April 23, 2025

The US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) 2.0 program stands poised to finally launch. Yet suppliers across the Defense Industrial Base (DIB) continue to voice concerns about their cybersecurity posture and preparedness for upcoming third-party certification assessments. Independent audits will be mandatory for most DIB orgs seeking CMMC Level 2 certification, which is required to protect controlled unclassified information (CUI), such as engineering specs or the personal data of DoD staff.

While the control requirements themselves have not changed since NIST SP 800-171 Rev 1 was published in 2016, third-party assessments present a higher compliance verification bar than the NIST 800-171 self-attestation regime that has been in place. Suppliers can no longer “grade their own tests,” and many will need to add and/or modify controls to achieve CMMC Level 2 certification.

How close are most DIB SMBs to being “audit-ready” for CMMC 2.0 certification? This article summarizes four of the latest reports on the question.

Radicl’s DIB Cybersecurity Maturity Report 2024

The DIB Cybersecurity Maturity Report 2024 from managed security service provider (MSSP) Radicl surveyed over 400 SMB IT practitioners in the US defense supply chain. Among its key findings:

  • 36% of DIB SMBs acknowledged they still needed one to two years to achieve CMMC Level 2 compliance, and 20% said they would need more than two years. Yet DIB orgs that handle CUI have been contractually required to implement NIST 800-171, the same 110 controls that CMMC Level 2 assesses, since the DFARS 252.204-7012 clause took effect in late 2016 (full implementation was due by December 31, 2017).
  • Only 62% of DIB SMBs consider cybersecurity a high or very high priority. This seems low given that 56% of respondents (the 36% plus the 20% in the previous bullet) effectively admitted to knowingly falling short of DoD contract compliance requirements.
  • 46% of respondents reported experiencing cyber incidents costing $100,000 or more. This is more than it costs most DIB SMBs to achieve CMMC Level 2 compliance and greatly reduce their cyber risk. 
  • 71% of respondents outsource some or all of their cybersecurity program to an MSP or MSSP, and 82% of these were planning to replace their vendor partner. This illustrates DIB SMBs’ general dissatisfaction with their vendors’ performance, as well as the challenge of meeting the needs of this price-conscious segment. 
  • Even though the CMMC 2.0 language does not yet appear in DoD contracts, 81% of DIB orgs surveyed have started their CMMC compliance process. However, only 13% of those say they are compliant with CMMC Level 1, and just 11% report compliance with CMMC Level 2.

According to Chris Petersen, Radicl CEO, the ongoing lack of cybersecurity maturity across the DIB shows that, “Absent enforcement and audit mechanisms, compliance doesn’t really move the needle. Only once companies are going to be audited and held to a standard of ‘can’t do business anymore’ do they actually begin to move.”

Another challenge Chris has noted with DIB SMBs is leadership that doesn’t understand cybersecurity and/or is overwhelmed by the prospect of complying with a comprehensive standard like CMMC Level 2. In effect, these firms have accepted the risk of a data breach and are hoping their luck somehow holds out.

But with CMMC’s third-party assessment organization (C3PAO) audit requirement on the horizon, noncompliant companies may be out of the running for defense contracts due to their lax cybersecurity. They also face potential civil liability under the US Department of Justice Civil Cyber-Fraud Initiative, which uses the False Claims Act to hold defense contractors accountable for cybersecurity shortcomings, including misrepresenting their NIST 800-171 self-assessment score in the DoD’s Supplier Performance Risk System (SPRS).

Kiteworks’ State of CMMC 2.0 Preparedness in the DIB

Another recent survey of DIB cybersecurity is Kiteworks’ 2025 State of CMMC 2.0 Preparedness in the DIB. This report assessed a diverse cross-section of 209 DIB contractors and subcontractors on their CMMC 2.0 compliance readiness, including preparation approaches, implementation issues, and resource allocation tactics.

The data highlights strong indicators of compliance readiness. Specifically:

  • Orgs that conduct comprehensive gap analyses—a key early step to define current cybersecurity capabilities—are significantly better prepared for CMMC compliance. For example, 73% of businesses that “mind the gap” have fully documented cybersecurity policies, versus only 28% of companies that have not yet performed a gap assessment. Likewise, 77% of “gap-aware” firms follow and verify documented encryption standards, compared with 42% of those that have yet to assess their CMMC compliance gap.
  • Orgs with fully documented policies, an indicator of governance capability, score much higher on important indicators like implementing encryption standards and maintaining robust third-party access controls. For example, firms with minimal policy documentation are 30 times more likely to acknowledge inconsistent CUI encryption—a critical vulnerability in DIB cybersecurity. 
  • 62% of large contractors surveyed have dedicated compliance budgets, compared with only 23% of SMBs. 
  • Perceived CMMC implementation challenges show a clear progression paralleling organizational maturity. Early-stage issues center on technical expertise and basic control implementation, while late-stage issues relate to scope definition, managing in-scope partners, and implementing continuous monitoring.

