DIBBS SOLICITATIONS UPDATE: What Foundries Need to Know About CMMC

Posted By: Sheila Rayburn (NFFS) Industry, NFFS

The date is set: the Defense Logistics Agency (DLA) has formally announced its phased implementation of the Cybersecurity Maturity Model Certification (CMMC) under DFARS 204.75, effective November 10, 2025. This signals meaningful changes to how solicitations will be structured, evaluated, and awarded moving forward.

For the forging, casting, and machining supply chain, understanding how DIBBS solicitations will change is critical to maintaining eligibility for Department of Defense (DoD) contracts. This article explains how to prepare.

DLA will introduce CMMC using DLA Procurement Notes, Standard Text Objects (STOs), and NIIN-level CMMC requirement mapping. Rather than applying a blanket cybersecurity requirement across all contracts, DLA has conducted National Item Identification Number (NIIN)-level assessments to determine the appropriate CMMC level for specific items. This means cybersecurity requirements will now be tied directly to the product being procured.

What is changing in DIBBS solicitations?

DIBBS solicitations will begin to reflect several important structural and compliance changes:

  1. CMMC levels assigned by NIIN: Each solicitation may include a required CMMC level based on the NIIN associated with the item being purchased. This introduces a new compliance variable into the bidding process.
  2. Suppliers will need to verify:
    1. Does the solicitation include CMMC language?
    2. What certification level is required?
    3. Must certification be in place at time of award?
  3. What to look for: CMMC requirements will appear through updated Procurement Notes and Standard Text Objects (STOs) embedded within solicitations. These additions will:
    1. Specify the required CMMC level.
    2. Reference DFARS 204.75.
    3. Clarify whether third-party certification is mandatory.

     Suppliers who are accustomed to scanning solicitations for pricing and delivery requirements must now add cybersecurity compliance review to their bid analysis process.
  4. Expanding eligibility screening: Cybersecurity compliance will become an eligibility factor, not simply a post-award requirement. Organizations lacking the required CMMC certification may be deemed ineligible for award. This is a shift from self-attestation under NIST SP 800-171 to validated certification requirements for applicable contracts.

Why does this matter to the foundry, forging and machining industry?

Many forging, casting and machining suppliers do not traditionally view themselves as high cyber-risk organizations. However, technical drawings, specifications, defense-related manufacturing data and quality documentation may constitute Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If a NIIN has been mapped to a CMMC Level 2 requirement, suppliers handling that item must meet the certification standard, even if their core operations are industrial rather than digital. CMMC language can appear at any time.

The DIBBS platform itself is not changing operationally, but the compliance environment within it is evolving.  Suppliers should expect:

  1. Greater variance in cybersecurity requirements between solicitations.
  2. Increased administrative review during award evaluation.
  3. Possible delays in award if certification verification is required.
  4. Competitive disadvantage for non-certified suppliers.

What are the strategic implications for the supply chain? For NFFS members and the broader forging, casting and machining industry, the answer is clear: cybersecurity is now directly tied to market access. NIIN-based mapping means some product lines may require certification while others may not. Lastly, early preparation provides a competitive advantage. As DLA increases CMMC integration into DIBBS solicitations, suppliers that proactively prepare for Level 1 or Level 2 certifications will be better positioned to be eligible for awards.

What actions should suppliers take going forward? Review your current DoD and DLA portfolio and identify whether you handle FCI or CUI. Assess alignment with NIST SP 800-171 controls. Be sure to monitor DIBBS solicitations closely for new Procurement Notes and STO language.

Here is the takeaway from this article. DLA's phased CMMC implementation represents one of the most significant compliance changes to DIBBS solicitations in recent years. For the foundry, casting and machining industry, cybersecurity readiness is no longer optional; it is becoming a condition of participation in the defense industrial base. Preparation today will determine eligibility tomorrow.