Research Shows 58 Percent of Defense Supply Chain Members Feel Unprepared for CMMC
Nashville, TN (January 28, 2025) – Redspin, a division of Clearwater and the leader in Cybersecurity Maturity Model Certification (CMMC) services for the Defense Industrial Base (DIB), today issued its inaugural report, “Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness.” The report measures the attitudes, experiences, and preparedness of defense supply chain members in handling CMMC’s requirements, which were finalized with the completion of rulemaking in October 2024 and the initiation of enforcement last month.
Redspin conducted the study in the fall of 2024, focusing on members of the defense supply chain known as organizations seeking certification (OSCs). This includes prime contractors, subcontractors, dual-role companies acting as both primes and subs, and External Service Providers (ESPs) to those organizations. “Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness” provides first-hand insights from cybersecurity and technical senior leaders in companies selling to the US Department of Defense (DoD).
The report finds that there is still a significant CMMC readiness gap despite CMMC’s almost five-year scoping and rulemaking process. According to Redspin’s survey:
- 58% of respondents feel they are not ready for a rule that is now final
- 13% of respondents have not taken any preparatory action at all
- 35% of respondents either don’t know what they have spent to date on preparing for CMMC or say they have invested nothing or less than 1% of their budgets
Despite challenges, some organizations are reporting positive forward momentum in their CMMC readiness journey:
- Over 50% of respondents indicated that they worked with an ESP, underscoring the value in third-party partnerships
- 75% of respondents have a CMMC-required System Security Plan (SSP) in place or in process. An SSP encapsulates ‘the what’ of their needed cyber defenses
The study offers insights on additional topics such as supply chain security, the perceived value of CMMC compliance, plans for maintaining CMMC certification, and more.
“After several years in development and with the entire defense industrial base watching, there have been a lot of disparate opinions on CMMC,” said Brian McManamon, President at Redspin. “With the final rule coming into effect this past December, we’ve come to a critical step within the CMMC journey. This report indicates to the ecosystem that there are concerns related to the level of CMMC readiness. As organizations prepare for what’s ahead, it’s crucial for companies and security leaders to evaluate what steps they need to take to become compliant. OSCs must promptly attain their certification to show they are meeting all of the requirements validated by CMMC in order to safeguard our nation’s sensitive data.”
Redspin’s team of experts provides end-to-end support, from assessment preparation and training to managed cloud services, certification, and beyond, ensuring OSCs are fully prepared to meet CMMC’s requirements. Redspin’s report supplies clear evidence that the support of service provider organizations is seen as a valuable tool in not only establishing but maintaining CMMC certification. To view Redspin’s full report, please visit https://redspin.com/aware-but-not-prepared-cmmc-research-report/.
About Redspin
Redspin, a division of leading cybersecurity and compliance company Clearwater, specializes in enhancing the cyber readiness and resilience of federal and Defense Industrial Base (DIB) organizations. As the first Authorized CMMC 3rd Party Assessment Organization (C3PAO), Redspin provides expert guidance to organizations seeking to minimize cyber risks and protect sensitive information. To learn more, visit www.redspin.com.
For more information or press inquiries, please contact: