The cybersecurity conversation in 2025 shifted from preparation to execution. The Cybersecurity Maturity Model Certification (CMMC) program is now an enforceable requirement, and defense contractors are trying to keep up.
On Nov. 10, Phase 1 of CMMC implementation began, with contracting officers starting to include compliance requirements in new solicitations. Despite this enforcement milestone, our annual study conducted by Merrill Research revealed a troubling readiness gap. Just 1% of defense contractors reported being fully prepared for CMMC certification, down from 4% the previous year. While 69% claimed DFARS compliance through self-assessment, only 30% completed medium or high assessments that would validate their actual security posture.
CyberSheath achieved CMMC Level 2 certification in April this year, proving our compliance methodology works. We’ve helped companies like DMI, Cutting Edge Communications, Kampi Components Co., and others. We can help you through your compliance journey, too.
Among other milestones in 2025, Emil Sayegh joined as CEO, with founder Eric Noonan transitioning to strategic advisor after more than a decade of leadership.
At CMMC CON 2025 in September, CyberSheath brought together industry experts, government officials, and defense contractors to address the compliance challenges ahead. Rachel Tobac, renowned hacker and CEO of SocialProof Security, delivered the keynote by demonstrating how to defend against the latest hacking methods.
CyberSheath’s cybersecurity expertise continued drawing attention from national media throughout the year. Sayegh and Noonan provided commentary for major outlets on critical cybersecurity issues:
- CNN: Noonan explained the implications of cybersecurity vulnerabilities at X following Elon Musk’s acquisition and subsequent security concerns.
- Fierce Network: When Amazon Web Services experienced a major outage, Sayegh detailed the cascading effects on businesses dependent on cloud infrastructure.
- MeriTalk: Industry leaders, including Sayegh, discussed how the CMMC rollout redefines security accountability across the defense industrial base.
Sayegh also authored multiple columns in Forbes addressing evolving cybersecurity challenges, regulatory developments, and the issues affecting defense contractors. His most recent piece looks ahead to cybersecurity strategies in 2026. Read more on his Forbes contributor page.
As we move into 2026, Phase 2 of CMMC implementation approaches, requiring C3PAO-assessed Level 2 certification for applicable new contracts starting Nov. 10, 2026. Defense contractors must take immediate action. CyberSheath offers comprehensive CMMC managed services to help your organization secure and maintain compliance.
Be prepared for 2026. Learn more about our range of offerings to understand and achieve compliance.