The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
July 2026 update: The Department of War suspended CMMC Phase II on July 13, 2026. DCMA DIBCAC government-led assessments are explicitly preserved. Your NIST SP 800-171 obligation under DFARS 252.204-7012 was not suspended. If DIBCAC has contacted you, prepare now.

DIBCAC High Assessment Preparation: How to Prepare for a DIBCAC Assessment

By The Defense Compliance Report Editorial Team · an independent trade publication on CMMC 2.0 and DIB compliance

· Regulatory and implementation status last verified

DIBCAC High assessment preparationcomes down to one discipline: making sure your live environment, your evidence, and the people who run your controls all tell the same story your System Security Plan tells. A DIBCAC High Assessment is a government assessment — conducted by Government personnel from the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) using NIST SP 800-171A — that verifies how completely you’ve implemented the 110 security requirements in NIST SP 800-171 Revision 2 and produces a “High confidence” score in the Supplier Performance Risk System (SPRS) on a scale from −203 to 110. It is not the same event as a CMMC Level 3 assessment, even though DIBCAC has a hand in more than one kind of assessment. To prepare for a DIBCAC assessment, you confirm the governing contract clause, lock your assessment scope, reconcile your paperwork to reality, build evidence at the objective level, and rehearse interviews and demonstrations before the government starts testing.

And here’s the part most contractors have backwards in the summer of 2026: the CMMC pause did not make this assessment go away. It may have just made it the main event. We’ll get to exactly why below — but if a letter from DIBCAC just landed on your desk, that’s the first thing you need to understand.

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of War/Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.This page is educational research, not legal, contractual, assessment, or compliance advice. The contract clause and your CUI handling set your obligations — not a checklist. Confirm scope and applicability with a CMMC Registered Practitioner (RP) / Registered Provider Organization (RPO) or a qualified federal-contracts attorney.


The bottom line, before you scroll

A DIBCAC High Assessment is the highest-confidence government check of your NIST SP 800-171 implementation. If DIBCAC has contacted you, first confirm whether the notice identifies a Medium NIST SP 800-171 DoD Assessment, a High NIST SP 800-171 DoD Assessment, or a CMMC Level 3assessment — because each one has a different baseline and a different preparation plan. This guide covers preparation for a High NIST SP 800-171 DoD Assessment conducted by government personnel, commonly called a DIBCAC High Assessment. It is not a CMMC Level 3 preparation guide.

In July 2026 the Department of War suspended CMMC Phase II, but it explicitly kept “select government-led assessments,” so DCMA DIBCAC’s authority to assess your NIST SP 800-171 implementation is intact. Your job is to close the gap between what your documentation claims and what your environment can actually demonstrate.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.


Which DIBCAC assessment are you actually preparing for?

Before you collect a single screenshot, identify the exact assessment. People use “DIBCAC assessment” to mean several different things, and only some of them are happening right now. Preparing against the wrong one — say, studying NIST SP 800-172 for a Level 3 assessment when you’re actually facing a NIST SP 800-171 High Assessment — burns the most valuable days you have.

We read the governing clauses and DCMA’s own materials, which treat “High and Medium NIST SP 800-171 Assessments” as a separate track from “CMMC Assessments.” Here is the disambiguation, with each one’s status as of July 2026 and what you should verify:

DIBCAC assessment types disambiguated — July 2026
What people call itWhat it actually isGovernment-stated status (July 2026)What you should verify
DIBCAC High AssessmentGovernment verification of your NIST SP 800-171 Rev. 2 implementation using NIST SP 800-171A → “High confidence” SPRS scoreActive. Preserved among the “select government-led assessments” during the CMMC pauseThe clause and scope in your notice; modality (on-site/remote/hybrid) via coordination
DIBCAC Medium AssessmentGovernment review of your prior assessment, a thorough document review, and discussions → “Medium confidence” scoreActiveWhether your notice says Medium or High — they differ in depth
Joint Surveillance Voluntary Assessment (JSVA)A DIBCAC High conducted with Joint Surveillance (DIBCAC + a C3PAO), historically used as an early path to CMMC Level 2Historical/transitional. Expressly recognized in 32 CFR 170.20 for qualifying pre-rule assessments; widely reported as no longer open for new enrollmentCurrent availability directly with DCMA — do not assume it’s a current sign-up path
CMMC Level 3 assessmentDIBCAC-conducted CMMC certification adding 24 selected NIST SP 800-172 requirements on top of Level 2New procurement designation suspended during the CMMC reviewWhether your requirement is actually Level 3 — if so, use a Level 3 guide

The plain-English takeaway: if DIBCAC has contacted you about assessing your NIST SP 800-171 implementation, you are facing a Medium or High Assessment— the first two rows. Confirm which one from the notice. The JSVA “early path to CMMC” is a historical route, and a new CMMC Level 3 designation can’t be added to procurements during the current pause.

