DIBCAC

The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is the Department of Defense's in-house cybersecurity assessment team. It is part of the Defense Contract Management Agency (DCMA) and conducts NIST SP 800-171 assessments of defense contractors directly, as opposed to relying on commercial C3PAOs.

DIBCAC has three main roles in the CMMC ecosystem: (1) conducting CMMC Level 3 assessments, which are not delegated to commercial C3PAOs; (2) conducting Joint Surveillance Voluntary Assessments (JSVAs) for contractors who want a government-led Level 2 assessment; and (3) authorizing C3PAOs themselves by conducting their initial Level 2 assessments before the Cyber AB grants C3PAO status.

DIBCAC assessors are seasoned government cybersecurity professionals. A DIBCAC assessment carries the same weight as a C3PAO assessment for Level 2 purposes and is sometimes considered more rigorous.