DIBCAC Assessment Requirements

While everyone has been focused on the start of CMMC phase 1, many contractors are discovering that DFARS clause 252.204-7020 has been lurking in their contracts since 2020. DoD reserves the right to show up at any time and audit compliance with DFARS clause 252.204-7012. This week we’re diving into everything that DIBCAC will be asking for when they show up on your doorstep.


Transcript


[Music]

All right, folks. It is November of 2025, and this is the first podcast of the new normal. CMMC is officially in effect and can be put into defense contracts. CMMC status is now officially and will forever be a condition of contract award. We are now well into phase one of the CMMC uh phased rollout.

And uh everybody’s probably asking now that it’s finally here, now that we’re finally in the roll out of CMMC, what comes next? That’s what we’re going to talk about today. That’s the question that I have because for the past four years, uh off camera and on camera, we’ve been thinking about like what’s going to happen and going out in public and saying, “Hey, we believe based on what we know, this is what’s going to happen.” And now it’s kind of time to put up or shut up, right?

Yeah. I mean, it’s it’s funny because uh right after spending all this time waiting for CMMC to happen, the government shut down. Now we’re waiting for it to reopen. So, of course, we have this sort of staggered start. Couldn’t have CMMC without some sort of weird staggered start thing every time you hit a milestone. But, uh but yeah, that’s coming to an end very quickly.

So, let’s—
The “market roll-out”

Let’s just get everybody caught up really quickly on uh what’s happened so far leading up to the phased roll out.

So, in December of 2024, the CMMC program officially went into effect as a result of many years of rulemaking. Uh, and that meant that companies could voluntarily go get CMMC level two assessments. They could go pay a certified third-party assessment organization, a C3PAO, for a CMMC level two assessment, and that would officially count, assuming that they passed all the requirements, as a valid CMMC level two status.

But DoD could not require it in the terms of a contract or a contract solicitation without going through some additional rulemaking to take that policy language and convert it into contract clause language. Interestingly, despite that issue, which was a major issue, the ecosystem over the course of 2025 has grown rapidly all things considered.

So from a certifications perspective, as of October of 2025, there are over 450 level two certifications. That includes people who have final status, where they have no open items, and people who have conditional status, which means they have open items on their POA&M. You can still win a contract. You can still have a level two status that’s perfectly valid even with open items as long as they comply with CMMC policy for the allowable open items.

That is up 280% since May of 2025. So we are uh going up and to the right on the graph very quickly here towards the end of 2025. If we were to just maintain that amount of growth and not have any acceleration whatsoever, you could expect around 700 level two certifications by the end of 2025 and easily about a thousand or more uh uh level two certifications in Q1, which is something we’re going to talk about when we talk about our predictions for phase one coming up here in a little bit.

I mean, these are impressive numbers based off of where we came from. We came from zero, right? Um, yes, still a minor snippet in what totally is going to happen as the program is fully rolled out, but this is reflective of the forward thinking of people.

Again, this was before the DoD could say, “You have to go get this, right?” So, this was either forward thinking as an organization trying to get competitive advantage or forward thinking of primes trying to get their supply chains in order, saying, “Hey, pay attention to this.” Right.

Yeah. Yeah. I mean, they had to start from zero because when the rule went into effect in December of 2024, you know, it had been published in November of 2024, went into effect 60 days later. Essentially, that restarted everything for C3PAO authorizations, Delta training for assessors, updating the CMMC assessment process guide, all this stuff that had to happen administratively for the ecosystem to be able to handle people who wanted voluntary assessments.

So essentially going from zero to October, you went from zero level two certifications to uh over 450. We should end the year somewhere around 700 or more. And that’s that’s without it being required. It hasn’t been required like it hasn’t been required in a single contract through 2025.

And uh you’re already at almost a thousand companies that have done it. Uh so yeah, that is huge growth on the assessment capacity side.

What’s led up to the beginning of phase one because everybody always goes there’s not enough assessors, there’s not enough assessment capacity. Uh we should end the year at the current rate of growth without any accelerations or anything like that with around 1,400 certified practitioners, around 700 certified assessors, around 400 lead assessors which is really the big constraint on the number of teams.

