
“If you want to stay connected, then you must be inspected.”
The NCMS Annual Conference and Seminar wrapped up on June 12th, 2025. NCMS, Inc., the Society of Industrial Security Professionals, provides development and training for its 7,000+ members in industrial security, cybersecurity, and classification management.
Along with customer meetings and exhibition floor meet-and-greets, a number of keynote speakers and interactive sessions educated industry professionals on updates within the cybersecurity space. Of those, a CORA brief from DCSA was front-and-center.
Critical CORA Briefing by DCSA Cyber Deputy
Effective FY26: All NISP circuits may face inspection unless a passing FY25 mark was achieved. Be advised—up to 15% of inspections will be no-notice. Prepare accordingly. The no-notice inspections serve a few purposes:
- Daily operations assessment – a comprehensive look into the contractor’s security program and practices without preparation
- Vulnerability identification – discovering any weaknesses in security that may not be identified during announced inspections
- Compliance – evaluating the contractor to ensure the organization and its employees are abiding by the requirements of the NISPOM
Don’t Risk Failing Your CORA – ODP and Increased Failure Rates
Orders, Directives, and Policies (ODP) are a strong contributor to the 50% failure rate in DCSA-executed CORAs. Failures may be a result of sites being inadequately versed in ODP requirements. Key Indicators of Risk (KIOR) are also new to the CORA program and can negatively impact a grade to disastrous effect.
CORA failures can lead to circuit disconnection and contract losses, and can affect contract eligibility.
Contractors work hard with their government program teams to obtain approval for classified systems, especially SIPRNet. The resources required to obtain approval are too great to have access removed due to non-compliance. That’s why selecting the right partner can make all the difference.
Stay in Consistent Contact With Your CSSP
In addition, DCSA Mission Director and Authorizing Official William Vaughn noted that CSSPs may be subjected to increased observation and assessment. As the global cyber landscape continues to evolve, CSSPs who do not fulfill their responsibilities may negatively impact contractor scores. CSSPs must meet their required responsibilities as listed in the memorandums of understanding.
Last but not least, Vaughn recommended companies stay in consistent contact with their CSSPs. The DoD views CSSPs as an integral part of the overall security of information systems, and both parties play a crucial role in maintaining compliance.
At SecureStrux, we specialize in guiding organizations through the CORA process. From preparing for boundary reviews to aligning with the latest MITRE ATT&CK mitigations, our team is dedicated to helping you strengthen your cybersecurity posture and stay ahead of evolving threats. If you have any questions or would like to learn more about how SecureStrux can assist your organization, please don’t hesitate to reach out to us.