Are You Prepared for a DCMA Review of your NIST 800-171 Assessment?

The Defense Contract Management Agency (DCMA) is planning to evaluate the information submitted by contractors on their compliance with NIST 800-171. The goal is to better understand whether the defense industrial base (DIB) is meeting contract requirements for handling Department of Defense (DoD) data.
In this article, we’ll go over what the DCMA is, how it will validate your organization’s NIST 800-171 Assessment and what you should consider in preparing your business
What is the DCMA?
The DCMA, “...provides contract administration services for the Defense Department, other federal organizations and international partners, and is an essential part of the acquisition process from pre-award to sustainment.”
This agency's primary concern is securing the best company for the job delivered on time and within budget.
What to Expect From a DCMA Review
A DCMA Review involves validating a completed NIST 800-171 assessment and the information required to complete an assessment.
The DoD released an Interim Final Rule that took effect on November 30, 2020, that specifies all contractors and sub-contractors post a current, objective assessment into a Supplier Performance Risk System (SPRS) as a prerequisite to submitting bids for new contracts or renewing existing contracts with the DoD.
The DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC’s) Nick DelRosso explained the evaluation process at a CMMC Accreditation Body Town Hall meeting...
“the DIBCAC will ask for a company’s system security plan and any associated documentation. We perform a check through the System Security Plan (SSP) and make sure you are likely complying based on what you are saying. Working with our partners, we will be examining companies that have self-assessed at a variety of score levels based on their SPRS input.”
Source: InsideCybersecurity
Once a review begins and the DCMA requests information, contractors should anticipate a quick turnaround for required information. This presents a challenge and major risk for companies with no SSP but completed and submitted a scored self-assessment.
Considerations For Your NIST 800-171 Assessment for a DCMA Audit
If you’re unsure if your company is prepared for a DCMA Review of your NIST 800-171 assessment submission, ask yourself these questions:
- Has your company already submitted its NIST 800-171 Assessment?
- Does your company have a System Security Plan (SSP)?
- Is your submission accurate and based on documented evidence and SSP information?
If You Answered “No” to Any of the Above, SSE Can Help
The experts at SSE can complete a complimentary NIST 800-171 & CMMC Readiness Assessment to ensure your company is ready or identify gaps before the DCMA does.
Let us demonstrate how we can help in preparing your business. Schedule your assessment today!
Additional Blog Posts

DOJ Ramps Up Cyber-Enforcement on Defense Contractors
The Department of Justice’s recent $4.6 million settlement with defense contractor MORSECORP sends a clear message to the Defense Industrial…
SSE Ranked #68 on MSPMentor’s 501 Global List for Top Managed Service Providers in 2025
We’re thrilled to announce that we have been recognized as #68 on MSPMentor’s 501 Global List for Top Managed Service…