Report by CyberSheath
From Readiness to Reality: The 2025 State of the DIB on CMMC Compliance
Key Findings
The median SPRS score has improved from 20 in 2022’s inaugural report to 60 this year, but 17% of contractors still report negative scores, far below the required 110 benchmark.
An estimated 80,000 defense contractors require Level 2 certification.
78% of defense contractors lack patch management solutions.
270 organizations currently hold final CMMC certificates.
As budgets have grown, the approximate annual budget contractors invest in compliance is nearly $50,000.
42% of contractors have submitted SPRS scores (a fundamental requirement for demonstrating compliance).
79% of defense contractors lack vulnerability management solutions.
74% of defense contractors lack data leakage protection.
Only 1% of defense contractors report being fully prepared for the upcoming CMMC assessments.
30% of contractors completed medium or high assessments that would validate their actual security posture.
73% of defense contractors lack multi-factor authentication (MFA).
69% of contractors claim DFARS compliance through self-assessment.
Nearly 9 in 10 defense contractors have already suffered financial, reputational, or business losses due to cyber incidents.