DIBCAC High vs. DIBCAC Medium

Both are government assessments scored on the same −203-to-110 scale, but they go to different depths. Under the legacy clause, a Medium Assessment reviews your prior (Basic) assessment, does a thorough document review, and uses discussions to clarify — essentially, does the paperwork hold together. A High Assessment adds the part that catches people: verification, examination, and demonstration that your SSP is actually implemented in the live environment. Because that verification usually needs to be seen, a High Assessment commonly involves assessors on-site — but the clause frames access as being provided “as necessary,” so confirm whether yours will be on-site, remote, or a mix during government coordination. If the government changes the assessment type or asks for deeper verification, get the revised scope, authority, and schedule in writing.

DIBCAC High vs. CMMC Level 3 (they are not the same event)

This is the confusion we see most, so let’s kill it cleanly. A High NIST SP 800-171 Assessment measures the 110 requirements in NIST SP 800-171. CMMC Level 3 is a separate certification status that requires a Final Level 2 first and then adds 24 selected enhanced requirements from NIST SP 800-172. DIBCAC’s involvement alone does not make an assessment “Level 3,” and a High Assessment score is not a CMMC Level 3 certification.

High NIST SP 800-171 Assessment vs. CMMC Level 3
QuestionHigh NIST SP 800-171 DoD AssessmentCMMC Level 3
Primary baselineThe 110 requirements in NIST SP 800-171 Rev. 2Final Level 2 plus 24 selected NIST SP 800-172 requirements
Who assessesGovernment personnel; DCMA DIBCAC is the Department’s primary NIST SP 800-171 assessment capabilityDCMA DIBCAC
Primary resultA High-confidence score posted in SPRSCMMC Level 3 status
Same assessment?NoNo
Status in July 2026ActiveNew procurement designation suspended under the CMMC pause

Sources: DCMA DIBCAC resource hub; CMMC Final Rule, 32 CFR Part 170 (Federal Register); 32 CFR 170.20 (standards acceptance / Joint Surveillance); DFARS 252.204-7020 (Acquisition.gov).


Does the CMMC pause change your DIBCAC assessment? (Read this first.)

No — and understanding why is the single most useful thing on this page.On July 13, 2026, the Department of War suspended CMMC Phase II, the phase scheduled to begin November 10, 2026. During the suspension, program managers and requiring activities may designate only CMMC Level 1 (Self) or Level 2 (Self) in procurement requirements — they may not designate Level 2 (C3PAO) or Level 3 (DIBCAC). But the same announcement kept two enforcement mechanisms running during the review: NIST SP 800-171 self-assessments and “select government-led assessments.” DCMA DIBCAC is the Department’s primary NIST SP 800-171 assessment capability, and your obligation to implement NIST SP 800-171 under DFARS 252.204-7012 was never suspended.

We read the Department’s implementing guidance. The takeaway: the third-party certification gate was lifted for now, but the government assessors were not removed. With the C3PAO requirement paused, a government-led DIBCAC assessment is now the Department’s most direct way to verify who’s actually compliant. Legal analysts of the pause have characterized DIBCAC assessments as generally more rigorous than C3PAO assessments — that’s their comparative judgment, not a standard DoD published, but it’s worth hearing. Either way, if you were hoping the pause bought you time on a DIBCAC notice, it didn’t.

What changed and what didn’t, as of July 2026:

Editorial read

Because self-attestation now carries more of the verification load, the practical importance of a supportable, accurate SPRS record goes up. The suspension announcement doesn’t amend the False Claims Act — but it does put a brighter spotlight on whether your posted score can survive a government look.

What we verified: We read the Department of War’s suspension release and the implementing memo on July 16, 2026, and confirmed the “select government-led assessments” language and the designation rules. This is a live review with a report due within 60 days; public comments are scheduled to close August 14, 2026. Re-verify the current status before you rely on it.

Which clause governs your assessment — 252.204-7020 or 252.240-7997?

Read the actual clause in your contract or notice, because a class deviation added a new one in February 2026. Under the “Revolutionary FAR Overhaul” class deviation (DARS Tracking Number 2026-O0025, effective February 1, 2026), DoD introduced a new DFARS Part 240 and clause 252.240-7997, NIST SP 800-171 DoD Assessment Requirements, for acquisitions governed by the deviation. This matters because your compliance mapping, your SSP references, and your team’s muscle memory all still say “7020.”

Here’s the nuance that trips people up, and that we confirmed at the source: a class deviation authorizes a deviation for covered acquisitions — it does not erase the codified rule. The codified DFARS 252.204-7020 (and 252.204-7019) still exist on Acquisition.gov and still apply where they’re incorporated in an existing or otherwise applicable contract. So don’t infer your controlling clause from a calendar date. Read the actual solicitation or contract and see which clause is incorporated.

Contract clause identification guide
What your contract/notice citesWhat it meansWhat to do
DFARS 252.204-7020The codified assessment clause (still published; applies where incorporated)Use it as written; the Medium/High definitions, rebuttal rights, and SPRS posting apply
DFARS 252.240-7997The Part 240 clause used for acquisitions governed by the February 2026 class deviationUse its current text; its Medium/High framework is related to the legacy clause, but cite the exact wording in your document
Neither, or informal “DIBCAC audit” wordingThe formal authority isn’t statedAsk your contracting or assessment contact to identify the clause, scope, and assessment type in writing before you prepare
“CMMC Level 3”A different assessment pathStop using this page as your sole guide and switch to a Level 3 preparation guide

Don’t infer the assessment type from casual language. Contractors call this a “DIBCAC audit”; the clauses and DCMA call it an assessment. The clause incorporated in your contract — and the scope in your notice — is what controls.

