That's a wrap

Takeaways from CMMC CON 2025: Compliance Blueprint

There is no runway left. The Cybersecurity Maturity Model Certification (CMMC) program is a final rule that takes effect Nov. 10, and defense contractors can no longer treat compliance as optional if they want to win future Department of Defense contracts. At CMMC CON 2025, industry experts and defense contractors gathered to address what happens when confidence outpaces actual readiness.

A new Merrill Research study commissioned by CyberSheath reveals that just 1% of defense contractors say they are fully prepared for the upcoming assessments, a share that has actually dipped over the past two years even as CMMC deadlines approached. The 2025 State of the DIB Report also shows that while 69% of contractors claim DFARS compliance on the basis of a self-assessment, only 30% have completed the government-conducted medium or high assessments that would independently validate their security posture. The median SPRS score has improved from 20 in the inaugural 2022 report to 60 this year, but 17% of contractors still report negative scores, far below the maximum score of 110, which corresponds to full implementation of every NIST SP 800-171 requirement.

Eric Noonan, founder of CyberSheath, Casey Lang, VP of Compliance, and Rich Baron, VP of Service Delivery, presented these findings in a session on where contractors struggle most. More than 70% of respondents say achieving and maintaining compliance is “very difficult,” and not a single contractor called it easy. Adoption of supporting tools remains under 40% across the board; IT configuration management (37%), IT asset management (33%) and IT change management (29%) solutions lead the list.

Rachel Tobac, renowned hacker and CEO of SocialProof Security, delivered the keynote, breaking down recent cyber attacks and demonstrating how to defend against the latest hacking methods, including those in which criminals use AI. Her expertise in social engineering defense and her service on the CISA Technical Advisory Council brought a critical perspective on the human vulnerabilities attackers increasingly exploit.

Fernando Machado, managing principal and CISO at Cybersec Investments, offered a live mock assessment showing contractors exactly what happens when CMMC Third-Party Assessment Organizations (C3PAOs) conduct evaluations. As a Lead CMMC Certified Assessor with 15 years of DOD cybersecurity experience, Machado walked through the specific documentation assessors expect and the common mistakes that derail assessments.

The legal dimension took center stage in Michael Gruden’s session. A partner at Crowell & Moring and a former Pentagon and DHS cybersecurity lawyer, Gruden explained how the DOJ’s Civil Cyber-Fraud Initiative has turned self-attestation into a high-stakes legal commitment.

“Many of the cases that we have seen the government bring forth enforcement actions that have resulted in settlements that are publicly disclosed are all contingent upon companies that have misassessed their own compliance,” Gruden said. “And what I mean by that is they have actually completed, at some point in time, an inaccurate assessment of their own compliance and documented that.”

Supply chain compliance demands equal attention. Jeannette Baker, Senior Mission Assurance Engineer at Northrop Grumman, shared how primes help their suppliers prepare, with an approach built around the confusion many small suppliers face.

“I’ve got suppliers who are confused about what CMMC maturity levels are, what the NIST is, and where the CUI fits into all of this,” Baker said. “We all talk acronyms. Well, I’m working with machine shops or cable assembly houses, and this is not part of their language.

“Lots of times, I see suppliers go in and they’ll put in all the hardware. You’re putting in your firewalls, you’re putting in your dual-factor authorization types of things in your systems, but they’re forgetting to document it all.”

With CMMC implementation only weeks away, contractors must act now or lose the ability to compete for DOD work. The sessions at CMMC CON 2025 made clear that compliance requires understanding the legal implications of attestation, supporting the supply chain, and defending against the human vulnerabilities attackers exploit.

CyberSheath offers the expertise and tools necessary to achieve and maintain CMMC compliance efficiently and cost-effectively. Learn more about how CyberSheath can help you prepare for CMMC and strengthen your cybersecurity posture. If you missed the event, watch the recordings of every session from CMMC CON 2025.