State of the DIB Report 2025: Only 1% of Contractors Are Ready for CMMC

The Cybersecurity Maturity Model Certification (CMMC) program has advanced to a final rule and will be required of new defense contracts starting in November. The Defense Industrial Base’s era of preparation is over. The time for action has arrived.

But new research shows contractors are nowhere near ready.

According to the State of the DIB Report 2025, conducted by Merrill Research and commissioned by CyberSheath, only 1% of defense contractors feel fully prepared for the assessments that will determine whether they can continue working with the Department of Defense (DOD). Shockingly, this percentage has actually decreased from 8% in 2023 and 4% last year, even though CMMC is closer than ever.

Despite years of lead time, most contractors are still struggling to meet even the most basic requirements:

  • 69% claim DFARS compliance through self-assessment, but only 30% have completed medium or high assessments that would validate their actual security posture.
  • Just 42% have submitted Supplier Performance Risk System (SPRS) scores.
  • The median SPRS score has improved from 20 in 2022 to 60 this year, but that still falls far short of the required 110. Alarmingly, 17% of respondents reported negative scores.
  • Only 27% have deployed multi-factor authentication, 25% have deployed endpoint detection and response solutions, and 21% have deployed vulnerability management solutions.

The study also revealed the cost of inaction, as a whopping 89% of contractors reported suffering reputational, financial, or business losses from cyber incidents. This disconnect between confidence and reality sets the stage for widespread disruption across the DIB.

“The Defense Industrial Base is running out of time,” said Emil Sayegh, CEO of CyberSheath. “Eighty thousand defense contractors need Level 2 certification, yet only 270 of these organizations currently hold final CMMC certificates. The math is simple and alarming. Contractors that aren’t prepared will be locked out of billions in DOD contracts while their competitors who invested in real compliance and cybersecurity capture the business.”

The compliance window is closing, and the consequences of delay are clear. CMMC is no longer a policy discussion — it’s about to be contract law.

Read the full report for complete findings.