Sources: Class Deviation 2026-O0025 deviation memo (acq.osd.mil); DFARS 252.204-7012 (Acquisition.gov).


What does a DIBCAC High Assessment actually verify?

A High Assessment is built to reach high confidence, which means it goes past the paperwork. Assessors review your prior assessment and documentation, then verify, examine, and demonstrate that your SSP is implemented as written, using discussions to clarify what they’re seeing. In practice, they’re checking whether the security program you describe is the security program you run.

Assessors work from NIST SP 800-171A, the companion publication that defines how each requirement gets assessed using three methods: examine (review documents, configurations, and records), interview (talk to the people who own and operate the control), and test(watch the mechanism or process actually work). NIST SP 800-171A gives assessors discretion to choose the methods, depth, and coverage they need — so there is no universal “here’s the exact list of documents DIBCAC requires.” What there is: a requirement that every claim be demonstrable.

NIST SP 800-171A assessment methods
MethodThe question behind itWhat you prepare
Examine“What documentary or technical evidence supports this?”An index tying each objective to the authoritative artifact, the system, the date, and the owner
Interview“Can the person responsible explain the process and their role?”A role-based witness roster with evidence links — not a memorized script
Test / demonstrate“Does the mechanism or process actually operate as described?”Safe runbooks that show normal operation using authorized accounts and non-sensitive test data

Where the paperwork-vs-reality gap opens

This is the difference between a clean assessment and a painful one. Assessors and practitioners consistently point to scoping and non-defensible boundaries as a leading driver of the gap between a contractor’s self-score and its assessed score — when the boundary doesn’t hold, the SSP, system inventory, data-flow map, and evidence start to disagree. The table below maps high-leverage areas: what NIST SP 800-171 requires, what a High assessor wants to see, and where points get lost.

High-leverage areas where points are lost in DIBCAC assessments
Area (example requirements)What NIST SP 800-171 Rev. 2 requiresWhat a High assessor wants to seeWhere points are lost
Scope & boundaryA current SSP (3.12.4) describing each in-scope systemA defensible system boundary and a data-flow diagram that matches the live environmentA boundary the SSP, inventory, and evidence can’t agree on
FIPS-validated cryptography (3.13.11)Employ FIPS-validated cryptography when used to protect the confidentiality of CUIEvidence the specific CMVP-validated module is operated in its approved configurationEncryption that’s “FIPS-capable” but not validated, or not run in the approved mode
Multifactor authentication (3.5.3)MFA for local and network access to privileged accounts, and network access to non-privileged accountsA live demonstration across all applicable access paths — including admin consolesCoverage that stops at cloud logins and misses privileged admin paths
Flaw remediation (3.14.1)Identify, report, and correct flawsThe full loop in tickets: discovery → owner → deadline → fix → verificationA patching policy with no evidence the process runs and closes
Audit review (3.3.3–3.3.5)Define, review, and correlate audit eventsProof someone actually reviews logs and acts on themLogging enabled, but no demonstrable review or response

The pattern:the most damaging failures aren’t a missing tool. They’re an SSP that describes a program the assessor can’t observe in the live environment.

Sources: NIST SP 800-171A (assessment procedures); requirement wording per NIST SP 800-171 Rev. 2 (NIST CSRC).


What should a DIBCAC High assessment preparation checklist include in the first 48 hours?

The first 48 hours are for taking control of the effort, not for collecting hundreds of random screenshots. Confirm the authority and dates, put one accountable person in charge, preserve your existing records exactly as they are, surface your open scope questions, and stand up a controlled evidence tracker. Everything else builds on these five moves.
  1. Confirm the notice — in writing. Record the official assessment name, the government organization and contact, the clause and version (7020 or 7997), the applicable NIST version, the SSPs requested, the CAGE (Commercial and Government Entity) codes, the sites and systems in play, the proposed modality (on-site, remote, or hybrid), and the proposed dates.
  2. Appoint one assessment lead. Name an executive sponsor and a single assessment manager who owns government coordination. Behind them, assign owners for contracts, technical evidence, an evidence librarian, external-service providers, and a counsel escalation contact. Ambiguity about who owns what is how contradictory answers happen.
  3. Preserve the record. Say this out loud to your team: do not delete unfavorable records, backdate policies, manufacture historical evidence, or present a correction you made after the notice as proof the control operated before it. Open a change log that separates evidence that already existed, evidence you newly located, clarifications, and corrective actions completed after notice. That log is your integrity firewall.
  4. Download the current official material. Pull DCMA DIBCAC’s current pre-assessment package from the official resource page and work from that version — not a copy someone saved two years ago.
  5. Stand up a no-CUI planning channel. Create your prep workspace so nobody casually pastes CUI, drawings, contract numbers, IP addresses, diagrams, logs, or credentials into a shared doc or a tool. Your planning artifacts should be about structure and status, not sensitive content.

