This is an important cybersecurity update that may impact your federal contracts.
DIBCAC has started issuing 90-day audit notices to defense contractors across the country—well before CMMC is finalized.
These audits are not optional, and they are already happening.
Unlike CMMC (which validates future readiness), these DIBCAC audits look backward to confirm that contractors have met long-standing DFARS cybersecurity requirements and submitted accurate SPRS scores.
What This Means for Executive Leadership
If your organization has handled CUI or held a defense contract at any time since 2017, you may be selected for a week-long on-site federal audit of:
- Your DFARS 252.204-7012 cybersecurity compliance
- Your NIST SP 800-171 self-assessment
- Your SPRS score accuracy
- Your use of FedRAMP-authorized cloud services
- Your subcontractor DFARS flow-downs
The government will expect complete documentation, evidence, policies, procedures, and proof that all cybersecurity requirements were actually implemented—not just planned.
Why This Matters
These audits have teeth.
If the government determines that your submitted SPRS score was inaccurate or your DFARS requirements were not met, consequences can include:
- Loss of active or future contracts
- Negative performance ratings
- Referral to the Department of Justice for potential False Claims Act investigations
The Risk Window: Only 90 Days
From the moment a notice arrives, your organization will have:
- 90 days total before auditors arrive on-site
- Multiple mandatory submissions due weeks before the audit
- Five full business days of interviews with leadership, IT, HR, and key operational staff
This timeline is extremely compressed for any organization that does not already have complete evidence and documentation prepared.
How the ISM Team Can Help
We strongly recommend a pre-audit readiness review to ensure your:
- SPRS score is defensible
- System Security Plan (SSP) and POA&M are complete and evidence-based
- CUI is stored only in compliant environments
- Responsibilities between your internal team and IT providers are clearly defined
If you'd like ISM and its CMMC team to conduct a readiness check or to help strengthen your documentation before an audit notice arrives, please let us know.
Final Thought
Federal auditors have already begun unannounced DFARS assessments nationwide. Being proactive now is far less costly than responding under a 90-day deadline.
We’re here to help your organization stay compliant, protected, and prepared: https://www.infosysmt.com/contact-us/