400 teams or 300 teams or even 200 assessment teams is a lot of teams in terms of initial capacity at the start of phase one. Right?

This is leading up to the beginning of the phase one on November 10th and somewhere around 100 C3PAOs. That’s at the end of 2025. Remember phase one just started in the middle of November of 2025.

So you’ve got these massive increases through 2025, especially the second half of 2025 for a number of voluntary certifications and assessment capacity in the ecosystem uh leading up. So this was all under the banner of what we called the market roll out because DoD couldn’t require it in contracts under the phased roll out but you could of your own volition go to the market and get your assessment.

So uh tremendous growth and expansion in surge capability for the ecosystem without anything having been required whatsoever.

So Jacob, do you know um how many teams do you think DIBCAC runs with? Like how many—

I don’t know actually. I’ve heard that they’re growing uh significantly, but I don’t actually know how big DIBCAC is these days. You think it’s around 400?

No. No. You get where I’m getting at here? Like the—yeah we used to and some of the arguments were DIBCAC should just do all of this right and now we’re talking about at the end of the year being at the capability of 400 teams possibly and still saying that we need to grow rapidly and grow more so it’s just—

Yeah you were never going to be able to hire enough full-time employees to work for DIBCAC to be able to conduct the number of assessments that the DoD wanted even in the reduced number of assessments under CMMC 2.0.

The only way to grow that ecosystem is to do it with the third party system that they established and it is working currently so far. Nobody who has needed assessment has been unable to get an assessment.

So until we see that happen then the constraint on assessors is not the number one constraint that we’re seeing so far.

Anyways, we’re in phase one.

Phase 1 and the CMMC model

As of November 10th of 2025, both the CMMC program is implemented and the CMMC contract clause language is effective and it is now a condition of contract award. So on November 10th, the barrier that prevented the DoD from requiring CMMC status in contracts was lifted.

And as the government begins to open back up, which I believe there was a vote yesterday or today it’s happening, the government is allegedly opening back up. New solicitations and contracts will be issued again and CMMC status will be a condition of taking award of those contracts.

Now, very briefly, a refresher on the model and the types of data that it corresponds to. So, if you don’t handle any controlled unclassified information—which is a longer conversation that we’ve covered a bunch and we’ll cover again in the future—but if you’re not handling any controlled unclassified information, if you’re just a federal contractor, CMMC level one status indicates that you have implemented and complied with the terms of FAR clause 52.204-21.

This is a set of cyber security requirements that applies to all federal contractors and has applied to all federal contractors unchanged since 2016. All CMMC level one status is saying is you are telling the government, yes, we super duper are complying with the terms of the contract. Right?

It’s not it’s not imposing new requirements or doing anything like that. It’s just a mechanism for giving the government assurance that you are doing the things in that FAR clause because without that mechanism you’re just accepting the terms and the government just doesn’t have any other indication that you’re actually doing those things. Right?

All right. So if you are handling controlled unclassified information then CMMC level two status indicates that you have implemented the requirements in NIST Special Publication 800-171 pursuant to DFARS clause 252.204-7012.

That contract clause is the one that obligates you to implement those cyber security requirements. CMMC level two status is verifying that you implemented the requirements imposed on you by that contract clause.

We just wrapped up a long series explaining the details of all of the DFARS cyber series of contract clauses. We’ll link those in the description below so you can check those out if you need a refresher or if that is news to you. CMMC is just making sure that you did those things. It’s not actually imposing those things on you. Those are coming from other contract clauses.

Now, phase one of this phased roll out, this first 12 months from November of 2025 to November of 2026 is supposed to only focus on level two self assessments. And a lot of people have concluded that it will only be level one and level two self assessments.

But we have been pleading with people for a long time now uh to remind them that DoD guidance says that level two certification, level two C3PAO third-party audit status is the minimum requirement if you will be handling any of the DoD categories of controlled unclassified information.

There is nothing that prevents the DoD or your prime from requiring level two certification during phase one. Right?

So, uh if you uh think, oh, there are there will not be any uh third-party certification, so we’re going to maybe take our foot off the gas, uh it depends on your specific situation. It’s not a guarantee.

So, just uh you know, do your research accordingly. Uh, and you know, the last little note here is that you won’t know—you won’t know what the requirement is until the solicitation hits the street.