Kiteworks extrapolates a number of recommendations from its survey data, including:

  • Implementing advanced governance for CUI access
  • The importance of a layered cybersecurity strategy that includes encryption alongside complementary controls like multifactor authentication
  • The benefits of engaging specialized third-party expertise to accelerate compliance timeframes, especially early in the process
  • The importance of zero-trust data interchange procedures around third-party CUI access
  • Completing a thorough gap analysis against all 110 NIST 800-171 controls early on, once you have determined your target CMMC level (1 through 3) and your CUI scope

Kiteworks summarizes the key takeaways from its report as follows:

The findings clearly indicate that early investment in thorough assessment, comprehensive documentation, and appropriate external expertise significantly enhances an organization’s ability to achieve and maintain compliance while improving overall security posture to protect sensitive defense information throughout the supply chain.

Redspin’s “Aware but Not Prepared” report

Another recent look at CMMC readiness in the DIB is Redspin’s research, Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness.

Conducted in 2024 with 107 respondents, this report reveals that 58% of respondents do not consider themselves fully ready for the CMMC 2.0 compliance requirements: 42% feel “Moderately Prepared,” while 16% consider themselves “Slightly Prepared” or “Not at All Prepared.”

Astonishingly, 13% of DIB orgs surveyed say they have yet to take any preparatory steps toward CMMC 2.0 compliance. The report highlights this as a “critical concern” given that defense suppliers have been contractually obligated (under DFARS 252.204-7019/7020) to post a NIST 800-171 self-assessment score in SPRS since November 2020.

A possible reason for the lack of preparation could be that many contractors are simply waiting to see whether CMMC 2.0 requirements ever actually show up in their contracts. Meanwhile, most of them are presumably in violation of their current DoD contract terms and exposed to regulatory sanctions, contract cancellation, and a cybersecurity incident involving CUI.

On the plus side, the Redspin research indicates that over half of the respondents are working with an external service provider to achieve CMMC certification. This emphasizes the advantages that consulting expertise can offer towards establishing and maintaining a comprehensive cybersecurity program to safeguard CUI and other sensitive data. 

The MxD 2024 Survey of US Manufacturers’ Cyber Resilience 

The National Center for Cybersecurity in Manufacturing (MxD) has reported on US manufacturers’ cyber resilience annually since 2019. MxD’s 2024 research calls out an ongoing problem: DIB contractors are shockingly overconfident about their cybersecurity.

The MxD 2024 report surveys 750 US manufacturers, including 102 defense suppliers. 81% of DIB respondents professed high confidence in their cyber resilience. Yet fewer than half of them reported using foundational cybersecurity practices such as regular training, vendor risk management (VRM), and integrating cyber risk assessments into their business continuity plans.

This longstanding disparity calls into question the effectiveness of self-attestation programs for the DIB. The DoD currently accepts self-attestations of compliance in its Supplier Performance Risk System (SPRS) for NIST 800-171, CMMC 2.0 Level 1, and (for the small subset of contracts DoD designates for self-assessment rather than C3PAO assessment) CMMC Level 2.

Key findings from the MxD report include:

  • Only 24% of DIB orgs surveyed, and just 2% of DIB SMBs, conduct mandatory quarterly cybersecurity training. NIST 800-171 requires security awareness and role-based training (controls 3.2.1 through 3.2.3) but does not prescribe a quarterly cadence; quarterly training is the benchmark MxD measured against.
  • Only 36% of DIB orgs reported having system security plans (SSPs) that cover all of their critical systems. Because an SSP is required by NIST 800-171 control 3.12.4, and therefore by the DFARS 252.204-7012 clause and CMMC, this suggests the remaining 64% of contractors handling CUI fall short of their contractual obligations.
  • 72% of DIB orgs say they have at least a basic incident response plan. But just 16% have a comprehensive plan, which is essential for firms that handle CUI and other sensitive data.
  • Just 30% of DIB orgs put cybersecurity requirements in their third-party contracts, making supply chain security a major weakness across the DIB.
  • Only 40% of DIB orgs actively monitor updates to cybersecurity regulations (e.g., CMMC 2.0), while 20% do no monitoring at all.
  • 23% of DIB respondents claimed they can detect and contain a cyberattack within hours, a figure that greatly overstates the likely reality: industry breach reports typically measure attacker dwell time in days, weeks, or longer, not hours.

Looking at the root causes of these discrepancies, the MxD data highlights a pervasive lack of commitment to cybersecurity compliance among DIB senior leaders. A key contributory factor is the DoD’s reliance on compliance self-attestation regimes, which provide little incentive to accurately report cybersecurity capabilities or invest in improving them. This is why CMMC’s independent verification program is so important going forward.

What’s next?

As a CMMC Registered Provider Organization (RPO), CBIZ Pivot Point Security stands ready to support DIB SMBs on a successful CMMC certification journey. We adapt our consulting services to fit your unique business requirements, based on our “proven process” and over 20 years’ experience helping our clients become provably secure and compliant.

Contact us today to schedule a conversation with a CMMC expert.