The fastest low-risk first step is our CMMC Readiness Checklist, mapped to the 14 NIST SP 800-171 control families — use it to see where your evidence is thin before you build anything else. Do not enter CUI, drawings, credentials, logs, screenshots, IP addresses, contract numbers, or sensitive contract details — structure and dates only.

Start with the CMMC Readiness Checklist

The right help depends on your situation — here’s how to think about it

The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Because a general answer can’t resolve those for you, use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes — and do not submit CUI, drawings, or sensitive contract details.

One thing to be clear about up front: a readiness provider helps you prepare. It does not replace the government, and it does not conduct your DIBCAC High Assessment.


How do you confirm the assessment scope before building evidence?

Start from the covered contractor information systems that actually handle the covered defense information, and the specific SSP the government expects to assess — not from an assumption. Do not assume the scope equals your entire corporate network, a single CAGE code, or a CMMC enclave you already carved out for another purpose. Resolve scope before you spend a week gathering evidence for the wrong boundary.

Work through it in order. First, identify the contractual source of the safeguarding requirement (the contract carrying DFARS 252.204-7012) and the covered defense information you actually handle. Second, map the systems that process, store, or transmit that information — plus the systems that provide security functions for them, and the external services in the path. Third, reconcile that against your SSP’s stated boundary; NIST SP 800-171A treats the SSP as the starting description of your boundary and environment, but if the architecture has changed, the SSP is a starting point, not the last word.

Then build a scope-questions register and get the ambiguous ones confirmed. The table below is a template — fill it from your notice and resolve unknowns before you build a single evidence folder:

Scope questions register template
Scope questionYour positionEvidenceStatus: confirmed / assumed / unresolved
Which SSP(s) are in scope?Fill from noticeFill from noticeConfirm with government
Which CAGE codes are associated?Fill from noticeFill from noticeConfirm with government
Are corporate shared services included?Fill from noticeFill from noticeConfirm with government
Which cloud/managed services are material?Fill from noticeFill from noticeConfirm with government
Which physical sites may be accessed?Fill from noticeFill from noticeConfirm with government
Is the assessment remote, on-site, or mixed?Fill from noticeFill from noticeConfirm with government

A crisp, defensible boundary is the highest-return hour you’ll spend preparing. Resolve it before you think about providers.


How do you reconcile your SSP, prior score, SPRS record, and CMMC status?

Build a line-by-line reconciliation of your authoritative SSP, your prior assessment result, your posted SPRS score, your CAGE codes, and any CMMC status — and document any discrepancy before the assessors find it. A prior score your current environment and evidence can’t support isn’t a cushion; it’s exposure. The move is to surface the gap and escalate it internally, not to hope no one looks.

For every requirement you’ve previously called “satisfied,” ask: who made that call, which SSP version did they use, what evidence backed it, has the system changed since, and is it still true? Where the answer is shaky, document it and route it to your executive sponsor and — where a prior representation to the government may be affected — counsel.

Why this matters: a $507,144 reminder

We pulled the primary source on this one. On June 18, 2026, the Department of Justice announced that LOGZONE Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144to resolve False Claims Act allegations tied to two Navy contracts. According to the DOJ, when the Defense Contract Management Agency assessed LOGZONE’s implementation of NIST SP 800-171, the company received a score of −170— at the low end of the −203-to-110 range — and DOJ alleged LOGZONE billed the Navy from May 2021 to March 2025 while non-compliant. DCMA’s DIBCAC assisted the investigation. The claims were resolved as allegations, with no determination of liability.

Our narrow inference from the public allegations: a government assessment can expose a material gap between represented and assessed implementation — and, notably, the DOJ release describes no data breach. You don’t have to get hacked for a bad score to become a problem. See our False Claims Act CMMC risk guide for the full context. Reconcile your number to your reality before an assessment does it for you.

Not sure whether you're facing the assessment type you think you are — or which kind of help you'd need to get ready? Find My CMMC Path maps your level, scope, environment, and timeline to the right provider category. It routes to a category, not a company. Do not submit CUI or sensitive contract details.

Map My Assessment Path

Sources: DOJ press release, LOGZONE settlement (June 18, 2026).


How do you prepare the evidence, the people, and the demonstrations?

Build evidence at the assessment-objective level, not the requirement level — and make sure a real person can stand behind each one. Putting one policy next to each of the 110 requirements is not preparation. Each applicable objective in NIST SP 800-171A should point to an authoritative artifact, the system it lives on, the owner who can explain it, the evidence date, and the interview or demonstration that could confirm it operates.

Use the version your contract requires — not the newest one

Do not migrate your assessment workbook from NIST SP 800-171 Revision 2 to Revision 3 just because Revision 3 exists. For CMMC Level 2 and current DoD assessments, the controlling baseline is Revision 2. DFARS 252.204-7012 ties the applicable version to the one in effect when the solicitation was issued, or another version the contracting officer authorizes. Follow the contract and the notice.

The DIBCAC High evidence-to-action matrix

This is our preparation framework — an original operating model, not an official DIBCAC checklist and not a prediction of your result. It translates the clause and the NIST assessment methods into workstreams, each with the artifact to have ready, the person or live proof behind it, the red flag that signals trouble, and the gate that tells you the workstream is done.

