An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

News | June 24, 2019

Building a cybersecurity assessment capability

By Patrick Tremblay DCMA Public Affairs

A small group of professionals assembled here in early June to begin work on an expanded cybersecurity role for the Defense Contract Management Agency. The team will stand-up a new Defense Industrial Base Cybersecurity Assessment Center, designed to ensure contractor compliance in safeguarding information about the weapons, equipment and systems they build.

The group creating the structure of the DIBCAC are volunteers, some hand-picked, working mostly on special 120-day assignments, according to Darren King, the center’s interim lead.

“We’ll be looking at contractor compliance with industry-standard cybersecurity efforts,” said King, “so we needed to get the right people to get us started. This group will be establishing processes, writing training, and conducting the first of our assessments.”

The initial team includes DCMA headquarters and field personnel who have an understanding of both cybersecurity and the contracting process. People like Tim Sisson, an information technology specialist who has been performing software surveillance at DCMA Boeing St. Louis for the past six years.

“We’ve been doing this particular type of assessment since 2016, when the (Defense Federal Acquisition Regulation Supplement) cybersecurity clause was issued,” said Sisson, “the difference now is we’ll be performing the work on a contractor level, rather than on a contract level.”

The change is significant, driven by a February memorandum from Ellen Lord, undersecretary of defense for acquisition and sustainment that clarifies DCMA’s role. It’s also welcomed by King and the rest of the team.

“Outside of this assignment, I’m the cybersecurity director for DCMA,” said King. “I understand the importance of securing an organization’s information systems, and that holds true for our contractors, as well.”

At risk is what’s called controlled unclassified information. “Most contractors have proper protection for classified data, but there is a lot of CUI that is too easily accessible. Once aggregated, this information can show more of our defense capabilities than we want to make available,” said King. 

“We deliver equipment and systems to our warfighters, but surrounding these items are a trove of information that has been undervalued,” explained Navy Vice Adm. David Lewis, DCMA director. “Protecting this information will now be a regular part of the contract administration process – just as we ensure other (Federal Acquisition Regulation), DFARS and contract requirements are met.”

The DFARS cybersecurity clause identifies a common, industry-standard set of 110 requirements for cybersecurity outlined in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”

Sisson said a key element of the DIBCAC is that it is an assessment organization. “DCMA will conduct a review of a contractor’s adherence to the NIST standards, and if they are non-compliant in any area, this is reflected on a scorecard (designed by OSD),” he said. The end state vision is to be able to share this information with the contractor and with of our customers — the services and defense buying commands — to help them make fully-informed, risk-based decisions when entering into contracts.

As the initial handful of 120-day volunteers are setting the groundwork for the center, the first group of permanent DIBCAC team members are being sought.

“We have job announcements now for our first 46 permanent members,” said King, “many of whom we want to have on board as early as the end of June.” These positions can be located almost anywhere there is a secure internet connection, and the actual assessments will be done on-site at contractor facilities.

Ultimately, the team will grow to 274 people. King said there will be openings starting at the GS-11 level for management analysts, and assessors at the GS-12/13 level. “We want to build this capacity smartly over the coming years. To do this, we’re designing a career path into the DIBCAC from the beginning. This is important work for the agency and for national defense.”

For more information on opportunities to join the DIBCAC team, contact All positions will be competitive and listed at