Introduction
The much-anticipated "Momentum, but Slow Movement: The State of DIB CMMC Readiness" report was recently released by Redspin, a prominent division of Clearwater and a leader in Cybersecurity Maturity Model Certification (CMMC) services tailored for the Defense Industrial Base (DIB). The report delivers a critical analysis of the current readiness status of DIB organizations as they engage with CMMC, particularly following the Department of Defense’s (DoD) enactment of the DFARS 7021 rule, which solidifies CMMC's enforceability in defense contracts.
Key Findings
Redspin's findings suggest that while awareness regarding CMMC is escalating, execution remains sluggish. Approximately 68% of organizations surveyed revealed that preparing for CMMC compliance has taken them over a year, indicating the extensive timeline associated with achieving readiness. Even more concerning is that 37% of respondents either lack a scheduled assessment or are unsure about their next steps, which exacerbates concerns regarding overall readiness.
Financially, preparing for CMMC has proven burdensome for many organizations. A striking 26% reported expenditures between $100,000 and $250,000, while 31% indicated spending exceeding $250,000 at this stage. Despite these investments, many organizations seem to be faltering in their assessment preparations, which may lead to significant delays in certification.
Interestingly, the report highlights that Level 2 enforcement has begun organically across the DIB. Nearly 47% of participants reported receiving flow-down requests from primary contractors, signaling a notable step toward compliance pressures.
Positive Trends
On a positive note, the report indicates that there is a larger number of organizations making observable strides in their CMMC preparations compared to the previous year. Over 54% of the surveyed organizations began their CMMC journey with an existing solid foundation in implementing NIST 800-171 standards and DFARS controls. This solid baseline is crucial as it effectively reduces the workload and complexity of achieving CMMC compliance.
The participation of Cloud Service Providers (CSPs) is also noteworthy. More than 53% of respondents are currently utilizing a CSP to help narrow their CMMC compliance scope, with an additional 14% considering similar partnerships in the near future.
Moreover, the growth in cybersecurity training for staff illustrates a shift in organizational priorities. An impressive 60% of respondents affirmed an increase in cybersecurity training efforts compared to 37% the previous year, underscoring the importance of equipping personnel with the competencies needed to handle compliance requirements.
Challenges Ahead
Despite the evident progress, organizations must maintain momentum in their CMMC journey. Upon achieving certification, sustaining compliance will be critical. Brian McManamon, President of Redspin, expressed, “November 10th, 2025, marked a significant milestone for the defense ecosystem and for CMMC, as Phase 1 enforcement has become active. While we have made substantial progress, this moment only represents the beginning of an extensive journey ahead for the DIB.”
The importance of staying updated and informed regarding CMMC changes cannot be overstated. Organizations are encouraged to leverage available resources to facilitate proper implementation and maintenance of their cybersecurity measures to protect sensitive information.
Conclusion
As the landscape of CMMC continues to evolve, Redspin remains dedicated to guiding countless DIB firms through each phase of readiness and certification, protecting critical data and sensitive information vital to national security. Organizations seeking to benchmark their preparedness against industry peers, and to access useful practices for the CMMC process, can download the full report at redspin.com/annualreport. The path to compliance is challenging, but with the correct support and proactive steps, DIB organizations can successfully navigate these complexities.