Pelican3 Perspectives

You Just Got the Letter. Now What?

Written by Paul Hugenberg | Nov 21, 2025 1:30:00 PM

DIBCAC Is Assessing Your NIST 800-171 Compliance, and the Clock Is Already Running

You opened your mail and there it was: a formal notification from the Defense Contract Management Agency announcing a Medium or High DIBCAC assessment of your organization. The pre-assessment coordination call is in five weeks. Evidence submission? Ten days.

Your first thought: "I thought we had more time before CMMC kicked in."

Here's the problem: this isn't CMMC.

This Is About Your Existing Contract Obligations

DIBCAC isn't assessing you against future CMMC requirements under 252.204-7021. They're assessing your compliance with DFARS clauses 252.204-7012, 7019, and 7020, requirements that have been in your contracts for years. Same 110 NIST SP 800-171 controls; different legal basis.

Many contractors conflated these with "upcoming CMMC" and kept kicking the can down the road. That road just ended.

What DIBCAC Wants From You

The letter includes a detailed action items schedule. Here's the short version:

  • A completed Basic (Self) Assessment with your SPRS score
  • Your System Security Plan (SSP) explaining how each of the 110 requirements is implemented in your actual environment, not boilerplate
  • POA&Ms for anything not yet implemented (with a critical limitation: some controls cannot be deferred)
  • For High Assessments: detailed network topology diagrams, technical artifacts, and subject matter experts available for interviews across all security families

DIBCAC explicitly states that copying and pasting requirement language from NIST SP 800-171 into your SSP is unacceptable. They want to see that you understand and have actually implemented each control.

A Reality Check on Timelines

True compliance maturity takes months to build. Much of the evidence assessors look for is found in "muscle memory," documented proof of sustained security practices like vulnerability scans, access reviews, and incident response logs. You can't manufacture six months of operational evidence in 90 days.

But here's what you can do: develop an accurate SSP and an honest SPRS score. That score will likely reflect deficiencies - and that's okay. A defensible position showing gaps with a clear remediation path is infinitely better than an inflated score that exposes you to False Claims Act liability.

Also critical: certain controls cannot exist on a POA&M. Multi-factor authentication, FIPS-validated encryption, and basic access controls must already be in place. Period.

How Pelican3 Can Help Right Now

If you've received the letter, you need to mobilize immediately. We can help you:

  1. Develop an accurate, defensible SPRS score based on your actual implementation status
  2. Create an SSP that meets DIBCAC expectations with specific, environment-appropriate control descriptions
  3. Identify what must be fixed now versus what can legitimately go on a POA&M
  4. Prepare your technical documentation including network topology diagrams and supporting artifacts
  5. Brief your team so your SMEs can confidently demonstrate compliance during assessor interviews

If you haven't received a letter yet, consider this your warning. These assessments are rolling out across the Defense Industrial Base. The contractors who fare best will be those who prepared before the letter arrived.

Contact Pelican3 Consulting today. These aren't future requirements. They've been in your contracts all along.