Expert Insights
November 10, 2025

CMMC Phase 1 Begins Today, but Recent Data Shows 99% of the DIB Is Not Fully Ready: Why Automation Is the Only Path Forward

Phase 1 of CMMC enforcement officially starts today—and organizations across the DIB have to get ready fast or risk contracts, sensitive defense information, and regulatory fines.

While compliance can be complex and intimidating, it is a necessity—and not only to continue working with the DoD directly or through prime contractors. Recent high-profile breaches and multimillion-dollar False Claims Act settlements have made it clear that CMMC is an operational necessity to protect the resilience of organizations and national security. 

Yet, a recent survey revealed that only 1% of organizations were fully ready for a CMMC assessment.

With CMMC requirements now appearing in contracts that did not previously include them, the DIB faces a readiness gap so large and systemic that traditional, manual approaches to compliance simply cannot scale. Both government and industry leaders are saying the same thing: automation is the only path forward.

CMMC readiness still low, despite enforcement beginning

Back in September 2024, a survey by Redspin, one of the first authorized CMMC Third-Party Assessment Organizations (C3PAOs), showed that 58% of contractors didn’t feel ready for the final CMMC rule, with 13% having taken no steps to prepare. In March 2025, a Kiteworks and Coalfire survey showed that readiness gaps had persisted, with only 46% of DIB contractors saying they felt prepared for Level 2 certification.

Even more recent data from October 2025 shows that readiness across the DIB remains critically low, despite the November 10th deadline.

As of the October CyberAB Town Hall, only 431 organizations had achieved a final CMMC Level 2 certification—representing just 0.5% of the roughly 80,000 companies the DoD estimates will require Level 2.

Findings from CyberSheath’s 2025 State of the DIB on CMMC Compliance report paint a stark picture of why this number is so low:

  • Only 1% of DIB organizations feel fully prepared for upcoming CMMC assessments. 
  • Fewer than 50% have completed foundational documentation like an SSP or POA&M.
  • The average SPRS score—though improved year-over-year—remains at just 60, far below the required 110. 
  • 17% still report negative SPRS scores and 58% haven’t even submitted one.
  • More than 2 in 3 organizations (69%) rate compliance difficulty at 7-10.

Why the DIB still isn’t CMMC ready

Here are some of the reasons why readiness across the DIB remains dangerously low.

1. CMMC’s complexity and the reality of implementation are underestimated

Implementing and documenting the 110 NIST 800-171 controls and 320 assessment objectives is far more demanding than many realize. As a result, many organizations have overestimated their compliance with NIST 800-171 or deferred it, even though it has been required under DFARS 7012 since 2017, and have continued to put off their readiness efforts until the CMMC acquisition rule (the 48 CFR rule) officially went into effect.

2. Documentation burden is enormous

An average SSP can exceed 150–200 pages, requiring continuous updating and alignment with controls and technical evidence. CMMC also requires POA&Ms, policies, procedure documents, data flow diagrams, and much more.

3. Smaller subcontractors face disproportionate burden

In public comments throughout the rulemaking process, the SBA Office of Advocacy repeatedly warned that the cost and complexity of CMMC threaten small businesses' ability to remain in the DIB.

One of their comment letters specifically called on the private sector to deliver “effective and economically feasible software solutions that reduce the burden of implementing secure enclaves and other CMMC requirements.”

4. Costs are higher than estimated

The DoD estimates that a Level 2 self-assessment costs $37,000–$49,000 and a Level 2 certification (third-party) costs $104,000–$118,000 every three years. But these estimates are only for preparing, conducting, and reporting a CMMC assessment since the DoD assumes organizations have already implemented the security requirements for CMMC Level 2, which have been prescribed in existing DFARS regulations for several years. 

However, since the genesis of CMMC was the Inspector General’s report of widespread noncompliance, and more recent reports continue to show gaps across the DIB, we can assume most organizations will also need to factor in the one-time cost of implementing the CMMC security requirements, plus the recurring costs of maintaining them and remediating POA&Ms for any that remain unimplemented. This could bring the true cost of Level 2 compliance closer to $75,000-$300,000.

5. Compliance can take a year or more

Just for the assessment, reporting, and affirmation activities required for Level 2, the DoD estimates that ~152–440 labor hours are required for a self-assessment and ~310–650 labor hours are required for a third-party certification assessment. 