And at that point, there are no waivers because waivers are for entire contracts, not for individual companies. And the waiver decision to remove CMMC requirements from the contract is a pre-solicitation process.

So, they can include level two third party audits in phase one. By the time you find out what the requirement is, it’s too late for them to change it. So plan accordingly.

Okay. Now, if you are handling CUI, CMMC level three status indicates that you have implemented selected requirements from NIST Special Publication 800-172 pursuant to 32 CFR 170 section 170.14.

So if you look up Google, ChatGPT, whatever you’re going to do, 32 CFR 170, that is the text of the CMMC program policy. Section 170.14 outlines the requirements that the DoD has said are CMMC level 3.

So they didn’t say do everything in SP 800-172. They said do a selected number of those requirements from SP 800-172. You can find those listed in 170.14.

Now, the phased roll out says that level 3 requirements shouldn’t show up until phase 2, which starts in November of 2026 and runs for another 12 months. And even then, at phase two, it will only be at department discretion, but Jason might have a prediction about uh CMMC level 3 requirements during the other phases and in phase one coming up here in a minute.

Like I said, phase 2 begins on November 10th of 2026. So that day is now hurtling towards us. Uh and there you go. So that’s how the model sort of lines up with the requirements and what DoD allegedly says should happen during this first phase.

I don’t know if you signed up for any other hobbies outside of sitting in your lair and reading regulations or working on your short game. Right. There are other hobbies.

Have you ever signed up for like a community 5K for like a good cause or something like that? Listen, just go with me. Okay.

Have I ever voluntar— I think voluntarily signed up for cardio? Never in my life.

So I feel as though phase one is the community 5K, right? And everybody showing up and then you realize that there are some people there that are ready to sprint the entire 5K.

And I think that the realization that people are going to have is that there are going to be more people from the DoD that are going to be sprinting to get to the finish line than the people from OSCs and OSAs and stuff like that because of evaluation of risk.

What I mean by that is I think that people are going to show up thinking a lackadaisical self assessment approach is going to be the way of phase one. And as we are already seeing in the very limited solicitations that we viewed, that’s not the case.

They’re ready to sprint. We’re trying to set the course record, right? Like I I I just don’t know if people are still prepared for what race.

Yeah. I think it’s somewhere between Community 5K and Alex Honnold in Free Solo where he’s climbing cliff faces without a rope and it’s like, “Oh, we showed up for like our climbing show going this week.”

Huh. Yeah. They’re like, “Oh, we showed up for our climbing lesson and our maturity model.” And they’re like, “Actually, you got to climb that and we are out of ropes. So, see you at the top. Here’s your pickaxe.”

Yeah. Exactly. Right.

Jacob’s predictions

That’s you know how we got to the market roll out, the general idea of the model and how it you know corresponds to the requirements and the general idea of what DoD has said will happen in phase one.

What do we think is going to happen in phase one? I’ve got a couple ideas. You’ve got a couple ideas. Sure.

My first prediction here is that there won’t be a lot of assessment failures, but there will be a lot of what we call false starts. We’ve been talking about this for a long time in that a CMMC assessment, if you read the assessment process guide, which you should, uh, is conducted in four phases.

And the first phase is really just do you pass the sniff test? Do you display general readiness to even be able to go through an assessment? So, if they say, uh, do you have evidence ready? And you go, we don’t have an SSP, they’re not going to conduct the assessment because you’re not ready for the assessment.

Now that doesn’t count as an assessment failure. You just don’t get an assessment. So we call that a false start. That is not a metric that is tracked by the government or by the cyber AB at all.

Uh anecdotally when we have talked to C3PAOs, we have heard during the market roll out of people voluntarily going—which would allegedly be the people who would be the most ready uh to go get their assessments—it’s somewhere in the neighborhood of like 25 to 40% of companies that signed up for an assessment were told, “Come back later. You’re not ready.”

These are companies that would be paid to have you go through their assessment process. That they literally cannot even take your money to send you through the process.

One of the C3PAOs that I talked to at Gold Coast last year, uh I can’t remember how he phrased it. He said something along the lines of, “Uh, we want you—we want you to pass, but we can’t just let you pass.”

