
CMMC 2.0 Readiness in the DIB: Research Insights on Compliance Foundations
Cybersecurity vulnerabilities in the defense supply chain represent one of the most significant national security challenges facing the United States today. With adversaries increasingly targeting smaller contractors as entry points to access sensitive information, the Department of Defense established the Cybersecurity Maturity Model Certification (CMMC) framework to ensure adequate protection of controlled unclassified information (CUI) throughout the Defense Industrial Base (DIB).
A study from Kiteworks and Coalfire offers a detailed look at how DIB organizations are approaching CMMC 2.0 Level 2 compliance. The “State of CMMC 2.0 Preparedness in the DIB” report surveyed 209 organizations across varied sizes and roles, revealing clear patterns in compliance approaches, implementation challenges, and strategic decisions that can guide defense contractors at every stage of their certification journey.
The research arrives at a critical moment, immediately following the December 2024 effective date of the 32 CFR Part 170 CMMC Program final rule (published in October 2024), and captures organizations’ responses to the finalized requirements. The findings show that organizations taking structured, systematic approaches to compliance consistently report better outcomes across all measured dimensions. The data is correlational rather than proof of cause and effect, but the pattern is consistent enough to serve as a roadmap for implementation strategy.
Understanding CMMC 2.0 Level 2 Requirements
CMMC 2.0 represents a significant refinement of the original certification model, streamlining from five levels to three while maintaining rigorous standards for protecting sensitive defense information. Level 2, the focus of this research, aligns directly with NIST SP 800-171 Rev. 2 and encompasses its 110 security requirements, grouped by CMMC into 14 domains.
Evolution of CMMC Framework
The Department of Defense developed CMMC to address persistent cybersecurity vulnerabilities throughout its supply chain, in particular the pattern of adversaries compromising smaller contractors as a path to sensitive information held further up the chain.
Unlike the earlier self-attestation model under DFARS 252.204-7012, CMMC adds a verification mechanism to confirm that required security practices are actually implemented. This shift from trust-based to verification-based compliance is a fundamental change in how the DoD approaches supply chain security.
Organizations seeking CMMC Level 2 certification must implement all 110 required practices and undergo assessment at one of two levels of rigor, determined by the contract: a Level 2 self-assessment (with the score posted to the Supplier Performance Risk System, SPRS, and an annual affirmation by a senior official), or a Level 2 certification assessment conducted by a Certified Third-Party Assessment Organization (C3PAO), valid for three years and also subject to annual affirmation. These requirements apply to organizations of all sizes within the DIB that handle CUI, from small subcontractors to large prime contractors.
The framework operates alongside complementary federal cybersecurity regulations, including Federal Acquisition Regulation (FAR) clause 52.204-21 (basic safeguarding of covered contractor information systems) and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 (safeguarding covered defense information and cyber incident reporting), with DFARS 252.204-7021 carrying the CMMC level requirement into individual contracts. Together these clauses form the regulatory ecosystem for securing defense information across the supply chain.
Survey Methodology and Respondent Demographics
The Kiteworks/Coalfire study draws on a reasonably broad sample of DIB organizations. The research collected responses from 209 participants using 22 targeted questions to assess compliance status, implementation approaches, and challenges.
Comprehensive Organizational Representation
Respondent organizations spanned all size categories within the defense sector:
- Small organizations with fewer than 500 employees (32%)
- Mid-sized organizations with 500-9,999 employees (48%)
- Large organizations with 10,000+ employees (20%)
This distribution allows for detailed analysis of how organizational size influences CMMC readiness approaches and challenges, revealing important patterns in resource allocation and implementation strategies across different organizational contexts.
Diverse Leadership Perspectives
The survey captured insights from across the leadership spectrum:
- CIO/IT Leaders (20%)
- Cybersecurity Leaders (17%)
- CEO/Founders (14%)
- Risk Management Leaders (15%)
- General Counsel/Legal Leaders (8%)
- COOs (4%)
- CFOs (1%)
This leadership diversity enables analysis of how functional roles influence perceptions of compliance readiness and priorities, revealing important differences in how technical specialists and executive leadership approach CMMC implementation.
