The Most Common CMMC Readiness Gaps We See Across the Defense Industrial Base
Executive Brief
Most defense contractors know Cybersecurity Maturity Model Certification (CMMC) is coming. Fewer are as ready as they think.
- ISI analyzed responses from 100+ defense contractor self-assessments to find out where organizations are actually falling short on CMMC readiness.
- The results reveal a consistent pattern: the gaps showing up most often are not obscure technical controls, but foundational requirements that block certification entirely and cannot be deferred on a Plan of Action and Milestones (POA&M).
- According to our findings, only 9% of contractors said they meet all foundational CMMC requirements.
- With Phase 2 enforcement beginning November 10, 2026, the contractors who identify and close these gaps now will have a meaningful competitive advantage.
- Contractors who wait will face a shrinking window of Certified Third-Party Assessment Organization (C3PAO) availability and compounding remediation costs.
Dig deeper below to learn more.
Why This Matters Now
CMMC enforcement is no longer theoretical. The Title 48 CFR acquisition rule, which puts CMMC requirements into DoD contracts through the DFARS, took effect November 10, 2025. Phase 2, which adds Level 2 C3PAO certification requirements to contracts involving Controlled Unclassified Information (CUI), begins November 10, 2026.
Most organizations need 6 to 18 months to prepare for a Level 2 assessment. That includes scoping, gap assessment, remediation, documentation, and C3PAO scheduling. Roughly 100 authorized C3PAOs currently serve an estimated 118,000 organizations that need Level 2 certification, and many are already booked through the end of 2026.
The gaps outlined below are not edge cases. They are the most common gaps we see across the Defense Industrial Base (DIB). If your organization has not specifically checked for them, now is the time.
Gap 1: Skipping the Internal SPRS Assessment
44% of contractors who filled out our CMMC Readiness Signal said they have not completed an internal Supplier Performance Risk System (SPRS) self-assessment.
A current self-assessment score posted to SPRS is a required step on the path to CMMC Level 2 certification (DFARS 252.204-7019 requires a score no more than three years old). It is also already visible to primes and to Department of Defense (DoD, also styled the Department of War) procurement officials. A low score, or a score you cannot substantiate with documentation and evidence, signals elevated risk before you ever reach a formal assessment, and it affects teaming decisions and subcontract awards.
Many organizations fall into one of three states: they have not completed a self-assessment against National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2 at all; they have completed one but have not submitted the score to SPRS; or they have submitted a score that no longer reflects their actual posture.
All three create risk. An accurate, documented, and submitted SPRS score is not optional. It is a prerequisite to pursuing formal certification. For a deeper look at how SPRS scoring works and what your score signals to the market, see our guide to understanding SPRS scores.
Gap 2: Assuming Cloud Vendor Compliance Without Verifying It
Our findings showed that 42% of contractors have not confirmed the Federal Risk and Authorization Management Program (FedRAMP) authorization status of their cloud vendors.
Most organizations rely on cloud platforms such as Microsoft 365 and cloud-hosted Enterprise Resource Planning (ERP) systems to run their operations. Fewer have verified whether the specific offerings they use are FedRAMP Moderate authorized (or meet DoD's equivalency criteria), and fewer still have documented which security requirements are inherited from the provider versus which the contractor must implement directly. Authorization is granted per cloud service offering, not per vendor, so the commercial tier of a product may be unauthorized while a government tier of the same product is authorized; check the offering and tenant type you actually use.
Assumed compliance does not satisfy assessors. Using cloud services that store, process, or transmit CUI without confirmed FedRAMP authorization (or equivalency) introduces hidden CMMC risk and can delay certification or force unplanned remediation at the worst possible time.
Before your assessment, confirm the FedRAMP authorization status of every cloud service in your CUI environment, obtain each provider's customer responsibility matrix, and document the resulting shared responsibility matrix clearly in your System Security Plan (SSP).
Gap 3: Having an Incident Response Plan That Has Never Been Tested
The data shows that 38% of contractors do not have a tested incident response plan.
Creating an incident response plan and testing it on a documented cadence are both required: NIST SP 800-171 Rev. 2 requirement 3.6.3 is to test the organizational incident response capability, so a plan that exists only on paper leaves that requirement unmet rather than partially met. It is also cheap to close relative to most gaps, so resolve it before assessors arrive rather than afterwards.
This is also one of the more straightforward gaps to close. Scheduling a tabletop exercise and documenting the results creates traceable evidence that directly supports your assessment. Organizations that check this box early remove one of the most common reasons for assessment delays.
These are just a few of the patterns that emerged from our research. For the full breakdown of where defense contractors are falling short on CMMC readiness, download our Inside the CMMC Readiness Gap report.
What to Do Now
If any of the gaps above sound familiar, the time to act is before an assessment is on the calendar, not after.
Start here:
- Confirm your SPRS score is complete, accurate, and submitted
- Verify FedRAMP authorization status for every cloud vendor in your CUI environment
- Schedule and document a tabletop exercise for your incident response plan
- Begin C3PAO conversations 9 to 12 months before your target certification date
The contractors moving now are not reacting to deadlines. They are creating a competitive advantage over peers who are still waiting for a requirement to show up in a solicitation.
For the full data and a deeper look at where the DIB is falling short, download our Inside the CMMC Readiness Gap report.
FAQs
Are these the only gaps that can block CMMC Level 2 certification?
No. These are the most common gaps identified across 100+ contractor self-assessments. CMMC Level 2 requires implementation of all 110 NIST SP 800-171 Rev. 2 security requirements, assessed against the 320 assessment objectives in NIST SP 800-171A. Any unmet requirement that cannot be placed on a POA&M blocks certification, and any requirement that can be placed on one still has to be closed within the POA&M window.
Can I use a POA&M to defer these gaps?
Not for most of them. POA&Ms are tightly constrained under CMMC Level 2: they are only permitted for certain 1-point requirements, the assessment must still score at least 88 of 110, and every POA&M item must be closed and verified within 180 days or the conditional certification lapses. Several foundational items, including your SSP and key CUI boundary controls, cannot be deferred at all. For a full breakdown of what can and cannot go on a POA&M, see our guide to CMMC POA&Ms.
How long does it realistically take to close these gaps?
It depends on your current posture, but most organizations need 6 to 18 months to complete scoping, remediation, documentation, and assessor scheduling. Some individual gaps, like scheduling an incident response tabletop, can be closed quickly. Others, like establishing continuous monitoring or replacing a cloud service that lacks FedRAMP authorization, take longer and carry downstream documentation requirements in the SSP.
What if my organization thinks it is already in good shape?
That is exactly when this list is most useful. The gaps showing up most often in our data are the ones organizations tend to overlook because they assume a control is handled when it is not fully documented or tested. If you have not specifically verified each of these areas, it is worth checking before an assessor does.