DIBCAC (Defense Industrial Base Cybersecurity Assessment Center)

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

Last reviewed · By Chad Griffith

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Department of Defense government assessment organization responsible for cybersecurity assessments of defense contractors. DIBCAC operates under the Defense Counterintelligence and Security Agency (DCSA) and conducts CMMC Level 3 government assessments and DoD-led DFARS 252.204-7012 verification reviews. DIBCAC also performs Joint Surveillance Voluntary Assessments — a mechanism by which contractors can demonstrate compliance to DoD before formal CMMC certification is required for their contracts.

Frequently Asked Questions

What does DIBCAC assess?

DIBCAC conducts: (1) CMMC Level 3 Expert assessments for contractors handling the highest-priority CUI; (2) DFARS 252.204-7012 compliance reviews on selected contracts; (3) Joint Surveillance Voluntary Assessments for contractors who want to demonstrate their NIST 800-171 implementation before CMMC applies to them; (4) High Assessments for contractors that handle significant CUI but are not yet subject to CMMC requirements.

How does DIBCAC differ from C3PAOs?

DIBCAC is a DoD government organization conducting assessments under government authority. C3PAOs are commercial third-party assessor organizations authorized by Cyber AB to conduct Level 2 assessments. DIBCAC handles Level 3 (the highest tier) and DoD-initiated DFARS reviews. C3PAOs handle Level 2 (the larger contractor population). C3PAO assessment reports are private; DIBCAC findings are accessible to the DoD.

Who pays for DIBCAC assessments?

DIBCAC assessments are conducted at no cost to the contractor — they are funded as a DoD government function. C3PAO assessments, by contrast, are paid for by the contractor under a commercial arrangement (typically $50K-$250K). The DIBCAC funding model is one reason the DoD selected DIBCAC for Level 3 (low contractor population) and C3PAOs for Level 2 (high population, scaled commercially).

What is a Joint Surveillance Voluntary Assessment?

A JSVA is a DIBCAC-conducted assessment that contractors can request voluntarily. It demonstrates the contractor's NIST 800-171 implementation to the DoD without waiting for CMMC certification to be required. Contractors who pass a JSVA receive favorable consideration on contract awards before CMMC requirements roll out. JSVAs were used as a phased rollout mechanism during the CMMC 2.0 transition period.
