Risk & Compliance Exchange 2026: DIBCAC’s Nick DelRosso on evolving role of CMMC assessments

https://federalnewsnetwork.com/it-modernization/2026/05/risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments/

Publish Date: 2026-05-20 15:35:00

Source Domain: federalnewsnetwork.com


The Defense Industrial Base Cybersecurity Assessment Center is a key cog in the Pentagon’s efforts to protect sensitive information from leaking to foreign adversaries.
DIBCAC, as it’s known, has been evaluating whether select companies meet cybersecurity requirements that have been written into defense contracts for about a decade. The National Institute of Standards and Technology Special Publication 800-171, which covers the protection of controlled unclassified information (CUI), forms the basis of those requirements.
But the Pentagon is now ramping up a new evaluation regime under the Cybersecurity Maturity Model Certification program. The CMMC requirements started rolling into contracts last fall. Under the program, CMMC third-party assessment organizations (C3PAOs) evaluate whether contractors are meeting the NIST 800-171 requirements.

The Defense Department is moving to that model to meet the scale of evaluating potentially tens of thousands of contractors that hold sensitive CUI.
Changing focus at DIBCAC
For DIBCAC, the CMMC program marks a shift. The center, within the Defense Contract Management Agency, is charged with evaluating the hundreds of C3PAOs that will go on to assess defense contractor cybersecurity, and with directly assessing contractors against the highest CMMC requirements, those for Level 3 of the program.
“We’ve seen some of those assessment requests start to come in, and we anticipate that demand is going to probably quickly escalate over the next year,” DIBCAC Director Nick DelRosso said during Federal News Network’s Risk & Compliance Exchange 2026.
CMMC Level 3 is designed for DoD contractors handling highly sensitive CUI that could impact national security if it’s pilfered from their networks. The requirements include the 110 controls from CMMC Level 2, plus more advanced and rigorous requirements based on NIST SP 800-172 to protect against advanced persistent threats.
Many are now focused on the CMMC Level 2 requirements that will start becoming standard in applicable contracts this November.
But given the effort involved to comply with the Level 3 requirements, some contractors are getting ahead of the formal start in November 2027. Level 3 requirements will apply to a small subset of contractors compared to Level 2, but that isn’t stopping companies from ensuring they’re ready.
“There are quite a few companies that suspect that they’re going to need the Level 3, and they want to be prepared,” DelRosso said. “It’s always better to be prepared and make sure you’re fully implemented, rather than trying to get into a crunch where you need to get assessed quickly to support a contract.”

DIBCAC itself has been “gearing up” too, he added.
“We have the capability to execute,” DelRosso said. “From a management standpoint, you hope the uptick is kind of gradual at first, so you could work out any process kinks. But we have performed training for our workforce. We’ve looked to increase the efficiency and kind of lean out some of those processes. And we do have a few scheduled in the near term, which is great because it’s an opportunity to test the workflows and the processes in place before the demand spike hits.”
Common cyber challenges for contractors
Given that DIBCAC has been performing NIST 800-171 assessments for more than six years, the center has plenty of lessons learned to draw on as the CMMC program ramps up.
DelRosso said the two requirements he sees contractors struggle with the most are multifactor authentication and Federal Information Processing Standards encryption.
“Particularly, I think FIPS is a challenging one because it relies on your vendor stack from your IT,” he said. “If you’re using products that don’t support it, it’s hard to get compliant quickly because you have to switch out that tech stack. Other times, the products may support it, but you need to enable the FIPS mode, which requires additional testing because anytime you change a configuration that may lead to some breakages in the system. So, it’s something you want to take your time implementing and make sure you test all the requirements.”
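The testing DelRosso describes is easiest when it starts before the configuration change. The following is an added example, not code from the article, DIBCAC or any vendor: a small pre-flight check that reads the Linux kernel FIPS flag (the path is a parameter so it can be exercised offline), classifies the algorithms an application's configuration names against a constructed, simplified allow-list, and probes whether the interpreter's OpenSSL backend will still construct a given digest once a FIPS provider is active. The allow-list, the sample algorithm inventory and the `needs_review` bucket are assumptions for illustration; the authoritative list is the CMVP certificate of the validated module actually deployed.

```python
"""Pre-flight check before enabling FIPS mode on a Linux host.

Added example (not the article's, DIBCAC's or any vendor's code). It
surfaces the "breakages" an assessor expects when FIPS mode is switched
on: applications that depend on non-approved primitives fail at runtime
once the crypto library refuses to construct them.
"""
from __future__ import annotations

import hashlib

# Constructed, simplified allow-list for this example. The real answer
# depends on the validated module's CMVP certificate and security policy.
FIPS_APPROVED = {
    "sha256", "sha384", "sha512", "sha3_256",
    "aes-128-gcm", "aes-256-gcm", "aes-256-cbc",
    "hmac-sha256", "ecdsa-p256", "rsa-2048", "rsa-3072",
}
# Primitives a FIPS provider will refuse outright (constructed list).
NOT_APPROVED = {"md5", "rc4", "des", "blowfish", "chacha20-poly1305"}
# Anything else (e.g. sha1, 3des) lands in needs_review: approval depends on
# the use case and on transition deadlines, so a human has to look at it.

DEFAULT_FLAG_PATH = "/proc/sys/crypto/fips_enabled"


def parse_fips_flag(text: str) -> bool:
    """The kernel flag holds '1' when FIPS mode is on, '0' otherwise."""
    return text.strip() == "1"


def fips_mode_enabled(flag_path: str = DEFAULT_FLAG_PATH) -> bool | None:
    """True/False from the kernel flag; None when the flag file is absent
    (non-Linux host, container without /proc, or kernel without the option)."""
    try:
        with open(flag_path, encoding="ascii") as fh:
            return parse_fips_flag(fh.read())
    except OSError:
        return None


def classify_algorithms(algorithms: list[str]) -> dict[str, list[str]]:
    """Bucket the algorithms an application names in its configuration."""
    report: dict[str, list[str]] = {"approved": [], "not_approved": [], "needs_review": []}
    for alg in algorithms:
        key = alg.strip().lower()
        if key in FIPS_APPROVED:
            report["approved"].append(key)
        elif key in NOT_APPROVED:
            report["not_approved"].append(key)
        else:
            report["needs_review"].append(key)
    return report


def hashlib_supports(name: str) -> bool:
    """Probe the interpreter's OpenSSL backend. Under a FIPS provider,
    hashlib.new('md5') raises ValueError ('unsupported hash type'), which
    is exactly the runtime breakage to catch in a test environment first."""
    try:
        hashlib.new(name, b"probe")
        return True
    except ValueError:
        return False


def preflight(algorithms: list[str], flag_path: str = DEFAULT_FLAG_PATH) -> dict:
    """Combine the checks: ready only when nothing outright unapproved remains."""
    report = classify_algorithms(algorithms)
    return {
        "fips_mode": fips_mode_enabled(flag_path),
        "ready": not report["not_approved"],
        **report,
    }


if __name__ == "__main__":
    # Constructed inventory, as might be pulled from an app's TLS/config files.
    sample_inventory = ["SHA256", "md5", "AES-256-GCM", "sha1", "rsa-2048"]
    result = preflight(sample_inventory)
    print(f"kernel FIPS mode: {result['fips_mode']}")
    for bucket in ("approved", "not_approved", "needs_review"):
        print(f"{bucket:>13}: {', '.join(result[bucket]) or '-'}")
    print("ready to enable FIPS mode:", result["ready"])
    print("md5 constructible by hashlib right now:", hashlib_supports("md5"))
```

Run it before and after enabling FIPS mode on a test system: the `not_approved` bucket predicts what will fail, and `hashlib_supports("md5")` flipping from True to False confirms the provider is actually enforcing, which is the evidence an assessor will ask to see.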
Keeping pace with technology, maintaining consistency
Meanwhile, DelRosso pointed to the need for DIBCAC to pivot quickly should the Defense Department update contractual cybersecurity standards. Currently, the requirements are tied to revision two of the NIST 800-171 requirements. But NIST has already released a third revision of those standards.
“We want to make sure that we’re looking at the training required for our folks as part of a potential transition to that at some point in the future, just so we can be prepared that if the department decides to transition, that we’re prepped and ready to go retrain the workforce and adjust our processes to accommodate that new revision,” he said.
Beyond DoD requirements, DIBCAC teams also need to stay abreast of changes in technology use across the industrial base.
“There are different vendor stacks that are being used, different cloud providers that are being used, and our folks have to have a knowledge, general knowledge, of what’s out there — what the differences are,” DelRosso said. “No assessor is going to be able to know all technology. But there’s also a process that, if you don’t know a technology, how do you get to the answer? And so you kind of drill down through and you identify what the requirements are, what the objectives are, and then you start mapping — how does this technology meet those requirements — through discussion or demonstrations with the contractors.”

A key focus for DIBCAC is consistency, he said.
“Contractors know what to expect, and that they should be expecting the same type of assessment, whether it’s a team from the east coast or a team from the west coast, they should be performing very similarly,” DelRosso said. “You’re always going to have some nuances based on individuals in terms of how they ask questions, but that’s really more on the communication side. The process needs to flow consistently.”