By Shrav Mehta, Founder and CEO, Secureframe
Phase 1 of Cybersecurity Maturity Model Certification (CMMC) enforcement officially began on Nov. 10 and is ongoing, yet the vast majority of defense contractors and subcontractors are nowhere near ready.
In fact, only 431 organizations had achieved CMMC Level 2 certification as of October 2025. That’s 0.5% of the roughly 80,000 companies the Department of Defense (Department) estimates will need it. What’s more, a CyberSheath report found that only 1% of DIB organizations feel fully prepared for CMMC assessments. Nearly half haven’t even completed key documentation like a System Security Plan or implemented all NIST 800-171 requirements.
This readiness gap persists despite the lengthy rulemaking process behind the latest version of the CMMC program. CMMC has been coming since 2020. The underlying security requirements have existed even longer, embedded in DFARS 252.204-7012 since 2017. The Defense Industrial Base (DIB) has had years to prepare. So how did we end up here?
The New Reality: No CMMC = No Contracts
Many contractors saw CMMC as theoretical, something that would keep getting delayed or watered down. The government has a history of postponing enforcement, and that pattern created a dangerous sense of complacency across the defense supply chain.
But the 48 CFR rule changed everything. When it was published in the Federal Register on September 10, 2025, it triggered a 60-day countdown. CMMC assessment requirements are now appearing in defense contracts, and contractors without proper certification are finding themselves locked out of new and existing contracts.
The phased rollout means Phase 1 focuses primarily on Level 1 and Level 2 self-assessments, with some Level 2 third-party assessments required at the Department’s discretion. The Department estimates that 99% of entities getting CMMC certified will fall into Levels 1 and 2, with 63% requiring Level 1 and 37% requiring Level 2.
CMMC’s Complexity Problem
Part of the challenge is CMMC’s technical complexity. Compliance professionals who’ve successfully navigated SOC 2 and ISO 27001 certifications say CMMC Level 2 is on another level entirely.
You’re looking at 110 controls and 320 assessment objectives derived from NIST SP 800-171 for CMMC Level 2. The System Security Plan can stretch beyond 150 pages. Evidence collection across multiple systems, continuous monitoring for configuration drift, subcontractor and vendor compliance verification, and scoping add up fast.
Organizations trying to manage this with spreadsheets, consultants, ad-hoc remediation lists, and manual evidence collection can’t scale in time.
The DoD estimates that Level 2 self-assessment requires approximately 150 labor hours, while formal C3PAO certification assessment can require up to 650 hours for assessment activities alone. When factoring in implementation and remediation, the average timeline extends to six to 12 months or more.
Assessor Capacity Can’t Keep Up
There’s another challenge: there aren’t enough certified assessors to handle the volume of organizations that need CMMC certification. Demand already outpaces supply, and that gap is widening as Phase 1 continues.
There are more Organizations Seeking Certification (OSCs) than authorized assessors available. C3PAO waitlists and costs are rising as demand for assessors grows. Primes are urging subcontractors to prepare for CMMC Level 2 certification ahead of contract flowdowns.
The longer you wait, the harder and more expensive it becomes to get on an auditor’s calendar. Organizations that delay will find themselves pushed to the back of the line, risking certification delays that could cost them revenue.
What Defense Contractors Stand to Lose
Organizations that fail to meet CMMC requirements can’t bid on or maintain DoD work. Noncompliance with CMMC Level 2 increases exposure to False Claims Act penalties, with settlements reaching into the millions. Subcontractors risk losing their place in primes’ supply chains, and every contractor handling sensitive defense information represents a potential entry point for adversaries.
Time is running out. Phase 2 arrives November 10, 2026, requiring third-party assessments for all new Level 2 contracts. Full implementation happens by 2028.
The Competitive Advantage
CMMC is more than just a cost of doing business; it’s a national security imperative. The contractors who moved early and achieved certification are already leveraging it as a competitive differentiator.
Getting CMMC certified, particularly at a higher level, can remove barriers to entry to the defense market, primes’ supply chains, and contracts with more sensitive data. Whether you’re a subcontractor handling sensitive unclassified information or a prime bidding on major defense contracts, prioritizing Level 2 (C3PAO) certification now is the best way to prevent bottlenecks or lost business later. Organizations that act now have time to conduct thorough gap assessments, implement the hundreds of controls and assessment objectives properly, develop complete documentation, and secure assessor calendars before capacity bottlenecks worsen. Those who wait will scramble to catch up while competing for limited assessor availability, facing higher costs, and watching contract opportunities vanish.