DIBCAC High evidence-to-action matrix
WorkstreamHave ready (artifact)Person / live proofRed flag“Ready” gate
Authority & noticeOne-page sheet: contract, clause + version, notice, government contact, stated assessment typeContracts lead can retrieve and explain the exact authorityTeam just says "the CMMC audit"Exact assessment name, clause, version, and contact confirmed
Assessment identityHigh / Medium / Level 3 disambiguation memoAssessment manager can explain assessor, baseline, and outputPreparing against 800-172 just because DIBCAC is involvedAll materials use one correct assessment label
Scope & systemsBoundary diagram, CUI data-flow map, system inventory, CAGE list, site listSystem owner can trace representative data through the environmentA CMMC enclave scope reused without checking the assessment scopeEvery material system, service, site, and CAGE is included, excluded, or escalated
Status reconciliationTable comparing prior score, SPRS entry, CMMC status, SSP version, assessment dateSponsor + lead can explain any discrepancyAn unsupported score or unexplained status conflictRecord and evidence agree, or the gap is documented and escalated
Objective evidence indexObjective-by-objective index: artifact, system, owner, date, possible demonstrationOwner retrieves evidence without diggingOne generic policy reused as proof for many objectivesEvery applicable objective has current, identifiable support
Operational recordsTickets, logs, reviews, scans, training records, test resultsControl owner can explain the record's system, date, and processScreenshots with no system, date, owner, or contextEvidence is traceable, reproducible, and period-appropriate
Live demonstrationsDemo runbook, test accounts, approved sample data, rollback stepsOperator performs the normal process in the normal environmentTemporary settings that exist only for the demoThe process repeats safely without changing the assessed reality
Interviews & witnessesRole-to-objective roster, availability calendar, backupsStaff give truthful, role-limited, consistent answersMemorized scripts, or people guessing outside their roleEach material process has a knowledgeable primary and backup
External providers (CSP/MSP/MSSP)Contracts, responsibility matrices, authorization evidence, diagramsInternal owner and provider can each explain who does whatA provider marketing page treated as proofInherited and retained responsibilities are documented and supported
Findings & rebuttalFinding log, evidence chain, response owner, 14-business-day calendarTeam can tell existing evidence apart from a new corrective actionRebuttal planning starts after the window is half goneOwners and decision-makers scheduled before assessment close

Prepare people, not scripts

Your witnesses should answer truthfully, within their actual role, and connect answers to the systems and records they use. Build one-page role cards (role, processes owned, systems used, evidence relied on, escalation point, backup witness) and teach four behaviors: answer the question actually asked; speak only to what you know and do; say when you need to verify or retrieve something; and correct an inaccurate statement promptly. An honest operational exception with a documented process is more credible than rehearsed certainty the evidence disproves.

Rehearse demonstrations without staging the environment

Demonstrations should show ordinary controls working, using safe test data, authorized accounts, and documented rollback steps. The goal is to make normal operation observable and repeatable — not to flip on a control only while the assessor is watching. And rehearse the demo that fails: stop, preserve the observed result, diagnose whether it’s access, test setup, or a real gap, provide accurate existing evidence, and record any correction separately.

Before the more expensive provider decision, walk your controls against the CMMC Readiness Checklist so you know exactly which objectives have evidence and which don't. It's the cleanest way to turn 'we think we're ready' into a defensible list. No CUI, credentials, or contract details.

Open the 110-requirement readiness checklist

Which requirements deserve a second pressure-test before DIBCAC arrives?

Put extra preparation on cryptography and multifactor authentication first — a DIBCAC official has named them as the two requirements contractors struggle with most. In a public presentation on October 26, 2022, DIBCAC published its ten most frequently “Other Than Satisfied” (i.e., failed) NIST SP 800-171 requirements. And in a May 2026 interview, a DIBCAC official, Nick DelRosso, said the two requirements he sees contractors struggle with most are MFA and FIPS encryption. When the assessing body flags the same two areas four years apart, believe it.
Historical data, used as a pressure-test — not a prediction. The percentages below are from a public-release DCMA DIBCAC presentation dated October 26, 2022 (copy hosted by PreVeil). They identify high-value areas to double-check; they do not forecast a 2026 finding rate or your result. We include them because a DIBCAC official reaffirmed the top two in 2026.
DIBCAC most frequently Other Than Satisfied requirements (Oct 2022)
RequirementShare with an “Other Than Satisfied” finding (Oct 2022)Your pressure-test
3.13.11 — FIPS-validated cryptography50%Inventory every cryptographic path protecting CUI; tie the actual product, module, version, and configuration to the CMVP certificate you’re relying on
3.5.3 — Multifactor authentication38%Map every applicable local, network, privileged, and non-privileged access path; test for the admin-console and legacy-system gaps
3.14.1 — Identify, report, and correct flaws22%Show the remediation loop in tickets — not just a patching policy
3.11.1 — Periodically assess risk18%Produce a current risk assessment with methodology, decisions, and evidence it drove action
3.11.2 — Vulnerability scanning18%Reconcile coverage, credentialed scanning, cadence, exclusions, and remediation
3.3.3 — Review and update logged events16%Show the defined event set and proof it’s actually maintained
3.3.4 — Alert on audit logging failure15%Demonstrate detection, who’s alerted, and what happens next
3.3.5 — Correlate audit review, analysis, reporting15%Produce recurring outputs proving logs turn into action
3.6.3 — Test incident response capability15%Show the exercise, participants, after-action findings, and closure
3.4.1 — Establish/maintain baseline configurations15%Connect the baseline to deployment, change control, and drift detection (see also: CMMC continuous monitoring)