Right? Is sort of how he how he phrased it, right?

Where he’s like, “It’s so egregious that they can’t even take your money. It really is the nicest thing, even though it is dictated by the CAP. It really is the nicest thing the C3PAO can do for you because they could just go through it and be like, ‘You’re absolutely awful at this. Try again in a couple months and that’s it.’”

So, yeah. So, we’ve seen that already through the market roll out. On the AB’s monthly town hall that you and Joy go over uh every month is that the fall—the failure numbers are very low. They’re like single-digit percentages.

I think that it will remain single-digit percentages of failures, but a lot of people won’t even qualify. Uh, and so when you—and it’s because of that. It’s because of the false starts is why we’re not getting as many failures. Just to your point.

Yeah, absolutely. And so anytime that anybody would evaluate the program, the program is going to look like a massive success because most people pass and it’s not a big deal.

And they’ll go, well, yeah, the people who are ready pass it just fine and the people who haven’t implemented the requirements wouldn’t be ready for assessment anyways.

And so I don’t think that there’s going to be some massive disruption to the roll out of the program because everyone’s failing because there just won’t be a lot of failures.

So I I agree.

Yeah. So second idea here, the people who are the early adopters—that 700 to 1,000 to 1,500 people by the end of Q1 of uh 2026—are going to grow rapidly.

They are going to win a lot of work. They are easy to do business with. They don’t ask for special treatment. They’re not asking for exceptions. They’re not hoping for waivers. They’re not begging their contract office or their purchase order to stick their neck out with them.

They’re not negotiating with PMs or whatever. They just have it, right? They just—they just have it. It makes it easier for your customer to give you the work.

And so, I think that they’re going to grow a lot and that people who are lagging behind are going to be betting on getting away or having more time or getting, you know, special treatment or whatever it happens to be.

And that is a dicey propaganda or dicey strategy the longer we go on through the timeline. So I think the early adopters are set up to grow significantly.

I I I think that you left out the negative connotation in that you know betting for an extension doing all this—all of the things that you mentioned there—or they’re just fell too far behind and they don’t exist.

All right, last prediction for me here. There will be no subsidies, no appropriations, no cost offsets, no tax breaks, no assistance whatsoever. Right.

The ultimate ace up the sleeve, if you will, that the government has is that the costs for CMMC assessment, the costs for complying with DFARS 7012 are supposed to be rolled up in the contractor’s rate that they submit on the bid.

That’s why they’re always saying that it’s an allowable cost. That’s why they also say it’s a question of fairness because people who don’t uh impose those costs or don’t incur those costs uh have artificially low rates compared to their competitors who are complying with their cyber security requirements.

And so the government’s going to turn around and say, “Why do you need assistance for the thing that we’re paying you for? Did you submit a bid that was artificially low? Did we pay you for the thing you said you were going to do and you’re not doing it?”

And then you start to get into discussions about fraud and false claims and all this mess back and forth.

So, I don’t think there’s going to be any appropriations whatsoever because of the fact that these are terms of a contract.

When we’ve been talking to people through the grapevine, there seems to be no appetite for this whatsoever outside of the DoD CIO’s office. Ironically, they would love it if people had the money or if they could pay them the money to be able to work with these requirements, but the colors of the money in the current appropriations aren’t right.

There doesn’t seem to be any appetite for creating new appropriations from folks in Congress. And so I would not bank on there being any kind of cost offset buckets of money or anything like that anytime soon uh to comply especially with DFARS 7012 requirements but also the cost of CMMC assessment.

So just keep me sane here for your prediction uh like these uh appropriations these offsetting cost uh movements right those are things that have to appear in a budget right?

Yeah. So, you know, you would—you would imagine that in the uh the annual uh National Defense Authorization Act, so the annual NDAA, there would be something in there that would say, “Here’s a bunch of money to help the DIB with cyber security requirements.”

Right.

QuickF doesn’t—Yeah, it it’s not in there. Right.

The only thing that is ever in the NDAA since this whole thing is kicked off is contractors aren’t doing the things that they said they were doing. So, we want a program that makes them prove that they’re doing them, not we’re going to come up with a bunch of money to give to people for the thing that we already paid them for. Right?

