Defense and Munitions Online Exclusive: CMMC 2.0 is here, the Defense Industrial Base isn’t ready

Kiteworks' chief information security officer explains why, if your organization is still treating CMMC as a compliance exercise, you're already behind.


The debate is over. CMMC 2.0 is no longer a future requirement; it is the price of admission to the defense market. Contractors who can demonstrate compliance are winning work. Those who can't are watching contracts go to competitors who can. Across the Defense Industrial Base (DIB), CMMC certification has become the dividing line between companies that keep growing their defense portfolios and companies that are shut out entirely. If your organization is still treating CMMC as a compliance exercise you'll get to eventually, you're already behind.

The scale of that problem is staggering. Kiteworks' 2026 Data Security and Compliance Risk Forecast Report, which surveyed 225 security, IT, and risk leaders across 10 industries and eight global regions, paints a sobering picture. Just 36% of organizations know where their sensitive data is being processed, which is the foundational prerequisite for any CMMC assessment: an assessment begins by scoping the systems that store, process, or transmit controlled unclassified information (CUI), and you cannot scope what you cannot locate. And 61% cannot consistently enforce data tagging policies, meaning they lack the classification discipline that protecting CUI demands. These are not outliers. This is the norm across the DIB, and it explains why so many contractors are finding themselves on the wrong side of the compliance divide.

Frank Balonis, chief information security officer and senior VP of operations and support at Kiteworks

This isn’t a framework anymore, it’s contract law
What makes CMMC different from every previous cybersecurity mandate is that it functions as contract law. When CMMC requirements appear in a DOD solicitation, and they now appear routinely, compliance isn't a best practice. It's a binding legal obligation. CMMC 2.0 makes the obligation personal: a senior company official must affirm continuing compliance in the Supplier Performance Risk System (SPRS) at each assessment and annually thereafter. Contractors who affirm compliance without meeting the underlying controls risk more than losing a contract. They risk civil liability under the False Claims Act, a tool the DOJ's Civil Cyber-Fraud Initiative has been actively wielding against contractors that misrepresent their cybersecurity posture.

That reality has redrawn the competitive landscape. CMMC compliance isn't a cost center. It's a revenue preservation strategy. Companies that cannot demonstrate compliance are being locked out of the defense market. A two-tier DIB has formed: firms that have invested in meeting the 110 security requirements of NIST SP 800-171 (the basis for CMMC Level 2) are capturing market share, while those still relying on paper-based self-assessments are losing it.

Assessment bottleneck
Even contractors who recognize the urgency face a logistical problem. Tens of thousands of contractors need Level 2 third-party assessments from authorized CMMC Third-Party Assessment Organizations (C3PAOs), but the pool of qualified assessors still numbers in the low hundreds. The queue is real, and it's long. Contractors who haven't already secured assessment slots may find themselves waiting months, during which contracts are being awarded to competitors who can prove compliance today.

The supply chain dimension makes this harder still. The Kiteworks report found 89% of organizations have never run a joint incident response exercise with their third-party partners. CMMC's security requirements don't stop at your firewall; they follow CUI wherever it travels, including to subcontractors who receive it under flow-down clauses. Separately, 72% lack a software bill of materials (SBOM). An SBOM is not itself a NIST SP 800-171 requirement, but federal software-supply-chain directives increasingly expect one, and without it a contractor cannot demonstrate the supply chain transparency those directives demand.

The biggest gaps are the most basic
Here's what catches many contractors off guard: the most dangerous compliance shortfalls aren't in exotic technologies. They're in the basics. Across the DIB, only about one in four organizations has consistently deployed multi-factor authentication. Similar numbers apply for endpoint detection and response and vulnerability management. These are exactly the controls CMMC 2.0, built on NIST SP 800-171, tests for: MFA for privileged and network access is requirement 3.5.3, and periodic vulnerability scanning and remediation are requirements 3.11.2 and 3.11.3.

Chasing advanced tooling while neglecting MFA, access controls, encryption, and audit logging is building on sand. One detail trips up otherwise solid programs: for CUI, "encryption" means FIPS-validated cryptography (NIST SP 800-171 requirement 3.13.11), and an assessor will ask for the validation certificate, not just confirmation that TLS is turned on. CMMC rewards contractors who can prove their fundamentals work, not those who purchased the most sophisticated product suite.

Audit trails illustrate the point well. The Kiteworks report found a third of organizations lack comprehensive audit trails entirely, and 61% work with fragmented logs spread across disconnected systems. Yet organizations with robust audit trails scored 20 to 32 points higher on every major security and compliance metric in the survey. The lesson is clear: you can't defend what you can't document, and you can't pass an assessment of the audit and accountability requirements (the 3.3.x family of NIST SP 800-171) without logs that are complete, centralized, and retained.

New technology, new exposure
CMMC compliance demands come at a moment when many defense contractors are simultaneously adopting new automation and data processing tools that introduce fresh risks. Every organization surveyed in the Kiteworks report has these technologies on its roadmap, yet 63% have no controls to limit how those tools use sensitive data, and 60% can't shut down a process that is behaving unexpectedly. Among government organizations specifically, a third have no dedicated security controls for these systems at all.

For DIB contractors, this creates a compounding challenge. Achieving CMMC compliance for existing infrastructure is hard enough. Doing it while new tools introduce uncontrolled data flows that could undermine CUI protections makes the task significantly more complex—and the consequences of failure more severe.

Three steps to take now
The path to CMMC readiness isn't mysterious, but it requires discipline. First, conduct a gap assessment against the NIST SP 800-171 requirements that focuses on evidence of implementation, not just policy documentation: an assessor will ask for the artifact behind each control (configurations, logs, screenshots, tickets), not the policy that promises it. Second, invest in the foundational controls (MFA, endpoint detection, vulnerability management, FIPS-validated encryption, and audit logging) that form the backbone of any defensible compliance posture. Third, map CUI flows across your supply chain, including every subcontractor and cloud service that touches CUI, and start building joint incident response capabilities with your key partners.

For small and mid-sized contractors, managed CMMC enclaves and cloud-based compliance environments offer a practical on-ramp that can compress timelines without requiring deep internal expertise. The caveat is that the enclave itself must meet the bar: under DFARS 252.204-7012, a cloud service that stores, processes, or transmits CUI must meet the FedRAMP Moderate baseline or an equivalent recognized by DOD, so confirm that status before you move CUI into it.

CMMC 2.0 is the most significant shift in defense contracting cybersecurity requirements in a generation—and it's already reshaping who wins work and who doesn’t. The contractors who treated it as a strategic priority are reaping the rewards. Those who deferred are paying the price. If you are in the second group, the good news is the path to compliance is well understood. The bad news is every week you wait, the line gets longer and the competition gets further ahead.

About the author: Frank Balonis is chief information security officer and senior VP of operations and support at Kiteworks, with more than 20 years of experience in IT support and services. Since joining Kiteworks in 2003, Frank has overseen technical support, customer success, corporate IT, and security and compliance, and has collaborated closely with product and engineering teams. He holds the Certified Information Systems Security Professional (CISSP) certification and served in the U.S. Navy. He can be reached at fbalonis@kiteworks.com.