The two gotchas worth extra care

Sources: DCMA DIBCAC public presentation, Oct 26, 2022 (hosted copy); Federal News Network interview with DIBCAC’s Nick DelRosso, May 2026.


What actually happens during a DIBCAC High Assessment?

The exact schedule, modality, sampling, and duration come from your notice and the government’s coordination — so don’t plan around a rumored “one week on-site” formula. A useful planning model is: initial coordination, an opening conference, document and evidence review, interviews and demonstrations, daily issue resolution, closeout, and then the rebuttal window. What varies is depth; what’s constant is that assessors trace your SSP claims to observable reality.

Expect the opening conference to lock down authority, assessment type, scope, standard and version, the SSPs, sites and systems, the schedule, the communications and evidence-transfer process, and how issues get resolved. Through the assessment, keep a neutral issue tracker and run short opening and closing check-ins each day: what’s on the schedule, which interviews and demos are up, what’s still open, and any statement that needs correcting. Resist two temptations — turning every question into a legal dispute, and burying the assessor in irrelevant files. Provide the artifact that answers the objective, with enough context to understand it.

When someone asks “how deep do they go?”, the honest answer is: deep enough to reach the confidence the assessment requires. That can involve documents, people, mechanisms, and activities. There is no universal checklist — which is exactly why an evidence index tied to objectives beats a shoebox of screenshots.


How is a DIBCAC High Assessment scored?

You start at 110 and subtract each unmet requirement’s weight — 5, 3, or 1 point — with the range running from 110 down to −203. The weight reflects how much a missing control exposes the system, so a handful of high-weight misses can push you negative fast. Partial credit is limited to two specific requirements. And because the score depends on your SSP, the absence of an up-to-date SSP means the assessment can’t be completed.

A few specifics worth getting right, because they change how you sequence remediation:

For the full calculation, the SPRS submission mechanics, and the requirements you can’t cover with a plan of action, see our companion guide, How your SPRS score is calculated. We won’t repeat all of it here.

Sources: NIST SP 800-171 DoD Assessment Methodology, v1.2.1 (acq.osd.mil); the identical weighting scheme is codified for CMMC at 32 CFR 170.24.


What exactly gets posted to SPRS, and who can see it?

Your assessment produces a summary-level record in SPRS — not your line-by-line findings — and access is limited. The summary record includes the standard assessed, the organization that conducted the assessment, the associated CAGE codes, a brief architecture description, the assessment date and level (Basic, Medium, or High), the summary score, and the date by which all requirements are expected to be implemented. Knowing what’s captured helps you check it after posting.

On visibility: assessment summary scores posted in SPRS are available to DoD personnel, and authorized representatives of your company can view their own summary scores. The DoD side — including contracting officers evaluating you — can see your posted score, while your detailed findings aren’t broadcast. After a score posts, assign an owner to confirm the entity, CAGE codes, date, level, standard, score, and expected-implementation date are all correct.

Sources: DFARS 252.204-7020, paragraphs (d)–(f) (Acquisition.gov).


What if you score below 110 — POA&Ms and the 14-business-day rebuttal window

A sub-110 score isn’t a universal automatic disqualification, but you have a hard, short window to respond before it posts. Under the assessment clause, DoD provides your Medium or High summary score and offers the chance to rebut and adjudicate beforeit’s posted to SPRS — and you have 14 business daysafter the assessment to provide additional information showing you meet requirements the team didn’t observe, or to rebut findings you believe are wrong. This is a real deadline, and it’s the most under-prepared moment in the entire process.

We read this straight from the clause. The rebuttal right isn’t a courtesy you request; it’s built in — and it runs on a clock. So the mistake to avoid is starting your rebuttal after most of the window is gone. Stand up the response team before closeout.

Planning framework for the 14 business days (our framework, not a government-mandated sub-schedule):

14-business-day rebuttal window planning framework
WindowWhat you do
Closeout / Day 0Confirm preliminary findings, open items, the recipient/route, and how the deadline is counted
Days 1–3Triage every finding by requirement, objective, system, evidence, and materiality
Days 4–7Retrieve existing evidence, interview owners, draft factual responses
Days 8–10Contracts, technical, leadership, and counsel review
Days 11–12Resolve inconsistencies; finalize the supporting package
Days 13–14Submit through the directed route; retain confirmation

Keep three things distinct. Rebuttal shows why a finding or score should change based on facts, scope, method, or qualifying evidence. Remediation corrects a real deficiency. New implementationmay improve your current state but does not, by itself, prove the requirement was satisfied earlier. And whether a sub-110 score affects a specific award depends on the solicitation, the incorporated clauses, any required CMMC status, and any score condition — so confirm the contractual consequence rather than assuming it.

