The median SPRS score has improved from 20 in 2022’s inaugural report to 60 this year, but 17% of contractors still report negative scores, far below the required 110 benchmark.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCSPRS
The estimated number of defense contractors that require Level 2 certification is 80,000.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMC
78% of defense contractors lack patch management solutions.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCSecurity toolsPatch management
The number of organizations that currently hold final CMMC certificates is 270.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMC
The approximate annual budget contractors are investing in compliance, as budgets have grown, is nearly $50,000.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCInvestmentBudgetsCompliance
42% of contractors have submitted SPRS scores (a fundamental requirement for demonstrating compliance).
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCSPRS
79% of defense contractors lack vulnerability management solutions.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCSecurity toolsVulnerability management
74% of defense contractors lack data leakage protection.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCSecurity toolsData leakage protection
Only 1% of defense contractors report being fully prepared for the upcoming CMMC assessments.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMC
30% of contractors completed medium or high assessments that would validate their actual security posture.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCSecurity posture
73% of defense contractors lack multi-factor authentication (MFA).
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCSecurity toolsMFA
69% of contractors claim DFARS compliance through self-assessment.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025
CMMCDFARS
Nearly 9 in 10 defense contractors have already suffered financial, reputational, or business losses due to cyber incidents.
CyberSheathFrom Readiness to Reality: The 2025 State of the DIB on CMMC Compliance·Oct 1, 2025