Study shows only 4% of defense contractors ready for Pentagon’s new cybersecurity mandate

Independent study shows that while few say they are ready, 75% of contractors claim compliance via self-assessment

https://cybersheath.com/

With the long-anticipated Cybersecurity Maturity Model Certification (CMMC) program imminently publishing to the Federal Register, a study conducted by Merrill Research and commissioned by CyberSheath reveals a startling reality: Just 4% of defense contractors are fully prepared for certification.

With CMMC finalized five years after it was first introduced, contractors across the Defense Industrial Base (DIB) now face an urgent compliance challenge that could jeopardize their ability to secure future Department of Defense (DOD) contracts.

The third annual report, Defense on the Brink, shows that despite the looming certification requirement and an increasing number of cyberattacks, most contractors remain unprepared. The average Supplier Performance Risk System (SPRS) score among respondents is a dismal -12, far below the 110 score needed to meet CMMC standards.

“This is a watershed moment for the defense industry,” says Eric Noonan, CEO of CyberSheath. “The posting of CMMC to the Federal Register means the enforcement is here, and defense contractors need to be compliant to win new contracts with the DOD. Years of independent research and contractor self-reporting show that most defense contractors don’t even have basic cybersecurity controls implemented. With noncompliance now a threat to the bottom line, I expect that to change quickly.”

CMMC is set for enforcement in early 2025, leaving little time for contractors to meet compliance requirements. The report found only 15% of respondents had deployed patch management solutions, 21% had adopted multi-factor authentication (MFA), and 27% had adopted endpoint detection and response (EDR) solutions — all of which are required by CMMC. Highlighting the disconnect between reality and belief, 75% of respondents claimed to be compliant via a self-assessment.

The report also shows a shift in priorities and where contractors draw the line when it comes to potential foreign threats. Some 56% of respondents deny the use of China-based SMIC, up from only 26% in the 2023 report, and 41% of respondents deny Huawei, a slight increase from 40% last year. However, only 19% of respondents deny TikTok, which is fighting a lawsuit from the Department of Justice, down from 24% in 2023.

For complete results, read the full report.