With the deadline fast approaching for defense contractors to meet looming cybersecurity standards under the Pentagon’s finalized Cybersecurity Maturity Model Certification (CMMC) rule, the question remains: Will they be ready? According to recent reports, the answer is no.

The CMMC final rule from the Department of Defense (DOD), which the Trump administration has rebranded as the Department of War, is set to take effect on Nov. 10, launching a phased rollout of mandatory cybersecurity standards across the Defense Industrial Base (DIB).

The rule updates the Defense Federal Acquisition Regulation Supplement (DFARS) and applies to more than 337,000 organizations, including nearly 230,000 small businesses. Under the new mandate, contractors must adopt cybersecurity practices proportional to the sensitivity of the data they handle – from basic protections for Federal Contract Information to stringent controls for Controlled Unclassified Information.

Despite the looming deadline, a new Merrill Research study commissioned by CyberSheath reveals a stark reality: only 1% of defense contractors say they are fully prepared for upcoming CMMC assessments.

The 2025 State of the DIB Report outlines a significant gap between perceived and actual readiness – 69% of contractors claim DFARS compliance, but just 30% have completed the required medium or high assessments that validate their cybersecurity posture.

Equally concerning, only 42% of contractors have submitted their Supplier Performance Risk System (SPRS) scores – a key indicator of cybersecurity readiness.

While not directly associated with CMMC, the SPRS scores a contractor’s adherence to NIST SP 800-171 controls – the foundational framework for CMMC compliance. The report acknowledged that the median score has improved from 20 in 2022 to 60 in 2025, but it still falls far short of the required 110.

Even more troubling, 17% of contractors report negative scores, highlighting widespread gaps in baseline security measures.

The report also revealed that nearly 90% of defense contractors have already suffered financial, reputational, or operational harm from cyber incidents – well before CMMC compliance becomes mandatory.

Despite these impacts, many still lack essential cybersecurity tools: 79% have no vulnerability management solutions, 78% lack patch management, 74% lack data leakage protection, and 73% have yet to implement multi-factor authentication.

But these findings are not isolated.

A separate survey – conducted by Kiteworks – of 461 DIB organizations paints a similarly bleak picture, revealing that nearly half are unprepared for CMMC compliance.

Specifically, the survey found that 44% of respondents lack full end-to-end encryption for sensitive data, and 42% lack visibility into their third-party ecosystems. Moreover, 65% continue to rely on manual compliance management processes, making real-time auditing and continuous monitoring nearly impossible.

With the Nov. 10 deadline fast approaching, defense contractors have little time left to evaluate their cybersecurity maturity and address critical compliance gaps. Failure to meet CMMC requirements won’t just mean audit failure – it could mean exclusion from future DOD contracts.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.