Introduction
We are proud to present the findings of our second annual study exploring the status of defense industrial base (DIB) preparation for CMMC requirements. Momentum, but Slow Movement: The State of DIB CMMC Readiness presents the findings of a recent survey evaluating the current state of the CMMC ecosystem with regard to the DoD’s publication of DFARS 7021, the Title 48 Code of Federal Regulations rule that makes CMMC enforceable as of November 10, 2025.
Research Highlights
The report revealed that CMMC adoption is gaining momentum, but execution is still slow. A few key findings include:
- Thorough preparation makes a significant difference in achieving Level 2 certification. Data confirms that those who started with a strong NIST 800-171 foundation and completed a self-assessment before a formal assessment passed at a higher rate.
- A successful CMMC journey takes time. 68% of respondents report that preparing for CMMC has taken them over a year to date.
- Level 2 “enforcement” is already happening organically. 47% of those surveyed have received flow-down requests from primes.
- Concerns remain with assessment readiness and scheduling. Nearly 37% of those surveyed are not scheduled for a CMMC Level 2 assessment at all or are unsure of their next steps.
Despite the slow movement for some, significantly more organizations are reporting good progress on their CMMC readiness when compared to our first study. Cloud service providers (CSPs) are playing a key role in supporting CMMC compliance, with 67% of respondents already using a CSP or considering using one to minimize their CMMC scope. Training up staff on cybersecurity has increased significantly since last year, indicating that respondents see a need to better educate and prepare their people. The report also highlights what organizations should be aware of when it comes to next steps of CMMC certification and maintaining it once achieved.
Recommendations for Organizations Seeking Certification (OSCs)
With CMMC Level 2 assessments underway since January 2, 2025, and Phase 1 officially in effect as of November 10, 2025, CMMC is no longer a distant goal; it’s a live operational requirement. Defense contractors are now confronting the practical realities of implementation, validation, and sustainment under an enforceable model that leaves little room for assumption or delay. Continuous readiness is the new frontier and can’t be treated as a one-time project.
The question is no longer if CMMC applies, but how fast organizations can adapt. Inaction now can directly impact eligibility and contract opportunities.
“If you want to be in the Defense market now, you have to be CMMC compliant” -Director of Government Business Development, Jamaica Bearings Group
To that end, our CMMC experts offer this guidance:
- The mindset for DoD contractors must shift from “getting certified” to sustaining a continuous state of compliance. This requires a living, repeatable maturity discipline, one that evolves with changing threats, updated guidance, and the ongoing need to maintain complete, defensible evidence.
- A bottleneck in C3PAO assessment scheduling, driven by the limited number of Certified CMMC Assessors (CCAs) and amplified by surging demand with the start of Phase 1, means availability is shrinking just as prime contractors begin flowing down CMMC requirements to their subs. Proactive planning for formal assessment is essential, starting with a current (and accurate) SPRS score, conducting a gap or mock assessment, remediating findings, and securing a formal assessment date well in advance.
- Scoping is key to defining CUI boundaries. The ideal CUI boundary separates corporate IT operations from the CUI enclave, ensuring that only systems, people, and data directly supporting defense work fall within scope. Leveraging FedRAMP-authorized cloud environments helps confine this boundary, and we regularly see that organizations using secure cloud enclaves achieve certification more efficiently.
- For small and midsize contractors, sustainable compliance depends on people. Every organization should appoint a CMMC Champion, ideally a Certified CMMC Professional (CCP) and, where possible, a Certified CMMC Assessor (CCA). This individual acts as the internal bridge between policy, process, and practice, ensuring that controls are both understood and applied consistently.
While CMMC enforcement is an exciting step forward, it’s just the beginning. Over the next four years and beyond, CMMC will continue to expand across the DIB. It’s critical for contractors to stay informed and seek out the proper resources to help them implement, certify, and maintain the requirements that CMMC validates.
Redspin’s team of experts remains committed to guiding DIB companies through every stage of CMMC readiness and certification.
To download the full research findings report, please visit redspin.com/annualreport.
How Redspin Helps
We’ve helped hundreds of organizations prepare for CMMC—and we’re one of the first authorized C3PAOs.
Whether you need a readiness assessment, help fixing gaps, or support during your audit, our team can guide you through the process with zero guesswork.
Don’t wait until the RFP drops—start getting compliant now.