Risk & Compliance Exchange 2026: DIBCAC’s Nick DelRosso on Evolving Role of CMMC Assessments

Federal News Network, May 20, 2026

Why It Matters

CMMC compliance will become a gatekeeper for DoD contracts, making DIBCAC’s assessment capacity critical to maintaining supply‑chain security and contractor eligibility.

Key Takeaways

  • CMMC Level 3 adds 110 controls from Level 2 plus NIST 800‑172
  • Contractors struggle most with multifactor authentication and FIPS encryption
  • DIBCAC is preparing to assess hundreds of C3PAOs for future demand
  • Consistent assessments across regions aim to standardize contractor experience
  • DIBCAC plans workforce training for upcoming NIST 800‑171 revision three

Pulse Analysis

The Pentagon’s shift to the Cybersecurity Maturity Model Certification (CMMC) marks a watershed moment for defense contractors. While NIST 800‑171 has guided CUI protection for a decade, CMMC introduces tiered maturity levels that scale to the sensitivity of the data handled. DIBCAC, housed within the Defense Contract Management Agency, now serves as the central hub for both evaluating third‑party assessment organizations (C3PAOs) and directly certifying contractors at the highest level, Level 3. This expansion is designed to manage the thousands of suppliers that touch classified information, ensuring a uniform security baseline across the industrial base.

Contractors are already feeling the pressure of the new requirements. DelRosso highlights multifactor authentication and Federal Information Processing Standards (FIPS) encryption as the most common stumbling blocks. Implementing MFA often requires re‑architecting legacy systems, while FIPS compliance can force a wholesale swap of cryptographic modules or extensive configuration testing. Some firms are proactively pursuing Level 3 readiness ahead of the November 2026 contract deadline, betting that early adoption will avoid last‑minute scrambles and give them a competitive edge in winning high‑value DoD work.

Internally, DIBCAC is bolstering its own capabilities to keep pace. The agency has rolled out targeted training for assessors, refined workflow efficiencies, and scheduled pilot assessments to iron out process kinks before demand spikes. Anticipating future updates, DIBCAC is also preparing for the third revision of NIST 800‑171, ensuring its workforce can quickly adapt to new standards. By emphasizing consistent assessment practices across geographic teams, DIBCAC aims to deliver predictable outcomes for contractors, reinforcing confidence in the defense supply chain’s cyber resilience.
