New Study Reveals Only 1% of Defense Contractors Fully Ready for Imminent CMMC Deadline

Fourth annual report exposes critical compliance gap as CMMC enforcement nears

RESTON, Va.--(BUSINESS WIRE)--With the Cybersecurity Maturity Model Certification (CMMC) final rule set to take effect Nov. 10, a new Merrill Research study commissioned by CyberSheath reveals that just 1% of defense contractors say they are fully prepared for the upcoming assessments. The percentage dipped over the past two years despite CMMC deadlines approaching and signals a dangerous disconnect between contractor confidence and actual preparedness across the Defense Industrial Base (DIB).

The 2025 State of the DIB Report shows that while 69% of contractors claim DFARS compliance through self-assessment, only 30% have completed medium or high assessments that would validate their actual security posture. Adding to the concern, just 42% have submitted SPRS scores — a fundamental requirement for demonstrating compliance. The median SPRS score has improved from 20 in 2022’s inaugural report to 60 this year, but 17% of contractors still report negative scores, far below the required 110 benchmark.

“The Defense Industrial Base is running out of time,” said Emil Sayegh, CEO of CyberSheath. “Eighty thousand defense contractors need Level 2 certification, yet only 270 of these organizations currently hold final CMMC certificates. The math is simple and alarming. Contractors that aren’t prepared will be locked out of billions in DOD contracts while their competitors who invested in real compliance and cybersecurity capture the business.”

“Our fourth wave of research shows that while awareness of CMMC has never been higher, true readiness remains alarmingly low,” said Dr. David M. Schneer, CEO of Merrill Research. “Interestingly, contractors are investing more as budgets have grown to nearly $50,000 annually, and SPRS scores are improving, but fundamental gaps persist. Without validated compliance, thousands of companies risk losing defense contracts and exposing the supply chain to continued cyber threats.”

The study’s most terrifying finding is that nearly 9 in 10 defense contractors have already suffered financial, reputational, or business losses due to cyber incidents, underscoring the urgent need for compliance and stronger cybersecurity across the DIB. Many critical solutions are under-deployed, including:

  • 79% lack vulnerability management solutions
  • 78% lack patch management solutions
  • 74% lack data leakage protection
  • 73% lack multi-factor authentication

Read the full report for complete results and register for a webinar on Oct. 29, 2025, at 12:00 p.m. ET, where we will dive deeper into the report findings.

About CyberSheath

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients' information security and regulatory compliance needs. Learn more at www.cybersheath.com.

Contacts

CyberSheath
Kristen Morales
Kristen.Morales@cybersheath.com

Lexie Capperella
Gregory FCA for CyberSheath
cybersheath@gregoryfca.com
