For more than two years now, we’ve been issuing regular reminders about mandatory CMMC compliance for organizations handling federal contract information (FCI) or controlled unclassified information (CUI). We’ve followed the long and winding journey of the CMMC rule from proposal to revision to adoption as the law of the land.
While some may view CMMC compliance as yet another government-mandated burden on businesses, it really is vital to our national interests. Protecting sensitive information has never been more important, as the defense sector has experienced a 300% increase in cyberattacks since 2018. CMMC compliance can also offer contractors a competitive advantage, especially for those crossing the finish line early.
So where are we in the bigger CMMC picture? It depends on who you ask, but it’s safe to say that many organizations still have some work to do.
Remember that CMMC compliance has three levels, depending upon the type of information an organization handles. Level 1 has been described as “basic cyber hygiene,” while Level 3 requires protection against advanced persistent threats (APTs). Many organizations will be required to achieve the “advanced protection” of Level 2.
To put some numbers to that, the Department of Defense (DoD) expects that more than 200,000 contractors will be impacted by CMMC rules (some estimates say as many as 300,000). Of those, roughly 80,000 will require Level 2 certification.
All DoD contracts will require compliance by October of 2026. How many organizations are actually ready as we approach the midway point of 2025? Good question. One survey at the start of this year reported that compliance had been achieved by a meager 4% of affected organizations, but there are no official statistics available. What we do know is that more than half of the contractors impacted by CMMC report that they are “struggling” with the requirements.
The road to compliance begins with an assessment of the gaps between an organization’s current state and the requirements of the appropriate certification level. This is where a qualified consultant can smooth and streamline the path to certification.
With the October 2026 deadline looming and some organizations reporting a 12- to 18-month timeline to compliance, one thing is clear: The time for waiting is over.
Questions about CMMC compliance for your organization? Contact Hill Tech Solutions.