Expert Insights, May 2, 2025

Are Defense Contractors Ready for CMMC 2.0? A Look at the Most Recent Data

In response to concerns raised by industry leaders and lawmakers that CMMC places a heavy burden on contractors and small businesses in particular, DoD officials have expressed their own frustration at the lack of readiness across the defense industrial base (DIB). They argue that CMMC merely enforces longstanding contractual cybersecurity standards and the industry has had years to prepare.

Most recently, Katie Arrington, who is performing the duties of the DoD Chief Information Officer (CIO), said at a summit in Washington, D.C., “If industry had complied with [National Institute of Standards and Technology] Special Publication 800-171, CMMC wouldn’t be so hard.” She cited the DoD’s review of the DIB back in 2020 that uncovered widespread noncompliance with NIST 800-171, including many contractors with Plans of Action and Milestones that wouldn’t have brought them into full compliance until 2099.

CMMC 2.0 was designed to enforce accountability and close those long-standing gaps. With the final rule published in 2024 and DoD officials confirming that CMMC is here to stay, requirements are expected to appear in defense contracts any day now. So how prepared is the DIB to meet these requirements? Let’s take a look at recent reports for answers.

Report found large gap in CMMC readiness in 2024

Back in September 2024, Redspin, one of the first authorized CMMC Third-Party Assessment Organizations (C3PAOs), conducted a survey on CMMC readiness across the DIB. The findings were concerning. 

According to their report, Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness, the majority of contractors did not feel prepared to comply with CMMC 2.0 requirements. 58% of respondents said they didn’t feel ready for the final rule, with 13% saying they had not taken any steps to prepare to date. 

The top challenges to CMMC readiness cited were cost and confusion or inadequate information about CMMC. However, the report showed that awareness of CMMC 2.0 was high, with 81% reporting they were very familiar and 17% reporting they were somewhat familiar with CMMC. While this indicates that organizations knew the “what” and “why” of CMMC compliance, the lack of readiness indicates that they were less clear on the “how.”

The report also revealed gaps in security measures that were mandated well before CMMC 2.0. For example, a System Security Plan (SSP) has been required of contractors handling Controlled Unclassified Information (CUI) under DFARS 252.204-7012 since the end of 2017, yet only 47% of respondents said they had finalized their SSP.

Three months after this survey was conducted, the CMMC final rule did go into effect. So did readiness improve after this effective date?

Has CMMC readiness improved in 2025? Recent findings say not enough

New research based on a survey conducted immediately after the publication of the 32 CFR Final Rule has found that readiness gaps persist in 2025. A recent report released jointly by Kiteworks and Coalfire, CMMC 2.0 Preparedness in the DIB, found that only 46% of DIB contractors are prepared for Level 2 certification, despite the compliance deadline looming. 57% have yet to even complete a gap analysis against NIST SP 800-171 requirements, which is a critical step early in the process.

The report highlights other concerning gaps, including:

  • Only 44% of contractors have implemented continuous monitoring for in-scope systems. 
  • Less than 53% have fully implemented required access control measures across relevant systems.
  • Over 30% lack advanced third-party access controls, putting CUI at risk from supply chain vulnerabilities.
  • More than 30% still do not enforce multi-factor authentication (MFA) across all systems processing or storing sensitive data.

These figures suggest that while some contractors have made strides since the fall of 2024, a significant portion of the DIB is still lagging in critical cybersecurity areas.

Organizations are still hampered by challenges similar to those they faced in the fall. The top two challenges cited by Kiteworks and Coalfire survey respondents were budgetary limitations (36%) and technical complexity (31%).

Below we’ll provide some practical ways you can address these challenges and maximize your readiness efforts. 


5 steps to accelerate CMMC readiness

For contractors that are lagging behind in their CMMC readiness journey, the good news is that it’s not too late to act. Here are five key steps to help close readiness gaps and prepare for CMMC certification:

1. Conduct a gap assessment against CMMC requirements

Kiteworks and Coalfire’s report found that organizations with completed gap analyses were significantly more likely to be prepared for compliance:

  • 77% had documented encryption standards compared to 42% of those that have not started gap analyses. 
  • 73% had fully documented cybersecurity policies compared to 28% of those not started.
  • 71% had detailed plans of actions and milestones (POA&Ms) in place compared to 33% of those not started. 

Because of this correlation between gap analysis completion and readiness, your first step should be conducting a formal gap analysis to understand how your current security posture maps to CMMC requirements. A comprehensive assessment helps identify gaps in your policies, procedures, and practices and prioritize what needs to be fixed first.

While you can perform a gap assessment manually, this approach involves lots of spreadsheets and documents, status meetings, audits, and regular updates from each team responsible for different areas of remediation. This can be challenging to maintain over the long term without dedicated resources, expertise, and technology. Automation can significantly simplify and accelerate this process. 

2. Develop an SSP

In Redspin’s September 2024 survey, 75% of respondents had a System Security Plan (SSP) either in place or in progress, making it one of the most widely adopted CMMC readiness steps among DIB contractors at that time. This makes sense given that an SSP is a foundational document required for CMMC compliance. It details how your organization implements security requirements and helps assessors understand your environment, policies, and control implementation.

Just like conducting a gap analysis, developing your SSP early in the readiness process can help provide a roadmap to certification. It forces you to take a detailed inventory of your information systems, clearly define system boundaries, and document how each applicable control is being met (or not met). By highlighting what’s already in place and what still needs to be addressed, this exercise provides visibility into your security posture and structure to your compliance efforts.

Without an SSP, it's nearly impossible to evaluate readiness or prioritize remediation. Given the accelerating timeline for CMMC 2.0, organizations should treat the SSP as a critical early deliverable that can frame their entire compliance journey.

3. Engage a CMMC expert

Navigating CMMC requirements, documentation expectations, and audit preparation on your own can be complex. Engaging a virtual Chief Information Security Officer (vCISO), CMMC Registered Practitioner Organization (RPO), or consultant with CMMC experience can help address this complexity and dramatically accelerate your readiness.

Findings from Kiteworks and Coalfire’s research demonstrate the value of engaging with external partners. 

Organizations handling compliance in-house more often identified the technical complexity of implementing controls (47%) and understanding requirements and documentation (34%) as key obstacles to their readiness efforts. Across all respondents, only 31% cited technical complexity and 10% cited understanding requirements as their greatest CMMC challenge. This suggests that external partners help reduce the perceived complexity of CMMC, although these are correlations from a single survey rather than proof of cause.

Furthermore, organizations working with external partners are more likely to have achieved compliance readiness across multiple dimensions, including:

  • Following verified encryption standards (84% of organizations working with partners vs 61% handling compliance in-house)
  • Achieving fully documented policies (76% of organizations working with partners vs 46% handling compliance in-house)
  • Having advanced third-party access controls in place (76% of organizations working with partners vs 66% handling all compliance in-house)
  • Having a formal third-party risk management program (72% of organizations working with partners vs 39% handling all compliance in-house)
  • Completing a gap analysis (62% of organizations working with partners vs 40% handling compliance in-house)

Since partner engagement correlates with substantially better security outcomes, consider engaging with an experienced CMMC partner as early as possible in the readiness process.

4. Leverage automation 

Both the Redspin and Kiteworks and Coalfire reports identified cost and time as major roadblocks for organizations preparing for CMMC. In the Redspin survey, cost was the number one challenge at 57%. Time constraints were mentioned by 11% of respondents. Several months later, Kiteworks and Coalfire survey respondents once again identified budgetary and resource constraints as the biggest challenge DIB organizations face in addressing CMMC 2.0 compliance (36%).

It’s true that manual preparation for a CMMC assessment can take potentially hundreds of hours and thousands of dollars. Automating key parts of the compliance process—such as evidence collection, policy management, and continuous monitoring—can reduce costs and resource constraints by eliminating much of the manual work involved in preparing for and maintaining certification. 

A compliance automation platform that supports all levels of CMMC can not only significantly reduce the time, effort, and cost required for compliance but also improve accuracy and consistency and strengthen your overall security posture.

5. Implement continuous monitoring capabilities

Kiteworks and Coalfire found that fewer than half (44%) of contractors have implemented continuous monitoring for in-scope systems, yet this is an important step to complete early in the readiness process.

CMMC isn't just about implementing controls; it’s about maintaining them over time. Continuous monitoring is essential for demonstrating that your controls are in place and operating effectively.

Automated tools that can alert you of control failures, misconfigurations, or anomalous behavior are essential for proactively identifying and remediating any issues that may affect your compliance status or adherence to contractual obligations. 
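To make the idea of an automated control check concrete, here is an added example that is not from either report or from any vendor's product. It runs a few NIST SP 800-171 Rev. 2 requirements (3.5.3 multifactor authentication, 3.1.10 session lock, 3.3.1 audit logging, 3.1.1 limiting access for third-party accounts) against a constructed inventory of in-scope systems and returns findings that an alerting or ticketing pipeline could consume. The inventory layout, the 15-minute session lock policy, and the system names are assumptions made for the illustration.

```python
"""Minimal control-drift check of the kind a scheduled continuous-monitoring
job would run. Added example; the inventory below is constructed, not real."""
from dataclasses import dataclass
from datetime import date

# NIST SP 800-171 Rev. 2 requirement IDs used as labels on findings:
#   3.5.3  MFA for privileged accounts and for network access to non-privileged accounts
#   3.1.10 session lock after a period of inactivity
#   3.3.1  create and retain system audit logs
#   3.1.1  limit system access to authorized users (here: third-party accounts)

MAX_SESSION_LOCK_MIN = 15  # assumed organizational policy value, not a CMMC number


@dataclass(frozen=True)
class Finding:
    system: str
    requirement: str
    detail: str


# Constructed sample inventory, shaped like an export from an MDM/EDR tool or
# an identity-provider API. The "cui" flag marks whether a system is in scope.
INVENTORY = [
    {"name": "fileserver-01", "cui": True, "mfa": True, "session_lock_min": 15,
     "audit_logging": True,
     "third_party_accounts": [{"user": "vendor-a", "expires": "2025-06-30"}]},
    {"name": "eng-workstation-07", "cui": True, "mfa": False, "session_lock_min": 60,
     "audit_logging": True, "third_party_accounts": []},
    {"name": "erp-app", "cui": True, "mfa": True, "session_lock_min": 15,
     "audit_logging": False,
     "third_party_accounts": [{"user": "vendor-b", "expires": "2024-12-31"}]},
    {"name": "guest-kiosk", "cui": False, "mfa": False, "session_lock_min": 0,
     "audit_logging": False, "third_party_accounts": []},
]


def evaluate(inventory, today: str):
    """Return Findings for in-scope (CUI) systems; `today` is an ISO date string."""
    as_of = date.fromisoformat(today)
    findings = []
    for s in inventory:
        if not s["cui"]:
            continue  # out of scope: the CUI boundary decides what gets assessed
        if not s["mfa"]:
            findings.append(Finding(s["name"], "3.5.3", "MFA not enforced"))
        lock = s["session_lock_min"]
        if lock == 0 or lock > MAX_SESSION_LOCK_MIN:
            findings.append(Finding(s["name"], "3.1.10",
                                    f"session lock of {lock} min violates policy"))
        if not s["audit_logging"]:
            findings.append(Finding(s["name"], "3.3.1", "audit logging disabled"))
        for acct in s["third_party_accounts"]:
            if date.fromisoformat(acct["expires"]) < as_of:
                findings.append(Finding(s["name"], "3.1.1",
                                        f"expired third-party account {acct['user']}"))
    return findings


def coverage(inventory, key: str) -> float:
    """Fraction of in-scope systems where a boolean control (e.g. 'mfa') is in place."""
    in_scope = [s for s in inventory if s["cui"]]
    if not in_scope:
        return 1.0
    return sum(1 for s in in_scope if s[key]) / len(in_scope)


if __name__ == "__main__":
    for f in evaluate(INVENTORY, "2025-05-02"):
        print(f"[{f.requirement}] {f.system}: {f.detail}")
    print(f"MFA coverage on CUI systems: {coverage(INVENTORY, 'mfa'):.0%}")
```

The scoping step matters as much as the checks: the guest kiosk fails every control but produces no finding because it is outside the CUI boundary, which is exactly the kind of distinction an SSP's system boundary definition has to make explicit. Running a job like this daily and routing each Finding into a ticket is a simple way to show an assessor that controls are not only implemented but kept in place.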

The time to get CMMC ready is now

While the DIB has made progress since 2024, far too many contractors are still unprepared for CMMC 2.0. With requirements expected in defense contracts this year, compliance isn’t optional. It’s a strategic imperative for winning defense contracts and work with organizations supporting the DIB.

Contractors that take decisive steps today by investing in gap assessments, continuous monitoring, expert guidance, and automation will not only meet applicable CMMC requirements. They’ll also strengthen their security posture and competitiveness in the DIB for the long term.