Data analysis focused on identifying correlations between organizational characteristics and compliance approaches, examining relationships between gap analysis completion, documentation maturity, and implementation of critical security controls. For clearer pattern identification, responses were grouped into three categories: small (<500 employees), medium (500-9,999 employees), and large organizations (10,000+ employees).
Key Takeaways for CMMC 2.0 Readiness in the DIB
- Gap analysis establishes the critical foundation for CMMC 2.0 compliance success. Among organizations that completed a comprehensive gap analysis, 73% report fully documented cybersecurity policies and 77% follow documented encryption standards with verified implementation, compared with 28% and 42% of those that have not begun an assessment. This correlation suggests that a thorough assessment of security posture against all 110 NIST SP 800-171 controls provides the roadmap for all subsequent compliance activities. Selecting an experienced and trusted third-party advisor to guide the assessment and implementation process is an important early decision.
- Documentation maturity serves as a powerful predictor of security implementation effectiveness. Organizations with fully documented policies implement encryption standards at much higher rates (83%) than those with partial documentation (49%), and organizations with minimal documentation were 30 times more likely to report inconsistent encryption of CUI. The minimal-documentation group is only about 2% of respondents, so that multiplier rests on a handful of organizations, but the direction of the relationship is consistent with the rest of the data: comprehensive policy development creates the structure and clarity needed for consistent, verifiable control implementation.
- Significant perception gaps exist between technical specialists and executive leadership. Cybersecurity leaders report much lower rates of documentation maturity (54%) than CEO/founders (80%), suggesting communication breakdowns or differences in assessment standards. This disparity underscores the importance of aligning technical and executive perspectives through structured assessment methodologies and regular cross-functional communication so that compliance planning reflects actual implementation status.
- Organizational size influences compliance readiness, but less than a systematic approach does. Large organizations reported somewhat higher rates of completed gap analyses (47%) and fully documented policies (68%) than small organizations (38% and 58%, respectively), but the consistently low rate of minimal documentation across all size categories indicates that basic awareness exists regardless of organizational resources. A structured, systematic approach to compliance appears effective across all organizational sizes.
- POA&M development correlates strongly with overall compliance maturity. Organizations with completed gap analyses were more than twice as likely to have detailed POA&Ms with assigned responsibilities and timelines (71%) as those that had not yet started gap analyses (33%). This highlights the operational value of moving from general awareness to specific, actionable compliance planning with clear ownership and timelines for remediation.
Gap Analysis: The Foundation of CMMC Success
The completion of a formal gap analysis against NIST SP 800-171 requirements emerges from the research as the critical foundation for all subsequent compliance activities. Organizations that conduct thorough gap analyses demonstrate significantly higher rates of structured compliance preparation.
Impact of Comprehensive Assessment
Among surveyed organizations, 41% reported having completed a thorough gap analysis, while 37% indicated their gap analysis was currently in progress. More concerning, 16% had not yet started but planned to begin soon, and 6% were unsure of their gap analysis status—suggesting potential communication issues or planning gaps within those organizations.
The data reveals striking differences in readiness between assessment-focused organizations and others:
Organizations with completed gap analyses were significantly more likely to have already engaged experienced external partners, with 62% working with third-party consultants, Registered Provider Organizations (RPOs), or C3PAOs, compared to just 40% of organizations with gap analyses in progress and 21% of those that had not yet started. This pattern suggests that thorough gap analyses help organizations recognize compliance complexities and the value of specialized, external expertise.
The correlation between gap analysis completion and documentation maturity reveals another critical pattern. Organizations with completed gap analyses reported higher rates of fully documented cybersecurity policies and procedures (73%) compared to those with analyses in progress (44%) or not yet started (28%). This correlation highlights how gap analyses drive concrete documentation improvements by identifying specific deficiencies requiring remediation.
Gap analysis status also correlates strongly with encryption implementation. Among organizations with completed gap analyses, 77% reported following documented encryption standards with verification of implementation. This percentage drops to 63% for organizations with gap analyses in progress and just 42% for organizations that had not yet started. These differences emphasize the role of gap analyses in identifying and driving remediation of specific technical control deficiencies.
