October 7, 2021

Last Updated on January 15, 2024

DOD-C3PAOs

A lot of DIB members are anxiously awaiting the results of the DoD's review of CMMC. The guidance that I have been giving our clients is that the review is less likely to impact you than the C3PAOs. My argument is simple: the most likely impact, if any, is some reduction in the role of the C3PAO and in the extent and rigor of the audit they perform.

That matters little to the DIB, because I can't see how the review would affect DFARS 7012, 7019, or 7020. So, being fully compliant with DFARS 7012/NIST 800-171, attesting to that by entering a score in SPRS, and being prepared for an audit by the DIBCAC are still going to be the minimum requirements for DIB entities that process CUI.

There may also be additional scrutiny of your security posture by prime contractors, which we are already seeing. Take a look at this recent (scrubbed) communication below from a prime to one of our clients, which I think reinforces my assertion that all DIB members are going to need to be provably secure and in a position to withstand a comprehensive audit to remain in the DIB.


Dear Robert,

As of Monday, September 21st, PRIME-C is enforcing compliance with DFARS 252.204-7020, DFARS 252.204-7012, Fiscal Year 2019 NDAA Section 889, and FAR 52.204-25.

After reviewing your profile, I have determined that your organization is non-compliant with the NIST 800-171 and telecommunications requirements.

Please update your profile ASAP to prevent any interruptions in PO placement. We cannot issue any solicitations or purchase orders until the Company is compliant.

If you have any questions regarding Supply Chain Cybersecurity, contact XXXX.

John Doe

Subcontract Management Office

PRIME-C


What’s Next?


The good news is that the process to move to DFARS 7012/7019/7020/NIST 800-171 compliance is the same as for DFARS 7021/CMMC Level 3 compliance. CMMC adds about 20% more effort on the back end, so moving to a score in SPRS first and then continuing on to CMMC Level 3 is the right approach for most DIB members. Beginning that process now will put you in a great position whatever the eventual outcome of the review is.


Looking for some more information on the process to move to DFARS 7012/7019/7020/NIST 800-171 compliance? Check out these blog posts:

What Happens If You Fail Your CMMC/DIBCAC Assessment? – Pivot Point Security

We Passed Our CMMC/NIST 800-171 Assessment! Now What? – Pivot Point Security


Or listen to this podcast to learn about a proven process for achieving compliance:

EP#59 – John Verry – Governing Cybersecurity: A Process for Becoming Provably Secure & Compliant – Pivot Point Security