But when factoring in the additional time to implement all Level 2 security requirements, remediate POA&Ms for any unimplemented ones, and maintain them, the average timeline to certification extends to at least 6-12 months, and often longer.

As a result of these and other challenges, many organizations aren’t ready as the rollout begins.

Why CMMC enforcement creates new urgency for readiness

Unlike DFARS 7012 and other existing DoD cybersecurity regulations that relied on a self-attestation model of security, CMMC requires verified compliance before contract award. 

These requirements are rolling out in phases, starting with Level 1 and Level 2 self-assessments required at award and some Level 2 third-party assessments required in select contracts at DoD’s discretion.

If DIB organizations can’t meet CMMC level requirements in their contracts at the time of award, then:

  • Primes, subcontractors, service providers, and other DIB organizations cannot bid on or maintain DoD work
  • Subcontractors cannot get or keep a place in primes’ supply chains, resulting in capacity loss and mission risk for primes
  • Noncompliance with CMMC Level 2 increases risk of False Claims Act (FCA) exposure under DFARS 7012
  • Capacity bottlenecks for C3PAOs and consultants will push late adopters to the back of the line and risk certification delays
  • Sensitive defense information remains vulnerable to unauthorized access or compromise

In short: Every organization at every tier of the defense supply chain must be able to demonstrate CMMC compliance at the required level as soon as possible—or risk losing contract eligibility, revenue, and mission readiness.

As a result, organizations are increasingly looking for ways to fast-track certification. According to CyberSheath’s 2025 DIB readiness report, more than half of organizations are now investing in compliance services and 40% are investing in software. 

Automation and AI are the only scalable path to certification

Across the DIB, contractors, primes, government organizations, and small businesses are converging on the same solution: automation. Here’s why:

1. It compresses timelines

Automation and AI workflows for evidence collection, control mapping, documentation generation and management, risk assessments, and secure enclave provisioning can significantly reduce the average timeline of 6–12+ months for Level 2 certification.

2. It drives down costs

Automation and AI can slash costs as well by reducing the need for:

  • multiple consultants
  • hours spent creating documentation from scratch
  • bespoke enclave builds and management
  • manual evidence collection and monitoring for each assessment cycle

3. It makes secure enclaves accessible

The Office of Advocacy specifically called for “economically feasible software” for enclaves because building them manually is so complex and cost-prohibitive.

Modern automated enclave solutions can remove this barrier by:

  • centralizing CUI handling
  • reducing deployment time
  • ensuring hardened, compliant configurations
  • automating provisioning and management

4. It closes the expertise gap

Most small contractors lack skilled personnel with 2-10+ years of experience, as the DoD assumed in its labor estimates. Automation and AI platforms with dedicated customer support, like Secureframe, let you simplify and streamline compliance activities so you don’t have to expand headcount.

For example, Manufacturing Consulting Concepts had to meet NIST 800-171 and CMMC Level 2 requirements with limited internal resources to support U.S. Air Force contracts. Using Secureframe, MCC’s two-person team achieved compliance and saved an estimated 500 hours over two years. 

5. It simplifies assessments

Assessment delays are often caused by common mistakes in scoping, documentation, and evidence collection.

The best tools address these issues by providing automation, AI, and templates that simplify the scoping process, improve the consistency and accuracy of your documentation, continuously pull and update evidence, and monitor the effectiveness of controls over time.

6. It drives continuous compliance

CMMC requires annual affirmations, assessments either annually or triennially, and updated SPRS scores. A comprehensive automation solution like Secureframe can provide everything you need to remain assessment-ready, including:

  • continuous monitoring
  • drift detection in control implementation
  • automated testing and notifications
  • ongoing SSP and POA&M management
  • live SPRS score tracking

The path forward for the DIB is automation

Every indicator—from breach reports to FCA settlements to the latest survey data—leads to the same conclusion: Without automation, the DIB will not close the CMMC readiness gap in time to keep up with enforcement deadlines or evolving threats.

For many organizations, the question is no longer “Should we use software?” It is now “What software should we choose and how fast can we implement it before enforcement impacts our contract eligibility?”

To learn how organizations are using Secureframe’s purpose-built automation to get CMMC ready fast while keeping costs low, talk to an expert.