So, uh that’s not the perspective that a lot of contractors have, but that is the perspective that the government has. Right?

And so, depending on what hat you’re wearing, it’s a very different conversation.

I have heard no rumors about people who are eager to uh create any kind of cost offset or bucket of money to help with DFARS 7012 or CMMC assessments. So I would not bank on that being a thing.

Like some people might think well we’ll delay delay delay as long as we can. There won’t be enough assessment capacity in the ecosystem. Things will get drawn out to the right. People will realize that uh there aren’t enough resources and there needs to be cost offsets and then we can use that cost offset money instead of our own money in order to comply with the requirements.

That is an astronomically unlikely scenario. I wouldn’t bet my company or the livelihoods of my employees on that being how it plays out.

Uh it’s a very long—it’s a super long shot, right? That’s a that’s a multi-leg parlay that I don’t think is going to hit.

Yeah. Yeah. Yeah. It’s a bold strategy.

Yeah. So there you go. What do you think?

Well, I I think just like you, well, first and foremost, that budget covers this year. This year basically covers phase one. No money in the budget, no appropriations, phase one. Get out and do it. Right.

Mine aren’t quite as cynical as yours, or mine aren’t as as detailed as yours.

Jason’s predictions

My first one is kind of the obvious that we’re seeing already and I know that we’re only realistically two days into the program being live and we’ve seen some solicitations, but I think that requirements being applied to contracts prior to the scheduled phase in which they’re supposed to be there.

So level two certification appearing, even level three certification appearing in contracts um based on political climate and things like that. I think it’s going to be more common than people expect.

It’s not going to be the the unicorn in the group. I think it’s actually going to be the herd of goats.

Yeah. So, you think that um level three could even show up in phase one?

I think so, just because look at the memos that we we we’ve looked at over the past year and some of the business that’s going to try to be garnered there.

I also think that like um it’s going to be more I guess preempted, right? Because we know that you have to get level two to get level three. So, they may mention the level three so that you get your butt in gear for level two now so that you’re prepped for level three.

Yeah. I mean, you got to remember too is like when the text of the rule was written was a long time ago and then it’s got to go through all that red tape before it’s finalized and then it goes into effect.

So the original idea for the phased roll out might have been there won’t be any level three in phase one. It’ll only be discretionary in phase two.

But then you fast forward to a couple months ago when this uh memo about Golden Dome came out and then all of a sudden they’re saying a lot of the contractors in the Golden Dome supply chain will definitely need level three.

Well, that’s an update that the rule making lags behind because that got—that got finalized. The text of the rule got finalized a year or more before that memo came out.

So, sure. Yeah. I mean, I could absolutely see it happening if the DoD says it’s important enough.

There isn’t anything in DoD policy or some sort of statutory limit that says you can’t require X in phase one or phase two. You can only require A, B, or C. That’s that’s not how it works.

That was the idea. But like we’ve said, it’ll be highly situational, right?

So, if you’re doing super cool high-speed stuff under Golden Dome, then, you know, ask around and see—see, you know, what what they think is going to happen.

We know that DIBCAC, who are the teams who run the level three assessments, are already running their level three pilots and getting the wrinkles worked out.

They’re already asking for people to email them to get on the schedule for level three. So, you can go ask them for level threes when they’re ready.

But yeah, I could see that happening. I could see level three in phase—in phase one. Definitely in phase two.

All right, so I’m one for one. Let’s see if I can go two for two.

Two for two.

I kind of—This is a little bit of a layup, right? Uh we’re encroaching on 100 authorized C3PAOs right now at the end of this year.

Uh one full calendar year. I think it’s safe to say we’ll have another hundred at least 200 authorized C3PAOs in the ecosystem by the end of phase one.

That’s it.

Uh yeah, a year—a year from now having another 100 C3PAOs. I could see that.

Do you think that we’re going to hit uh thousand um uh a thousand level two certs in Q1 of 2026?

I do. And the the reason that I—Oh, wait. Hold on.

So, we’re—we should be around 700 by the end of this year and then by the end of March, so by the time we’re we’re setting resetting our clocks again for daylight savings time, do you think we’ll be at a thousand?

So, another 300 companies.

Doing my best Jacob Horn fuzzy math here, right? Like I’m just trying to figure out like we’ve seen the growth every month.

