CMMC enforcement begins with mixed industry readiness

A new survey finds two-thirds of contractors prepared for the cybersecurity certification over many years, while nearly 40% have not yet completed required self-assessments.

Enforcement of phase one for the Defense Department’s new cyber and supply chain security program is now underway, and a new study finds the industry’s level of preparedness is decidedly mixed.

As of Nov. 10, defense buyers will require Level 1 compliance with the Cybersecurity Maturity Model Certification in new contracts. CMMC is a program that requires companies to certify their compliance with the National Institute of Standards & Technology’s SP 800-171 standard for protecting controlled unclassified information.

Companies can self-certify for Level 1. On Nov. 10, 2026, the Defense Department will start issuing contracts requiring Level 2 certifications, which need a third-party assessment.

A new study by Redspin finds that CMMC adoption is gaining some momentum, but it is a slow process. Redspin helps companies make their way through the CMMC certification process.

Sixty-eight percent of respondents told Redspin that preparing for CMMC took them more than a year. While that is an improvement from the 2024 survey, there is a gap between awareness and execution.

The survey found 60.6% of respondents reported that their companies had completed the CMMC self-assessment.

“That unfortunately means that 36.6% are not undertaking the annual gap assessment requirement as of now,” according to the survey.

CMMC compliance also is expensive, with 26.1% reporting they have spent between $100,000 and $250,000 to prepare for the requirement. Another 31.9% reported spending more than $250,000 on CMMC.

The survey leaves it as an open question whether those kinds of costs will continue.

Cloud service providers are playing a key role in supporting contractors, with 53% saying that they are using a CSP to minimize their CMMC scope. Another 14% are considering it for the future.

The 2025 survey found that 60% of respondents reported an increase in training, compared to 2024’s finding of 37%.

CMMC’s shift from policy to practice is a significant step.

“It’s just the beginning,” said Redspin president Brian McManamon. “Over the next four years and beyond, CMMC will continue to expand across the [defense industrial base].”
