Report finds large gap in CMMC readiness among defense industrial base

A survey conducted by Redspin found that over half of respondents did not feel prepared for CMMC's requirements, which will go into effect by mid-2025.

Despite having years to get ready, a majority of defense contractors still feel unprepared to implement necessary protocols required by the Pentagon’s Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) initiative, according to a new report.

The final rule for the revamped CMMC 2.0 program went into effect in December, meaning defense contractors working with controlled unclassified information (CUI) or federal contract information (FCI) must meet one of three levels of CMMC compliance depending on the sensitivity of the information they handle. After nearly five years of high-profile and oftentimes controversial scoping and rulemaking efforts, the Pentagon plans to implement the new cybersecurity requirements for contractors by mid-2025.

However, a report published Tuesday by Redspin — an authorized CMMC third-party assessment organization (C3PAO) — found there is a significant gap in readiness for CMMC 2.0 requirements across the defense industrial base. The assessment is based on a survey conducted in September 2024 that received 107 responses from a range of military contractors.

“The largest share (42%) of respondents feel Moderately Prepared, and 16% still have a long way to go by being Slightly Prepared or Not at All Prepared. This means that 58% of respondents are not ready for a rule that is now final and effective,” according to the report, titled “Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness.”

Furthermore, 13 percent of participants indicated they haven’t taken any preparatory action to meet CMMC compliance. The report highlighted that as a “critical concern” given companies have been mandated to maintain a Supplier Performance Risk System self-assessment score since 2020, “meaning those companies are significantly behind and at risk of non-compliance and not properly safeguarding their CUI.”

While the statistic is alarming, Redspin Vice President and Chief Information Security Officer Thomas Graham told DefenseScoop that the lack of action isn’t surprising considering the CMMC program’s contentious history, and that companies should not feel like they’re alone if they are unprepared.

“Since CMMC started, you’ve had a lot of misnomers, you’ve had a lot of rumors, you’ve even had a lot of naysayers. And they are even now saying this is never going to happen,” Graham said Monday during an interview. “The reality is, it is a formal program. It’s not your implementation — your implementation has been in place for a number of years now. All CMMC is doing is just verifying that implementation.”

Graham also noted that so many contractors could be feeling unprepared because they’ve just been waiting to see if the program would actually happen.

CMMC was first conceived in 2019 as a way to protect contractor information from being exploited by adversaries by putting these types of cybersecurity requirements for the defense industrial base into federal regulations, with Pentagon leadership arguing that companies should already have those protocols in place simply because they’re working with the department. 

However, the program received pushback from others who argued CMMC would be too difficult to follow. The Defense Department later pared down the program’s scope and contractor expectations in 2021, unveiling a three-tiered framework now known as CMMC 2.0.

The new model allows contractors working with less sensitive information to conduct self-assessments of their cybersecurity compliance. Contractors handling more sensitive information must have their posture validated by either third-party assessors or the Defense Industrial Base Cybersecurity Assessment Center.

A key criticism of CMMC has been that the requirements would penalize small businesses that can’t afford to comply with them, but Redspin’s survey found that concern isn’t exclusive to smaller companies and subcontractors. According to the report, 52 percent of respondents who indicated cost as a top preparation challenge were prime contractors and dual-role companies.

Graham said the concern was likely caused by inaccurate information released about CMMC over the years, as well as misunderstandings about what the program is trying to accomplish.

“Larger organizations that I’ve talked with, a lot of times there’s a separation between the decision makers and the folks that are actually implementing this stuff,” he said. “And when you break it down to them, then the light bulbs start coming on and they’re like, ‘Oh my god, I never realized we were supposed to be doing this stuff for years.’ Then it becomes a different conversation.”

Despite the readiness gap, Redspin’s survey did show that three-fourths of respondents have already or are in the process of establishing a required system security plan (SSP), which outlines the cyber defenses needed to protect sensitive information.

Over half of the respondents also indicated that they were working with an external service provider (ESP) to reach CMMC certification, underscoring the role third-party organizations play, and will continue to play, in maintaining compliance, according to the report.

That means moving forward, ESPs must also ensure their own cybersecurity protocols meet requirements, Graham emphasized.

“ESPs have got to understand they’re going to be part of this, that they are being given access to information that is not theirs — much like the contractors are being given access to information that is not theirs, either,” he said. “With working with these organizations, there’s going to be certain requirements that they are going to have to provide to the [organizations seeking assessment] so now they can get through their own assessment.”

Written by Mikayla Easley

Mikayla Easley reports on the Pentagon’s acquisition and use of emerging technologies. Prior to joining DefenseScoop, she covered national security and the defense industry for National Defense Magazine. She received a BA in Russian language and literature from the University of Michigan and a MA in journalism from the University of Missouri. You can follow her on Twitter @MikaylaEasley