It’s uh been about a 66% increase in the output of assessments uh to that point.

So given the trend and given the fact that now it’s live so there should be more motivation. Yeah, I think it’s 100% safe to say by the end of Q1 we’re going to—I’m going to say we’ll be close to 1500 by the by March.

That’s that’s crazy.

I mean I I don’t think it’s impossible but somewhere between 1,000 and 1,500. Let’s put it.

That’s a that’s a safe assessment.

I I I agree.

There we go. All right. What—What else do you think?

So, uh three um is kind of uh backpacking on number one where we’re seeing accelerated requirements, but number one pertained to DoD solicitations.

I think that the primes are going to absolutely ramp up the speed on the requirements for certifications during phase one.

Uh, I don’t think that you are safe with whatever the DoD puts out because the prime is going to be uh hopefully one step ahead of the the DoD which they’re going to have to answer to.

I’ve said this for months. I’m going to stand by it because I 100% firmly believe it and we’re seeing evidence of it.

Uh, prime contractors are going to put the the gas pedal down to the floor, I believe.

Yeah. And you know, we’ve said that whatever DoD’s idea that the phase roll out should be will deteriorate as that policy guidance goes to individual DoD components and programs and program managers.

Some might try to bend the rules. Some might be very strict with the rules. Some might try to squeeze out phase one as long as they can. Some of them might not even care because it’s at their discretion and they’re they really care about what’s going on.

So, it’s hard to predict.

Another X factor is what your prime decides to do because they’re going to say, “We don’t know if or when you need the CUI, and by the time we do know, we can’t wait for you to then turn around and take 18 months to get ready. So, go ahead and get ready now.”

Uh, which is basically the reason why they’re telling a lot of people to go get CMMC level two certification before the phased roll out even started.

Uh, so yeah, I absolutely think that the primes will accelerate the timeline.

And since most people work for the primes and not for the DoD, it doesn’t really matter what the DoD says the phase rollout should be. It matters what your prime says they’re going to do.

And if you haven’t asked them in a while, you should because it might be very, very different from what you hear Stacy or Katie or the DoD saying they think is going to happen.

And because on this show, I can’t let the list only be six things. I added one for good measure, so we have seven, right?

And it goes with what we’ve said, and I believe this very much so, especially in the first phase of the program.

I don’t think there are going to be any waivers, especially in phase one.

I don’t think they’re going to kick off the program with making concessions for people um for a couple reasons.

One, because the timeline, two, because we’re already behind the the the curve, right, because of the shutdown, everything like that, right?

They’re going to have to be pushing out.

I just don’t think there’s going to be any time or any resources they’re going to be able to absorb waivers or anything like—I just—it’s not going to happen.

Yeah. I think that there will be DoD components and there will be solicitations that opt for self assessment over certification assessment because they can bend the rules.

That won’t be true everywhere. And so that’s why it’s dangerous to bet on that being the case all the time.

But I also agree—I don’t think anybody is going to say there are no CMMC requirements in this solicitation whatsoever and they’re just—it’ll be literally it won’t be included at all.

I know that, you know, now that the phase rollout started, like on the first day, people were messaging me and they were like, “Hey, we got this solicitation from the Navy and it doesn’t have CMMC requirements in it, but it’s supposed to be awarded in phase one.”

And I was like, “It’s going to get revised.”

Like, as soon as the government opens up again, it’s going to get revised and you’ll have even more time or even less time to sort of calculate that increased cost.

So uh it it is not a perfect flare gun went up, air horn went off and now everything is like universally smooth in terms of its roll out.

It’s all very sort of situational and sporadic. Um but that’s the policy and so it’s definitely going to be coming in in different forms.

So yeah, I don’t think we’ll see waivers.

Uh but I I think you’ll see some people bending the rules for sure, but it’s a dangerous game to bet on that being uh you know the situation all the time everywhere for everybody.

So Mhm.

Outro

Plan accordingly.

All right. What do you think? Do you think that the seven things that we thought were going to happen in phase one are going to happen that way?

Do you disagree? Do you agree? You think something else going to happen?

Let us know in the comments. Like and subscribe and we’ll see you next week.

See you next week.

[Music]
