Most Commonly Failed Controls (DIBCAC Findings)

Top "Other Than Satisfied" (OTS) Requirements from DIBCAC High Assessments

The Defense Contract Management Agency (DCMA) conducted DIBCAC High Assessments between 2019 and 2022 to measure real-world adherence to NIST SP 800-171. The results identify the requirements most commonly assessed as "Other Than Satisfied" among contractors.

Presented By:

Defense Contract Management Agency (DCMA)
Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)

December 2022

[Figure: detailed pie chart with segment breakdown of the top OTS requirements]

Commonly Failed Controls

3.13.11 FIPS-validated cryptography [System and Communications Protection (SC)]

3.5.3 Multifactor authentication [Identification and Authentication (IA)]

3.14.1 Identify, report, and correct system flaws [System and Information Integrity (SI)]

3.11.1 Periodically assess risk [Risk Assessment (RA)]

3.11.2 Scan for vulnerabilities [Risk Assessment (RA)]

3.3.3 Review and update logged events [Audit and Accountability (AU)]

3.3.4 Alert on audit logging process failure [Audit and Accountability (AU)]

3.3.5 Audit record review, analysis, and reporting processes [Audit and Accountability (AU)]

3.6.3 Test incident response capability [Incident Response (IR)]

3.4.1 Establish and maintain baseline configurations [Configuration Management (CM)]

[Figure: percentage of companies with each of the top 10 OTS requirements, from High Assessments]

Data taken from 117 High Assessments (2019–2022)