New Redspin Report Finds Lagging Execution Despite Increased CMMC Awareness

Data Shows Thorough Preparation Makes Significant Difference in Achieving Certification at First Formal Assessment

NASHVILLE, Tenn., Nov. 18, 2025 /PRNewswire/ -- Redspin, a division of Clearwater and the leader in Cybersecurity Maturity Model Certification (CMMC) services for the Defense Industrial Base (DIB), today issued Momentum, but Slow Movement: The State of DIB CMMC Readiness, the second annual study exploring where DIB members stand in their CMMC journey. The report evaluates the current CMMC ecosystem with regard to the Department of Defense's (DoD's) publication of the DFARS 7021, title 48 Code of Federal Regulations rule, that recently made CMMC enforceable in defense contracts.

The report finds that CMMC adoption is gaining momentum, but execution is slow. According to Redspin's survey:

• A successful CMMC journey takes time. 68% of respondents report that preparing for CMMC has taken them over a year to date
• Concerns remain with assessment readiness and scheduling. Nearly 37% of respondents are not scheduled for a CMMC assessment at all or are unsure of their next steps
• Preparation has been costly. 26% of respondents report spending between $100,000-$250,000, and 31% report spending more than $250,000, to date
• Level 2 "enforcement" is already happening organically. 47% of those surveyed have received flow-down requests from primes already

Momentum, but Slow Movement: The State of DIB CMMC Readiness helps DIB members assess their CMMC standing against peer organizations and offers insights into helpful practices for those still in the initial CMMC process. Redspin conducted the study in late summer 2025, focusing on feedback from DoD contractor organizations that store, process and/or transmit Controlled Unclassified Information (CUI) and Federal Contract Information (FCI).

Despite the slow movement for some, significantly more organizations than in the 2024 study are reporting good progress on their CMMC readiness:

• Over half of respondents (54%) say their starting point was already having a strong implementation of NIST 800-171 standards and DFARS controls when beginning their CMMC journey
• Cloud service providers (CSPs) are playing a key role in supporting CMMC compliance. Over half (53%) of respondents are already using a CSP to minimize their CMMC scope, with another 14% considering it for the future
• Training up staff on cybersecurity has increased significantly (60%) since last year (37%), indicating that respondents see a need to better educate and prepare their people

The report also highlights what organizations should be aware of when it comes to next steps of CMMC certification. Once certification is achieved, it needs to be sustained.

"November 10th, 2025, marked a major milestone for the defense ecosystem and for CMMC, as the CMMC Phase 1 enforcement is now active," said Brian McManamon, President at Redspin. "We've come a long way, and this achievement represents years of collaboration and a shared commitment to our nation's security. While this is an exciting step forward, it's just the beginning. Over the next four years and beyond, CMMC will continue to expand across the DIB. It's critical for contractors to stay informed and seek out the proper resources to help them implement, certify, and maintain the requirements that CMMC validates."

CMMC has officially moved from policy to practice. Redspin's team of experts remain committed to guiding hundreds of DIB companies through every stage of readiness and certification to protect the nation's critical data and sensitive information. To download Redspin's full report, please visit redspin.com/annualreport

About Redspin

Redspin, a division of leading cybersecurity and compliance company Clearwater, specializes in enhancing the cyber readiness and resilience of federal and Defense Industrial Base (DIB) organizations. As the first Authorized CMMC 3rd Party Assessment Organization (C3PAO), Redspin provides expert guidance to organizations seeking to minimize cyber risks and protect sensitive information.

SOURCE Redspin