Sources: DFARS 252.204-7020(e), 14-business-day rebuttal (eCFR).


Can a C3PAO assessment replace a DIBCAC High Assessment? Does a High score grant CMMC status?

Don’t assume either. They come from different authorities, and any substitution or scope change should be confirmed in writing by the responsible government official. A C3PAO conducts CMMC third-party assessments; a High NIST SP 800-171 Assessment is conducted by government personnel. A readiness consultant, a C3PAO, and DIBCAC are not interchangeable roles — and during the current pause, new procurement designation of the C3PAO (Level 2) and DIBCAC (Level 3) certification requirements is suspended while the government-led DIBCAC assessment pathway continues.

People conflate a DIBCAC High score with CMMC status because both can involve DIBCAC and both aim for high-confidence verification. But a High Assessment measures NIST SP 800-171; CMMC Level 2 is a status, and Level 3 adds NIST SP 800-172 requirements on top of a Final Level 2. There is one narrow, easily-overstated exception worth stating precisely. Under 32 CFR 170.20, a DCMA DIBCAC High Assessment can be given the CMMC Status of Final Level 2 (C3PAO) only if it:

That status is valid for three yearsfrom the date of the original High Assessment, and DCMA DIBCAC identifies qualifying assessments (including ones conducted with Joint Surveillance). That’s the exception — it does not convert every High Assessment into a CMMC certification, and a High score does not generally equal Level 2 or Level 3.

If you’re actually preparing for Level 3, use our CMMC Level 3 requirements guide instead. If you’re trying to determine whether a C3PAO assessment is what your contract requires, resolve that before you spend money.

Sources: 32 CFR 170.20 (Acquisition.gov / eCFR).


Should you hire outside help — and which provider category fits?

Match the help to the gap that could derail your assessment: contract interpretation, scoping, implementation, managed operations, evidence control, or environment redesign. No private provider replaces the government’s High Assessment. And a subtle but important rule: for a CMMC Level 2 certification assessment, a C3PAO’s ecosystem members are prohibited from participating in the assessment of an organization they served as a consultant to prepare for any CMMC assessment within the prior three years (32 CFR 170.8(b)(17)(ii)(G)). That conflict rule governs CMMC Level 2 certification assessments — it does not govern the Government’s separate DIBCAC High Assessment — but it’s why you keep readiness and formal assessment in appropriate lanes.

Here’s how to think about the categories:

Provider category matching guide for DIBCAC High Assessment preparation
Your problemLikely categoryWhat it should deliverCan it conduct the Government High Assessment?
Assessment path or scope unclearRPO/RP or counselClause/scope analysis, readiness planNo
Controls not operatingMSP/MSSP/readiness implementerTechnical and operational remediationNo
Evidence fragmentedGRC platform + a readiness ownerCollection, ownership, traceabilityNo
Environment too broadCUI enclave specialistSegmentation design and buildNo
A separate CMMC Level 2 certification is requiredC3PAOA formal CMMC assessment (with the 3-year conflict rule)No — that’s a CMMC assessment, not the DIBCAC High
The government requested a High AssessmentDCMA / governmentThe official High AssessmentYes — this is the government’s role

Tell us your broad level, scope, environment, and timing, and we'll identify the source-checked provider categories that fit the work — so you can request scoped quotes from the right kind of partner instead of the first vendor that promises a certificate. Find My CMMC Path routes to a category, not a named provider. Do not submit CUI or sensitive contract details.

Compare provider categories for your situation →
Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

Sources: 32 CFR 170.8 (conflict of interest / code of professional conduct).


What we actually verified for this guide

We built this page from primary and authoritative sources, and used vendor articles only to understand the competing content and the questions contractors ask — not as authority for government requirements.

Verified against primary sources on :the DFARS 252.204-7020 High Assessment definition, the SPRS posting fields and access rules, and the 14-business-day rebuttal right (Acquisition.gov / eCFR); the February 1, 2026 class deviation that introduced DFARS Part 240 and clause 252.240-7997 (deviation memo), and the fact that codified 7019/7020 still exist; the July 13, 2026 CMMC Phase II suspension, its designation rules, and its preservation of “select government-led assessments” (DoW release + implementing memo); the scoring methodology, including the MFA/FIPS partial-credit rule, the five-point requirement spread, and the no-SSP consequence (32 CFR 170.24); the pre-rule DIBCAC-High-to-Final-Level-2 conditions and the Joint Surveillance recognition (32 CFR 170.20); the three-year Level 2 consultant conflict rule (32 CFR 170.8); the LOGZONE settlement (DOJ press release); and DIBCAC’s historical “Other Than Satisfied” data plus a DIBCAC official’s May 2026 remarks.

What to re-verify before you rely on it:the current status of the CMMC review (a live process); the exact current text of DFARS 252.240-7997 in your specific solicitation; the contents of DCMA’s current pre-assessment package; and your own contract’s clause number, applicable NIST version, and scope. Those are the things that move.

