{"id":217457,"date":"2026-05-20T15:35:00","date_gmt":"2026-05-20T19:35:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/20\/risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments\/"},"modified":"2026-05-20T15:40:08","modified_gmt":"2026-05-20T19:40:08","slug":"risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/20\/risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments\/","title":{"rendered":"Risk &#038; Compliance Exchange 2026: DIBCAC\u2019s Nick DelRosso on evolving role of CMMC assessments"},"content":{"rendered":"<p><a href=\"https:\/\/federalnewsnetwork.com\/it-modernization\/2026\/05\/risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments\/\">Risk &#038; Compliance Exchange 2026: DIBCAC\u2019s Nick DelRosso on evolving role of CMMC assessments<\/a><\/p>\n<p><a href=\"https:\/\/federalnewsnetwork.com\/it-modernization\/2026\/05\/risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments\/\">https:\/\/federalnewsnetwork.com\/it-modernization\/2026\/05\/risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-05-20 15:35:00<\/a><\/p>\n<p>Source Domain: <a href=\"federalnewsnetwork.com\">federalnewsnetwork.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p>
<\/p>\n<p>The Defense Industrial Base Cybersecurity Assessment Center is a key cog in the Pentagon\u2019s efforts to protect sensitive information from leaking to foreign adversaries.<br \/>\nDIBCAC, as it\u2019s known, has been evaluating whether select companies meet cybersecurity requirements that have been in defense contracts going back a decade. The National Institute of Standards and Technology Special Publication 800-171 for protecting controlled unclassified information (CUI) forms the basis of those requirements.<br \/>\nBut the Pentagon is now ramping up a new evaluation regime under the Cybersecurity Maturity Model Certification program. The CMMC requirements started rolling into contracts last fall. Under the program, CMMC third-party assessment organizations (C3PAOs) evaluate whether contractors are meeting the NIST 800-171 requirements.<\/p>\n<p>The Defense Department is moving to that model to meet the scale of evaluating potentially tens of thousands of contractors that hold sensitive CUI.<br \/>\nChanging focus at DIBCAC<br \/>\nFor DIBCAC, the CMMC program marks a shift. The center, within the Defense Contract Management Agency, is charged with both evaluating hundreds of C3PAOs that will go on to assess defense contractor cybersecurity and assessing the highest CMMC requirements \u2014 for Level 3 of the program.<br \/>\n\u201cWe\u2019ve seen some of those assessment requests start to come in, and we anticipate that demand is going to probably quickly escalate over the next year,\u201d DIBCAC Director Nick DelRosso said during Federal News Network\u2019s Risk &#038; Compliance Exchange 2026.<br \/>\nCMMC Level 3 is designed for DoD contractors handling highly sensitive CUI that could impact national security if it\u2019s pilfered from their networks. 
The requirements include the 110 controls from CMMC Level 2, plus more advanced and rigorous requirements based on NIST SP 800-172\u00a0to protect against advanced persistent threats.<br \/>\nMany are now focused on the CMMC Level 2 requirements that will start becoming standard in applicable contracts this November.<br \/>\nBut given the effort involved to comply with the Level 3 requirements, some contractors are getting ahead of the formal start in November 2027. Level 3 requirements will apply to a small subset of contractors compared to Level 2, but that isn\u2019t stopping companies from ensuring they\u2019re ready.<br \/>\n\u201cThere are quite a few companies that suspect that they\u2019re going to need the Level 3, and they want to be prepared,\u201d DelRosso said. \u201cIt\u2019s always better to be prepared and make sure you\u2019re fully implemented, rather than trying to get into a crunch where you need to get assessed quickly to support a contract.\u201d<\/p>\n<p>DIBCAC itself has been \u201cgearing up\u201d too, he added.<br \/>\n\u201cWe have the capability to execute,\u201d DelRosso said. \u201cFrom a management standpoint, you hope the uptick is kind of gradual at first, so you could work out any process kinks. But we have performed training for our workforce. We\u2019ve looked to increase the efficiency and kind of lean out some of those processes. 
And we do have a few scheduled in the near term, which is great because it\u2019s an opportunity to test the workflows and the processes in place before the demand spike hits.\u201d<br \/>\nCommon cyber challenges for contractors<br \/>\nGiven that the DIBCAC has been performing the NIST 800-171 assessments for more than six years, the center has plenty of lessons learned as the CMMC program ramps up.<br \/>\nDelRosso said the two requirements he sees contractors struggle with the most are multifactor authentication and Federal Information Processing Standards encryption.<br \/>\n\u201cParticularly, I think FIPS is a challenging one because it relies on your vendor stack from your IT,\u201d he said. \u201cIf you\u2019re using products that don\u2019t support it, it\u2019s hard to get compliant quickly because you have to switch out that tech stack. Other times, the products may support it, but you need to enable the FIPS mode, which requires additional testing because anytime you change a configuration that may lead to some breakages in the system. So, it\u2019s something you want to take your time implementing and make sure you test all the requirements.\u201d<br \/>\nKeeping pace with technology, maintaining consistency<br \/>\nMeanwhile, DelRosso pointed to the need for DIBCAC to pivot quickly should the Defense Department update contractual cybersecurity standards. Currently, the requirements are tied to revision two of the NIST 800-171 requirements. 
But NIST has already released a third revision of those standards.<br \/>\n\u201cWe want to make sure that we\u2019re looking at the training required for our folks as part of a potential transition to that at some point in the future, just so we can be prepared that if the department decides to transition, that we\u2019re prepped and ready to go retrain the workforce and adjust our processes to accommodate that new revision,\u201d he said.<br \/>\nBeyond DoD requirements, DIBCAC teams also need to stay abreast of changes in technology use across the industrial base.<br \/>\n\u201cThere are different vendor stacks that are being used, different cloud providers that are being used, and our folks have to have a knowledge, general knowledge, of what\u2019s out there \u2014 what the differences are,\u201d DelRosso said. \u201cNo assessor is going to be able to know all technology. But there\u2019s also a process that, if you don\u2019t know a technology, how do you get to the answer? And so you kind of drill down through and you identify what the requirements are, what the objectives are, and then you start mapping \u2014 how does this technology meet those requirements \u2014 through discussion or demonstrations with the contractors.\u201d<\/p>\n<p>A key focus for DIBCAC is consistency, he said.<br \/>\n\u201cContractors know what to expect, and that they should be expecting the same type of assessment, whether it\u2019s a team from the east coast or a team from the west coast, they should be performing very similarly,\u201d DelRosso said. \u201cYou\u2019re always going to have some nuances based on individuals in terms of how they ask questions, but that\u2019s really more on the communication side. The process needs to flow consistently.\u201d<br \/>\n                    Copyright<br \/>\n                            \u00a9\u00a02026 Federal News Network. 
All rights reserved. This website is not intended for users located within the European Economic Area.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Risk &#038; Compliance Exchange 2026: DIBCAC\u2019s Nick DelRosso on evolving role of CMMC assessments https:\/\/federalnewsnetwork.com\/it-modernization\/2026\/05\/risk-compliance-exchange-2026-dibcacs-nick-delrosso-on-evolving-role-of-cmmc-assessments\/&#8230;<\/p>\n","protected":false},"author":1,"featured_media":217458,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/federalnewsnetwork.com\/wp-content\/uploads\/2026\/05\/2.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24],"class_list":["post-217457","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217457"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=217457"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217457\/revisions"}],"predecessor-version":[{"id":217459,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/217457\/revisions\/217459"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/217458"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=217457"}],"wp:term":[{"taxonomy":"categor
y","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=217457"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=217457"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}