Plan of Action and Milestones (POA&M) development shows perhaps the strongest correlation with gap analysis status. Organizations with completed gap analyses were more than twice as likely to have detailed POA&Ms with assigned responsibilities and timelines (71%) compared to those that had not yet started gap analyses (33%). This finding underscores the practical operational value of gap analyses in structuring remediation efforts, and it is one reason DIB organizations benefit from experienced third-party experts to guide them through CMMC 2.0 Level 2 assessment and implementation.
Gap Analysis Approaches by Organization Size
The survey also revealed interesting patterns in the relationship between gap analysis completion and organizational size:
Large organizations (10,000+ employees) reported the highest rate of completed gap analyses at 47%, compared to 40% for medium organizations (500-9,999 employees) and 38% for small organizations (<500 employees). However, medium-sized organizations showed the highest percentage of in-progress gap analyses (42%), suggesting active engagement with compliance requirements but potential resource constraints in completing assessments.
The survey data makes clear that organizations at different stages of gap analysis completion face significantly different CMMC readiness challenges. Organizations that have not completed gap analyses tend to struggle with fundamental questions about requirements applicability and scope, while those with completed analyses focus more on specific technical implementation challenges and resource allocation. This progression underscores the critical role of gap analyses in moving organizations from general awareness to specific, targeted compliance efforts.
Documentation Maturity: The Critical Link to Implementation
The survey results reveal a fundamental relationship between the maturity of an organization’s cybersecurity documentation and its effectiveness in implementing specific security controls required for CMMC 2.0 Level 2. Documentation maturity serves as both an indicator of overall cybersecurity governance and a practical foundation for consistent control implementation.
Documentation Status Across the DIB
Among surveyed organizations:
- 61% reported fully documented and regularly updated cybersecurity policies and procedures
- 32% indicated partial documentation with updates ongoing
- 2% reported minimal documentation with plans for significant updates
- 5% were uncertain of their documentation status
These figures suggest that while a majority of DIB organizations recognize the importance of comprehensive documentation, a significant portion still face documentation gaps that may impact their certification readiness.
The survey revealed interesting variations in documentation maturity across company sizes. Large organizations (10,000+ employees) reported the highest rate of fully documented policies at 68%, compared to 63% for medium organizations (500-9,999 employees) and 58% for small organizations (<500 employees). However, the percentage of organizations with minimal or uncertain documentation remained consistently low across all size categories (3%-4%), suggesting that basic documentation awareness exists regardless of organizational resources.
Documentation as a Security Predictor
The correlation between documentation maturity and security implementation effectiveness emerges as one of the most significant findings in the research. This relationship is particularly evident in critical security domains:
The correlation between documentation maturity and encryption implementation stands out as particularly significant. Among organizations with fully documented policies and procedures, 83% reported following documented encryption standards with verification of implementation. This percentage drops to 49% for organizations with partially documented policies and 0% for those with minimal documentation.
Even more telling, organizations with minimal documentation were 30 times more likely to report inconsistent encryption of CUI (60%) compared to organizations with fully documented policies (2%). One caveat applies when reading these figures: only about 2% of the 209 respondents fell into the minimal-documentation category, so the percentages for that group are based on a handful of organizations. Even so, the direction is unambiguous, and it illustrates how comprehensive documentation creates the foundation for consistent, verifiable security control implementation.
Third-party access controls show similar patterns related to documentation maturity. Of organizations with fully documented policies, 75% reported having advanced controls and systems to ensure third parties can only access authorized CUI. This percentage decreases to 56% for organizations with partially documented policies and just 20% for those with minimal documentation. This pattern demonstrates how mature documentation practices support the implementation of complex technical controls that require clear definitions, processes, and verification mechanisms.
Documentation maturity also correlates strongly with stakeholder involvement in CMMC readiness efforts. Organizations with fully documented policies were more than twice as likely to report highly collaborative approaches with regular cross-functional meetings (56%) compared to those with partially documented policies (26%). This relationship highlights how mature documentation practices both require and facilitate broader organizational engagement, creating a positive feedback loop that enhances overall security governance.
Perceptions of documentation maturity varied notably based on respondent role, revealing important differences in how functional areas assess documentation quality. CEO/Founders reported the highest rate of fully documented policies (80%), while Cybersecurity Leaders reported a significantly lower rate (54%). This disparity suggests potential communication gaps or differences in assessment standards, with technical specialists likely applying more rigorous criteria than executive leadership. COO respondents reported the lowest rate of fully documented policies (33%) and the highest rate of partial documentation (67%), possibly reflecting operational concerns about policy implementation challenges; COOs made up only 4% of respondents, however, so those two figures describe a very small group.