This is educational research, not legal, contractual, or compliance advice. The contract clause and your CUI handling set your obligations. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.


Frequently asked questions about DIBCAC High assessment preparation

What is a DIBCAC High Assessment?
It’s a government High NIST SP 800-171 DoD Assessment — conducted by Government personnel using NIST SP 800-171A — that reaches a “High confidence” score by reviewing your prior assessment and documentation and verifying and demonstrating that your System Security Plan is actually implemented. It’s scored on a −203-to-110 scale and posted to SPRS.
Is a DIBCAC High Assessment the same as CMMC Level 3?
No. CMMC Level 3 is a separate certification with a Final Level 2 prerequisite that adds 24 selected NIST SP 800-172 requirements. DIBCAC’s involvement alone doesn’t make an assessment “Level 3,” and a High score is not a Level 3 certification.
Does the CMMC pause mean DIBCAC stopped assessing contractors?
No. The July 13, 2026 suspension bars program managers from designating new Level 2 (C3PAO) or Level 3 (DIBCAC) certification requirements, but the Department explicitly kept “select government-led assessments,” and DCMA DIBCAC remains its primary NIST SP 800-171 assessment capability. Your NIST SP 800-171 obligation under DFARS 252.204-7012 was not suspended.
Which DFARS clause covers DIBCAC assessments — 7020 or 7997?
Read your contract. The codified DFARS 252.204-7020 still exists and applies where incorporated; acquisitions governed by the February 2026 class deviation use the Part 240 clause 252.240-7997. The clause incorporated in your document controls — don’t infer it from the issue date.
Contractors call it a “DIBCAC audit” — is that the right term?
Informally, yes, but the clauses and DCMA use the word assessment. Don’t infer the formal assessment type from casual language; get the clause, scope, and type in writing.
What does the public record say about why my company was selected?
The published assessment clauses don’t provide a universal contractor-selection formula. In practice, assessments have been reported to arise from DoD/DIBCAC sampling, contract requirements, and strategic or higher-risk suppliers — but rather than guessing from your score or profile, ask your DIBCAC or contracting contact to identify the assessment authority, scope, and any notice-specific basis.
What documents does DIBCAC require?
There’s no universal required-document list. Assessors work from NIST SP 800-171A and select the evidence they need per objective, so prepare evidence at the objective level rather than assuming a fixed checklist.
How deep does DIBCAC go?
Deep enough to reach the confidence the assessment requires — which can mean documents, interviews, technical mechanisms, activities, and live demonstrations. Depth varies by objective and by what your evidence supports.
Will DIBCAC assess my whole company?
Not automatically. Scope comes from your contract, the covered systems and information, the SSPs, CAGE codes, sites, and the government’s direction — not from your entire corporate network by default.
Is the assessment remote or on-site?
A High Assessment verifies implementation, which commonly means assessors on-site, but the clause frames access as being provided “as necessary.” Confirm the modality during government coordination rather than assuming a fixed rule.
How long does a DIBCAC High Assessment take?
There’s no defensible universal duration. It depends on scope, environment, evidence quality, number of locations, and the government’s schedule. Treat any single “it takes one week” claim with caution.
What if our SPRS score is wrong?
Reconcile it now, preserve the record, document the discrepancy, and get contract or legal guidance where a prior representation may be affected. A stale or optimistic score is a liability, not a cushion. See our self-reported vs. DIBCAC assessed score guide for how the gap plays out.
How long do we have to rebut findings?
Under the assessment clause, you have 14 business days after the assessment to provide additional information or rebut findings, and DoD offers rebuttal and adjudication before the score posts to SPRS. Stand up your response team before closeout.
Can POA&M items stay open?
The assessment record may include an expected implementation date, but an open POA&M is not the same as satisfying a requirement — the requirement is still scored NOT MET. Whether an open item affects a specific award is contract-specific; confirm rather than assume.
Can a C3PAO assessment replace a DIBCAC High Assessment?
Don’t assume it can. They arise from different authorities; get written government confirmation before treating one as a substitute for the other.
Does a perfect score from DIBCAC grant CMMC Level 2?
Only under a narrow transition provision. A DCMA DIBCAC High Assessment conducted before December 16, 2024, with a perfect score, no open POA&M, and a scope identical to the Level 2 scope, can convert to Final Level 2 status (valid three years, with an SPRS affirmation) — but that’s the exception, not the rule.
How much does DIBCAC preparation cost?
There’s no reliable universal price. The government conducts the DIBCAC assessment as a government function; your contractor-side cost is preparation, remediation, evidence work, external providers, and business disruption — driven by your scope, evidence quality, and how much time you have.

Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we’ll match you with source-checked CMMC provider options.

Tell us your level, scope, and timeline, and we'll identify the provider categories that fit your situation — so you can request scoped quotes from the right kind of partner. Routing only. Do not submit CUI, drawings, credentials, logs, screenshots, IP addresses, contract numbers, or sensitive contract details.

Find My CMMC Path →
Disclosure:The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification. This is educational research, not legal, contractual, or compliance advice — confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney.

Primary sources referenced on this page