2 (C3PAO) at minimum — not Level 3 — unless the prime specifically flows Level 3 down to you. Before you spend anything, get four things from your prime in writing:

  1. The required CMMC level for your subcontract.
  2. Whether you'll handle FCI, CUI, or neither.
  3. The assessment type (self vs. C3PAO vs. Level 3) and the timeline.
  4. What they expect for your CMMC status / SPRS posting.

That single email prevents the most expensive mistake we see subcontractors make: assuming they need what the prime needs.


DIBCAC assessment checklist: how to prepare before DoD calls

Answer capsule: Preparing for a DIBCAC assessment is the same groundwork as preparing for a C3PAO assessment: define your CUI/assessment scope, build an SSP that accurately reflects all 110 NIST SP 800-171 controls, close the high-value 5-point gaps first (MFA, FIPS-validated crypto), keep a realistic POA&M, and organize evidence so you can demonstrate controls in real time.

Because you often can't control when a DIBCAC assessment comes, the entire game is being ready before it does. Prepare around scope first, controls second — that order saves money and avoids assessing systems you could have carved out.

Evidence you'll need | Why it matters | Common mistake
--- | --- | ---
SSP (name, version, date) | Assessments and SPRS entries are anchored to the SSP | Treating it as a static document that doesn't match reality
CAGE code(s) | Tie your systems to the right contracting entities | Missing subsidiaries or covered CAGEs
Architecture / data-flow diagrams | Show where CUI is processed, stored, and transmitted | Diagrams that don't match how the network actually works
Asset inventory + categories | Required for correct CMMC scoping | Misclassifying Security Protection Assets or specialized assets
POA&M | Shows unresolved gaps and closure dates | Assuming everything can be placed on a POA&M
Control evidence | Demonstrates implementation, not just policy | Producing written policy with nothing to prove it's operating
Personnel who can speak to controls | DIBCAC may interview your staff | Sending people who can't answer operational questions
Cloud inheritance evidence (CRM/SRM) | Needed when you rely on a CSP/ESP for controls | Assuming FedRAMP / GCC High / GovCloud solves everything by itself

What trips people up most: an SSP that describes an environment the company doesn't actually run; the two most-missed high-value controls, MFA (3.5.3) and FIPS-validated cryptography (3.13.11); and scoping errors that pull far more into the assessment than necessary. Fix those three and you've eliminated the majority of preventable point losses.

A simple sequence works: scope → SSP → close the 5-pointers → organize evidence → maintain the POA&M → run a dry run. Our readiness checklist walks each step against the 14 control families.

Not sure whether you need readiness help, a GRC platform, a CUI enclave, or a C3PAO?

That's exactly what our tool resolves. Use Find My CMMC Path — tell us your level, scope, and timeline, and we'll match you with source-checked provider options. Do not submit CUI, drawings, or sensitive contract details.


What can a CMMC provider actually do for a DIBCAC assessment — and what can't they?

Answer capsule: Commercial providers can help you scope, implement controls, build evidence, operate security capabilities, prepare for a Level 2 (C3PAO) assessment, and get organized for a DIBCAC review. They cannot grant Level 3, replace DIBCAC, guarantee a certification outcome, or blur readiness work with assessment independence.

There's no single "CMMC provider" — there are categories, and the one you need depends on the gap you're closing. This is the map:

Provider category | Useful when you need… | What it cannot do
--- | --- | ---
RPO / RP (Registered Provider Organization / Registered Practitioner) | Readiness, scoping, SSP, POA&M, and rule interpretation | Grant or guarantee a CMMC status
MSP / MSSP / vCISO (Managed / Managed Security Service Provider) | Operational controls, monitoring, incident response, endpoint and security tooling, GCC High implementation | Replace an assessor's authority
GRC platform (governance, risk & compliance software) | Evidence management, control mapping, POA&M tracking, continuous compliance | Make weak evidence pass — software alone doesn't satisfy CMMC
CUI enclave / secure collaboration | Reduce scope and isolate CUI (the biggest cost lever) | Eliminate all of your responsibility
C3PAO | The formal Level 2 (C3PAO) certification assessment | Perform a DIBCAC assessment or a Level 3 assessment
Federal-contracts attorney | Clause interpretation and legal-risk advice | Serve as your technical implementer

A note on how we route: on a page like this we match you to a category, not a named vendor, and any paid relationship is disclosed where a named provider is recommended. When a provider claims certifications, assessment success rates, or partner status, treat those as the provider's own statements to verify independently — not as facts we've confirmed for you.

The DIBCAC assessment red flags worth watching for

Keep this short list handy when you're evaluating help:

  • A provider says it can "certify" you at Level 3. (Only DIBCAC assesses Level 3.)
  • You're not Final Level 2 yet, but you're being sold a Level 3 assessment package.
  • A page or vendor says CMMC Level 2 uses NIST SP 800-171 Rev. 3. (For CMMC, Level 2 maps to Rev. 2 unless and until DoD amends the rule.)
  • The same firm wants to both remediate you and serve as your C3PAO assessor inside the rule's conflict window.
  • You don't know which CAGE codes or SSPs are tied to the assessment.
  • Your SPRS score is stale or unsupported by evidence.
  • Someone tells you a subcontractor "needs Level 3" just because the prime does.
  • Any vendor form asks you to upload CUI to get a quote. (Don't.)

What we actually verified for this guide

We built this page from primary sources and checked the time-sensitive facts on . Here's the receipt.

What the source says (with citation) | What we verified, and when
--- | ---
DIBCAC is the DoD's only authorized assessor of C3PAOs and the sole entity for CMMC Level 3 — and sits inside DCMA, not DCSA (dcma.mil/DIBCAC) | Verified on the official DCMA DIBCAC page
§ 170.20 reciprocity applies to a pre-rule DIBCAC High (perfect 110, no open POA&M, Level 2-aligned scope), including eligible Joint Surveillance assessments → Final Level 2 (C3PAO) (32 CFR § 170.20) | Verified against the eCFR text of 32 CFR Part 170
DFARS 252.204-7019 eliminated; 252.204-7020 → 252.240-7997; FAR 52.204-21 → 52.240-93 (RFO class deviations, eff. Feb 1, 2026); DIBCAC Medium/High unchanged | Verified against the DoD class-deviation postings; noted the CFR and DCMA still show the old number
CMMC Level 2 = NIST SP 800-171 Rev. 2 (110 controls); Level 3 = 24 requirements from NIST SP 800-172 (32 CFR § 170.4, § 170.14) | Verified against 32 CFR Part 170
Score is subtractive, range −203 to +110; no valid score without an SSP; MFA/FIPS crypto deduct 3 or 5 points (DoD Assessment Methodology; § 170.24) | Verified against the DoD Assessment Methodology and § 170.24
For Medium/High, DoD selects the contractor and sets the date; scheduling is typically 3–6 months out but can be expedited; DIBCAC had assessed 357 entities as of publication (Federal Register 89 FR 83092) | Verified against the CMMC rule's Federal Register text
DoD per-entity cost estimates: Level 2 (C3PAO) ~$104,670–$117,768 over the cycle; Level 3 assessment/affirmation ~$12,802–$44,444 over three years on top of Level 2 (Federal Register 89 FR 83092) | Verified against the CMMC rule's regulatory analysis

Why this page exists: to resolve a genuinely confusing term so a defense contractor can make the next expensive CMMC decision with less confusion, less risk, and a clearer path to the right provider category — before hiring anyone. The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance.


Frequently asked questions

Is a DIBCAC assessment mandatory?

You can't opt out if DoD selects you for a Medium or High NIST SP 800-171 assessment, and a CMMC Level 3 (DIBCAC) assessment is mandatory for contracts that require it. But you don't self-initiate Medium or High assessments — DoD selects the contractor and sets the schedule. (32 CFR § 170.18; DFARS 252.240-7997.)

Is a DIBCAC assessment the same as CMMC certification?

No. A DIBCAC NIST SP 800-171 assessment produces a scored SPRS entry; CMMC Level 2 certification is issued through an authorized C3PAO. A DIBCAC High conducted before the CMMC rule's effective date, with a perfect 110 and no open POA&M, can convert to Final Level 2 (C3PAO) under 32 CFR § 170.20 — but that reciprocity is for pre-rule assessments, not a general shortcut.

Is DIBCAC under DCMA or DCSA?

DCMA — the Defense Contract Management Agency. The DCSA (Defense Counterintelligence and Security Agency) handles the separate FOCI review that C3PAOs must pass. Different agency, different check. (dcma.mil/DIBCAC.)

Can my DIBCAC assessment score be negative?

Yes. Under the DoD Assessment Methodology the score starts at 110 and subtracts weighted values (1, 3, or 5 points) for unmet requirements, with a range from +110 down to −203. First assessments are often negative.

What score do I need for CMMC Level 2?

At least 88 (80% of 110) for Conditional status with a compliant POA&M, or the full 110 for Final status. Higher-weight controls generally must be met, not deferred. (32 CFR § 170.21, § 170.24.)
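The subtractive scoring and the Level 2 thresholds in the two answers above, carried through as an added example (this is not code from the page, from DoD, or from DIBCAC). It assumes a small constructed weight table and simplifies the POA&M rule to "only 1-point requirements may be deferred".

```python
# Subtractive NIST SP 800-171 scoring as the page summarizes it (DoD Assessment
# Methodology).  Added example, not the page's own code.  Only the 5-point values
# for 3.5.3 and 3.13.11 come from the page; the other SAMPLE_WEIGHTS entries are a
# CONSTRUCTED subset (real per-requirement values: Annex A of the DoD methodology).

MAX_SCORE = 110
MIN_SCORE = -203            # floor when every requirement is unmet
CONDITIONAL_MIN = 88        # 80% of 110, the page's Conditional Level 2 threshold
SSP_REQUIREMENT = "3.12.4"  # no SSP -> no valid score at all
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}  # partially implemented: deduct 3, not 5
SAMPLE_WEIGHTS = {"3.1.1": 5, "3.1.3": 1, "3.1.5": 3,   # CONSTRUCTED subset
                  "3.5.3": 5, "3.13.11": 5, "3.14.1": 1}


def sprs_score(weights, status):
    """Return (score, deductions); score is None when the SSP is missing.
    status maps requirement -> 'met' | 'not_met' | 'partial'; unassessed = not met."""
    if status.get(SSP_REQUIREMENT, "not_met") != "met":
        return None, {}
    deductions = {}
    for req, weight in weights.items():
        state = status.get(req, "not_met")
        if state == "met":
            continue
        if state == "partial" and req in PARTIAL_CREDIT:
            deductions[req] = PARTIAL_CREDIT[req]
        elif state == "not_met":
            deductions[req] = weight
        else:
            raise ValueError(f"invalid status {state!r} for {req}")
    return MAX_SCORE - sum(deductions.values()), deductions


def level2_status(score, deductions, weights):
    """Simplified reading of the page's Level 2 rules: 110 -> Final; >= 88 with only
    1-point items deferred to a POA&M -> Conditional (32 CFR 170.21 has exceptions)."""
    if score is None:
        return "no valid score (no SSP)"
    if score == MAX_SCORE:
        return "Final"
    if score >= CONDITIONAL_MIN and all(weights[r] == 1 for r in deductions):
        return "Conditional (POA&M required)"
    return "not eligible"


def assess(weights, overrides):
    """Score a profile where everything (SSP included) is met except the overrides."""
    status = {SSP_REQUIREMENT: "met", **{r: "met" for r in weights}, **overrides}
    score, deductions = sprs_score(weights, status)
    return score, level2_status(score, deductions, weights)
```

A partially implemented 5-pointer such as MFA lowers the score by only 3 but still blocks Conditional status under this simplification, which is the page's "must be met, not deferred" point in code.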

Does a C3PAO certification protect me from a DIBCAC assessment?

No. DoD reserves the right to run a DIBCAC assessment after you're certified, and its results take precedence over your existing CMMC status. (32 CFR § 170.16, § 170.17.)

How much does a DIBCAC assessment cost?

The government charges no fee for the assessment itself; your cost is readiness, remediation, engineering, evidence, and any help you hire. For comparison, DoD's per-entity estimate for a Level 2 (C3PAO) assessment is roughly $104,670–$117,768 over the three-year cycle. (Federal Register 89 FR 83092.)

Did the February 2026 FAR overhaul change how DIBCAC assesses me?

No. It eliminated DFARS 252.204-7019 and renumbered 252.204-7020 to 252.240-7997, removing the standalone "Basic" self-assessment — but DIBCAC's Medium and High assessments still run under NIST SP 800-171A and still post to SPRS. During the transition, follow the clause set in your actual solicitation.

What standard does DIBCAC assess against?

NIST SP 800-171 Rev. 2 (110 controls across 14 families, 320 objectives) for Medium and High assessments; 24 selected NIST SP 800-172 requirements for CMMC Level 3. For CMMC, it's Rev. 2, not Rev. 3. (32 CFR § 170.4, § 170.14.)

Does every subcontractor under a Level 3 prime need DIBCAC?

No. A subcontractor handling CUI under a Level 3 prime generally needs at least Level 2 (C3PAO) unless Level 3 is specifically flowed down. Get your required level in writing from your prime. (32 CFR § 170.23.)


Where the CMMC timeline stands right now

The CMMC Program rule (32 CFR Part 170) took effect December 16, 2024, and the acquisition rule that puts CMMC requirements into contracts began appearing on November 10, 2025, opening Phase 1 (self-assessment requirements phasing in). Phase 1 runs through November 9, 2026; Phase 2 begins November 10, 2026, when Level 2 (C3PAO) certification requirements start appearing in solicitations. Phase 3 begins November 10, 2027, adding Level 3 certification requirements — though DoD may include Level 3 in some earlier procurements at its discretion — and Phase 4 (full implementation) begins November 10, 2028. Phases and rules change; we date every regulatory fact for that reason, and re-verify this page on a regular cadence. See our full CMMC Phase 2 deadline guide for the full implementation timeline.


Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options.


Reminder: do not submit CUI, drawings, or sensitive contract details through any form on this site. This page is educational research, not legal, contractual, or compliance advice — confirm your obligations with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.