A Year in Review + 2026 Trends & Predictions
Redspin's 2025 Wrapped
2025 marked a turning point for CMMC. Enforcement signals intensified, assessments accelerated, and readiness gaps became clearer than ever. This is Redspin’s 2025 Wrapped: the highlights, hard truths, and expert predictions shaping what’s ahead for 2026.
2025 Highlights
What defined the year
2025 was the year CMMC stopped being theoretical.
Redspin supported organizations across the DIB as CMMC moved from preparation to execution with more assessments completed, more readiness gaps exposed, and more urgency across primes and subcontractors alike.
This year we saw:
Assessments officially started
2025 marked the transition from readiness and the JSVA program to formal CMMC Level 2 assessments, moving compliance from theory into execution. As of the most recent Cyber AB statistics, 459 contractors have completed a CMMC Level 2 assessment.
FAR CUI may be signaling what’s next
The proposed FAR CUI rule signals that CUI handling and protection requirements are broadening across federal agencies, pointing toward wider adoption of CMMC-aligned expectations.
48 CFR locked CMMC into contracts
The 48 CFR rule (DFARS 2019) was finalized and went into effect in November, kicking off Phase 1 and formally embedding CMMC into the DoD contracting process. All this happened even as a government shutdown created temporary uncertainty and reinforced the risk of waiting on timelines to stabilize.
Enforcement began organically
Primes moved ahead of formal contract language with subcontractors increasingly reporting requests for CMMC certification, assessment status, and proof of readiness.
“Yes, we are regularly receiving requests and notifications via questionnaires and flow downs from primes.” – Rand Machine Products
From CMMC Connect live Q&A sessions to real-world Level 2 assessments, the same message surfaced again and again: waiting is no longer a strategy.
What contractors learned
The Hard Truths

See the data behind the hard truths.
Download Redspin’s new CMMC Research Report for insights from hundreds of contractors on where readiness stands, and where organizations are getting stuck.
Not every Wrapped moment is celebratory.
In 2025, readiness gaps became clearer and more costly.
Across assessments, advisory engagements, and ecosystem data, a few realities stood out:
- Many organizations overestimate their readiness for Level 2
- Documentation and evidence quality — not tools or CSPs — caused the most failures
- FIPS, cryptography, and cloud configurations remain frequent blind spots
- Assessment bottlenecks are real, and they’re not easing in 2026
The biggest takeaway?
CMMC is no longer about if; it’s about how prepared you are when it matters.
Memorable Moments of the Year
These snapshots capture just some of our favorite moments from 2025. To see what didn’t fit on the page, and what’s coming next, follow Redspin on LinkedIn.
CMMC isn’t a moment. It’s the new baseline.
2025 proved that CMMC is no longer optional for the DIB; it’s expected, measured, and here to stay.
2026 Predictions - Holiday Style
What’s coming next (according to the people in the field)
No crystal ball (or Rob’s Magic 8 Ball), just real-world experience and a little holiday humor.
“With FIPS 140-2 sunsetting 21 Sep 2026, I predict a majority of companies doing business and/or wanting to do business with the government are not adequately prepared. FIPS 140-2 validations will be moved to the Historical List, and new submissions for validation may no longer be accepted by NIST.
This may affect a company’s CMMC validation.”
-Van Tatum
“By 2026, CMMC will become a baseline requirement across most federal contracts.
Organizations that fail to operationalize continuous monitoring and external attack surface management will struggle to maintain eligibility.
Expect automation and AI-driven compliance platforms to dominate the market.”
-Abdu Abdelhaq
“In 2026, Santa’s entire Christmas Eve mission gets cancelled because the DoD classifies the Naughty and Nice list as CUI.
The ruling was clear: no gifts until the workshop achieves a clean 110.
Redspin is already working with Santa to help migrate the list into a secure cloud enclave so Christmas 2027 stays on schedule.”
–Rob Teague
“Several NPTS sub-contractors… didn’t think CMMC was going to become ‘a thing.’ The fact is, cybersecurity has always been a thing.
2026 will be a year of playing ‘catch up’ for many sub-contractors who weren’t prepared for the reality of CMMC.”
-Phil Conrad
“Even with a slow rollout, expect CMMC to shape 2026 contracting. Certified DIBs will want that language in solicitations to box out competitors.
That back-and-forth will drive protests, slow awards, and turn source selection into last-minute mall shopping on Christmas Eve.”
-Jim Reid
“The growth in assessor demand… will only increase with the new rule being finalized. Authorized C3PAOs will have the advantage of hiring the most experienced assessors available right now.”
“Should a CISO be a Businessperson or a Techie? The answer is “Yes”. A CISO who understands the technologies to support CMMC compliance and can articulate the business need… is the ultimate value add to an organization.
This vision promotes top-down organizational buy-in to the CMMC program and is invaluable.”
-Adam Richards
“The number of assessments able to be completed… will entail the OSCs being ready for assessment, and the number of CCAs in the ecosystem.
The effective date signals the L1 start date for enforcement, but the bigger item is to see how many contracts the DoD will include L2 requirements in. The assessor demand is not going to slow down.
Oh yeah, and… CMMC adoption across federal agencies – this is coming.”
-Dr. Thomas Graham
“Bruce Wayne… is unsure if his team has properly prepared for the rigor of a CMMC Level 2 Certification Assessment.
He has the option to complete a mock assessment that will identify the scoring associated with each assessment objective.
In 2026, Wayne Technologies will achieve CMMC Level 2 Certification after addressing the assessment objectives that were identified as ‘Not Met’ in the Mock Assessment.”
-Myles Rohleder
Meet the Minds Behind the Predictions

Van Tatum
CCA

Abdu Abdelhaq
Lead CCA

Rob Teague
Director, Consulting Services, Lead CCA

Phil Conrad
Lead CCA

Jim Reid
CCA

Adam Richards
CCA

Dr. Graham
CISO, CCA, PI, C3PAO Advisory Council Accreditation Committee Chair

Myles Rohleder
CCP
CMMC Wrapped
2025 made one thing clear: CMMC is no longer a future requirement. It’s shaping real decisions, real timelines, and real outcomes across the DIB.
Contractors who moved early gained clarity. Those who waited feel the pressure. And across the ecosystem, expectations became more consistent, more measurable, and harder to ignore.
As 2026 approaches, organizations that succeed will be the ones that:
- Treat CMMC as an ongoing operational program, not a one-time checklist
- Invest early in readiness and maintain defensible, assessment-ready evidence
- Recognize that primes won’t wait for contract language to apply pressure
- Prepare for sustainment, not a single certification event
Redspin’s 2025 Wrapped reflects what we’ve seen across assessments, advisory work, research, and conversations throughout the year: the trends, the challenges, and the progress shaping what comes next.
You’ve seen what changed in 2025.
CMMC is now an operational reality, and CMMC Connect is where contractors get grounded on what to do next.
Thanks for spending your year with us. Here’s to staying ready for what’s next.