The relationship between documentation maturity and Plan of Action & Milestones (POA&M) development provides another indicator of documentation’s role in structured compliance approaches. Organizations with fully documented policies were three times more likely to have detailed POA&Ms with assigned responsibilities and timelines (67%) compared to those with partially documented policies (22%). This pattern suggests that mature documentation practices facilitate the transition from general awareness to specific, actionable compliance planning.
Key CMMC 2.0 Compliance Takeaways: Building Your Foundation for Certification Success
The Kiteworks and Coalfire research offers compelling evidence that organizations embracing structured compliance approaches achieve superior results across all security dimensions. The data clearly demonstrates that gap analyses provide the essential foundation for compliance success, with organizations completing comprehensive assessments achieving markedly better outcomes in documentation, encryption implementation, and third-party controls.
Equally important, the research reveals documentation maturity as a critical predictor of security implementation effectiveness. Organizations with robust documentation show dramatically stronger performance in implementing technical controls, suggesting that comprehensive policy development represents a fundamental step in the compliance journey.
For organizations beginning their CMMC 2.0 Level 2 preparation, the message is clear: start with a thorough assessment of current security posture against all 110 NIST SP 800-171 controls and prioritize comprehensive documentation development. Those already in progress should evaluate their documentation maturity and ensure alignment between executive perceptions and technical reality.
Frequently Asked Questions
Gap analysis serves as the critical foundation for all subsequent compliance activities. In the research, 73% of organizations that completed a thorough gap analysis reported fully documented cybersecurity policies, compared with 28% of those that had not started. Organizations with completed gap analyses also demonstrated significantly higher rates of verified encryption implementation (77% versus 42%) and detailed POA&Ms with assigned responsibilities (71% versus 33%), highlighting how comprehensive assessments drive concrete improvements by identifying specific deficiencies requiring remediation.
Documentation maturity serves as both an indicator of overall cybersecurity governance and a practical foundation for consistent control implementation, with organizations having fully documented policies implementing encryption standards at dramatically higher rates (83%) compared to those with partial documentation (49%). The research reveals that organizations with minimal documentation are 30 times more likely to report inconsistent encryption of CUI, demonstrating how comprehensive documentation creates the necessary foundation for verifiable security control implementation.
The survey revealed significant perception gaps, with CEO/Founders reporting much higher documentation maturity (80%) than Cybersecurity Leaders (54%), suggesting potential communication failures between technical teams and leadership. COO respondents reported the lowest rate of fully documented policies (33%) and the highest rate of partial documentation (67%), possibly reflecting operational concerns about policy implementation challenges that may not be fully visible to other leadership roles.
Large organizations (10,000+ employees) reported the highest rate of completed gap analyses at 47% and fully documented policies at 68%, compared to small organizations (<500 employees) at 38% and 58%, respectively. However, medium-sized organizations showed the highest percentage of in-progress gap analyses (42%), suggesting active engagement with compliance requirements but potential resource constraints in completing assessments, while the consistent low rate of minimal documentation across all size categories (3-4%) indicates basic documentation awareness exists regardless of organizational resources.
Organizations should start with a thorough assessment of current security posture against all 110 NIST SP 800-171 controls, as the research shows this comprehensive gap analysis provides the essential foundation for all subsequent compliance activities. The second critical step is prioritizing comprehensive documentation development, which the research reveals as a fundamental predictor of security implementation effectiveness across all security dimensions, from encryption implementation to third-party access controls.
Additional Resources
- Blog Post: CMMC Compliance for Small Businesses: Challenges and Solutions
- Blog Post: If You Need to Comply With CMMC 2.0, Here Is Your Complete CMMC Compliance Checklist
- Blog Post: CMMC Audit Requirements: What Assessors Need to See When Gauging Your CMMC Readiness
- Guide: CMMC 2.0 Compliance Mapping for Sensitive Content Communications
- Blog Post: 12 Things Defense Industrial Base Suppliers Need to Know When Preparing for CMMC 2.0 Compliance