
One week into the Pentagon’s effort to move its cybersecurity compliance program from policy to practice, adoption of the Cybersecurity Maturity Model Certification (CMMC) program is gaining momentum, but execution remains slow, according to a new industry survey.
Redspin’s report, “Momentum, but Slow Movement: The State of DIB CMMC Readiness,” is based on a survey conducted in late summer 2025. It offers insights to help Defense Industrial Base (DIB) contractors assess their CMMC posture against that of their peers. Its release comes as the Defense Department – rebranded as the War Department by the Trump administration – began the phased rollout of the long-awaited program on Nov. 10.
The CMMC framework establishes three tiers of cybersecurity requirements tied to the sensitivity of the data contractors handle. The department plans to implement it in four phases over three years.
While awareness and investment in CMMC are growing, the report finds many contractors, particularly small and micro-sized firms, are still far from ready. More than half of the respondents said preparation has taken more than a year. For companies without a strong cybersecurity foundation aligned with the 110 controls from NIST SP 800-171 Revision 2, the process is even slower, with more than a quarter still evaluating or adjusting their approach.
A central element of CMMC compliance is the assessment process. According to the DOD rollout plan, level two certifications, which require a third-party assessment, become mandatory starting Nov. 10, 2026. Level one self-assessments are required during this year’s phase one rollout.
Only 28.7% of organizations have completed a formal assessment with a certified assessor, but nearly all who did (93.8%) passed. Another third have assessments scheduled through 2026, while more than one-third have not scheduled at all, raising concerns given limited assessor availability.
Self-assessments are now gaining traction, with nearly two-thirds of respondents identifying them as their primary new compliance tactic. A majority have completed one, though more than a third have not, despite the annual requirement.
Costs of compliance remain a top concern. Roughly 26% of respondents have spent between $100,000 and $250,000, while 31% report spending more than $250,000. Larger organizations face the highest expenses, often tied to deeper initial implementation of security controls.
Despite pockets of slow movement, the second-round survey shows stronger overall progress on CMMC readiness compared with the 2024 report.
Over half of respondents said they began their journey with a solid foundation in NIST 800-171 and DFARS controls. Cloud service providers are increasingly used to reduce CMMC scope, with 53% already adopting them and 14% considering them. Investment in staff cybersecurity training has also grown, rising to 60% from 37% last year.
“We’ve come a long way, and this achievement represents years of collaboration and a shared commitment to our nation’s security. While this is an exciting step forward, it’s just the beginning,” said Brian McManamon, president of Redspin, in a press release.
“Over the next four years and beyond, CMMC will continue to expand across the DIB,” McManamon said. “It’s critical for contractors to stay informed and seek out the proper resources to help them implement, certify, and maintain the requirements that CMMC validates.”