In response to concerns raised by industry leaders and lawmakers that Cybersecurity Maturity Model Certification (CMMC) places a heavy burden on contractors and small businesses in particular, DoD officials have expressed their own frustration at the lack of readiness across the defense industrial base (DIB). They argue CMMC merely enforces longstanding contractual cybersecurity standards, and the industry has had years to prepare.
CMMC 2.0 was designed to enforce accountability and close those long-standing gaps. With the final rule published in 2024 and DoD officials confirming CMMC is here to stay, requirements are expected to appear in defense contracts any day now.
How prepared is the DIB to meet these requirements? Let’s take a look at recent reports for answers.
The persistent gap in CMMC readiness
Back in September 2024, one of the first authorized CMMC third-party assessment organizations (C3PAOs) conducted a survey on CMMC readiness across the DIB. The findings were concerning.
According to their report, “Aware but Not Prepared: The State of Defense Industrial Base CMMC Readiness,” the majority of contractors did not feel prepared to comply with CMMC 2.0 requirements. More than half (58%) of respondents said they didn’t feel ready for the final rule, with 13% saying they had not taken any steps to prepare to date.
The top challenges to CMMC readiness cited were cost and confusion or inadequate information about CMMC. However, the report showed awareness of CMMC 2.0 was high, with 81% reporting they were very familiar and 17% reporting they were somewhat familiar with CMMC.
While this indicates organizations knew the “what” and “why” of CMMC compliance, the lack of readiness indicates they were less clear on the “how.”
The report also revealed gaps in security measures that were mandated well before CMMC 2.0. For example, having a system security plan (SSP) has been a DFARS 252.204-7012 requirement for contractors handling controlled unclassified information (CUI) since the end of 2017, yet under half (47%) said they had finalized their SSP.
Three months after this survey was conducted, the CMMC final rule did go into effect. Did readiness improve after this effective date?
CMMC readiness isn’t where it should be in 2025
New research based on a survey conducted immediately after the publication of the 32 CFR final rule has found that readiness gaps persist in 2025. A recent report, CMMC 2.0 Preparedness in the DIB, found only 46% of DIB contractors are prepared for Level 2 certification, despite the compliance deadline looming. And 57% have yet to even complete a gap analysis against NIST SP 800-171 requirements.
The report highlights other concerning gaps, including:
- Only 44% of contractors have implemented continuous monitoring for in-scope systems.
- Less than 53% have fully implemented required access control measures across relevant systems.
- Over 30% lack advanced third-party access controls, putting CUI at risk from supply chain vulnerabilities.
- More than 30% still do not enforce multi-factor authentication (MFA) across all systems processing or storing sensitive data.
These figures suggest that, while some contractors have made strides since the fall of 2024, a significant portion of the DIB is still lagging in critical cybersecurity areas.
Five steps to accelerate CMMC readiness
For contractors that are lagging behind in their CMMC readiness journey, it’s not too late to act. Here are five key steps to help close readiness gaps and prepare for CMMC certification:
1. Conduct a gap assessment against CMMC requirements
The report found organizations with completed gap analyses were significantly more likely to be prepared for compliance:
- 77% had documented encryption standards compared to 42% of those that have not started gap analyses.
- 73% had fully documented cybersecurity policies compared to 28% of those not started.
Because of this correlation between gap analysis completion and readiness, the first step should be conducting a formal gap analysis to understand how your current security posture maps to CMMC requirements. A comprehensive assessment helps identify gaps in policies, procedures, and practices and prioritize what needs to be addressed first.
While you can perform a gap assessment manually, this approach involves lots of spreadsheets and documents, status meetings, audits, and regular updates from each team responsible for different areas of remediation. This can be challenging to maintain over the long term without dedicated resources, expertise, and technology. Automation can significantly simplify and accelerate this process.
2. Develop an SSP
Just like conducting a gap analysis, developing your SSP early in the readiness process can help provide a roadmap to certification. It forces you to take a detailed inventory of your information systems, clearly define system boundaries, and document how each applicable control is being met (or not met). By highlighting what’s already in place and what still needs to be addressed, this exercise provides visibility into your security posture and gives structure to your compliance efforts.
Without an SSP, it’s nearly impossible to evaluate readiness or prioritize remediation. It details how your organization implements security requirements and helps assessors understand your environment, policies, and control implementation. Given the accelerating timeline for CMMC 2.0, organizations should treat the SSP as a critical early deliverable that can frame their entire compliance journey.
3. Engage a CMMC expert
Navigating CMMC requirements, documentation, and audit prep can be overwhelming without support. Bringing in a virtual chief information security officer (vCISO), a CMMC registered practitioner organization (RPO), or an experienced consultant can simplify the process and accelerate your readiness.
Notably, organizations managing compliance in-house were far more likely to cite technical complexity (47%) and difficulty understanding requirements (34%) as major challenges, compared to just 31% and 10% respectively among all organizations surveyed. This gap suggests external experts significantly reduce the perceived complexity of CMMC readiness.
4. Turn to automation
For many defense contractors, the biggest barrier to CMMC 2.0 readiness isn’t intent; it’s bandwidth. Between already-strained teams and tight budgets, the idea of devoting hundreds of hours to manual prep work can feel impossible. It’s no wonder cost and time consistently top the list of challenges in CMMC surveys.
It’s true that manual preparation for a CMMC assessment can take potentially hundreds of hours and thousands of dollars. Automating key parts of the compliance process, such as evidence collection, policy management, and continuous monitoring, can reduce costs and resource constraints by eliminating much of the manual work involved in preparing for and maintaining certification.
A compliance automation platform that supports all levels of CMMC can not only significantly reduce the time, effort, and cost required for compliance, it can also improve accuracy and consistency and strengthen your overall security posture.
5. Implement continuous monitoring capabilities
Less than half (44%) of contractors have implemented continuous monitoring for in-scope systems, yet this is an important step to complete early in the readiness process.
CMMC isn’t just about implementing controls; it’s about maintaining them over time. Continuous monitoring is essential for demonstrating that required controls are in place and operating effectively.
Automated tools that alert you to control failures, misconfigurations, or anomalous behavior are essential for proactively identifying and remediating any issues that may affect your compliance status or adherence to contractual obligations.
The urgency behind CMMC readiness
While the DIB has made progress since 2024, far too many contractors are still unprepared for CMMC 2.0. With requirements expected in defense contracts this year, compliance isn’t optional. It’s a strategic imperative for winning defense contracts or work with organizations supporting the DIB.
Contractors that take decisive steps today by investing in gap assessments, continuous monitoring, expert guidance, and automation will not only meet applicable CMMC requirements but also strengthen their security posture and competitiveness in the DIB for the long term.