
CMMC Has Been in Enforcement for Months. Why Are Less Than 2% of Level 2 Organizations Certified?

June 25, 2026

By Emily Bonnie, Senior Content Marketing Manager

By most measures, the CMMC ecosystem is maturing. There are enough C3PAOs to handle current assessment demand. Official DoD guidance and FAQs exist. Contracts are already requiring certification and compliance pressure is flowing down the supply chain.

So why, as of May 2026, have fewer than 2% of the organizations that need Level 2 certification achieved it?

At our 2026 National Cybersecurity Summit, we polled over 800 defense contractors, primes, C3PAOs, and federal cybersecurity practitioners to get a clearer picture of where the real readiness challenges lie.

Debunking the C3PAO bottleneck myth

The assumption baked into a lot of CMMC coverage is that the certification rate is low because there aren't enough assessors to go around. The data doesn't support that.

As of May 2026, there are 104 authorized C3PAOs and 988 Certified CMMC Assessors. Based on our analysis of Cyber AB marketplace data, those assessors are operating at well under half their realistic capacity. Monthly certification output has moved independently of assessor pool growth, sometimes dropping sharply in the same months the credentialed pool was expanding fastest. If assessor availability were the binding constraint, you'd expect those trendlines to move together. They don't.

Our poll data points to the same conclusion: only 23% of respondents cited a shortage of qualified C3PAOs as a top challenge. The ecosystem has scaled to meet demand. So where is the real friction?

44% of organizations don't know what assessors will look for

When we asked respondents about their biggest assessment preparation challenges, the top answer wasn't cost or scheduling. It was understanding exactly what assessors will look for, cited by 44%. Scope definition came in at 36%, tied with evidence collection and documentation.

The more you look at this data, the more it points to something CMMC-specific: this is a brand new framework, and both contractors and assessors are still developing a shared understanding of what compliance requires in practice. NIST SP 800-171 provides the controls, but it doesn't provide a universal standard for how those controls should be implemented, documented, or evaluated, and that ambiguity is showing up in the numbers. 50% of respondents cited inconsistency in how assessors interpret requirements as a top concern, making it nearly tied with cost as the leading friction point.

When the DoD started verifying contractor compliance rather than taking self-assessments at face value, the results were eye-opening. As Stacy Bostjanick, former Director of CMMC Policy at the DoD, put it: “They hadn't done half the thing. They told us what they thought we wanted to hear.”

That gap between how organizations understand their own compliance posture and how assessors evaluate it explains a lot: why organizations that feel prepared still fail assessments, why cost estimates range from under $50k to over $500k, and why 22% of respondents are still defining their CUI scope despite enforcement being underway.

Contractors say compliance is too expensive. The DoD says the bill is overdue

Cost was the single most commonly cited barrier in our poll, with 51% calling it prohibitive. That's a real problem, especially for small and mid-size contractors navigating this level of compliance scrutiny for the first time.

The DoD sees it differently: CMMC isn't introducing new requirements. Contractors with DFARS 7012 clauses in their contracts have been required to comply with NIST 800-171 since 2017. CMMC just adds third-party verification to security controls that were already supposed to be in place. As Katie Arrington put it at an AFCEA DC luncheon earlier this year: "If you go on LinkedIn one more time and tell me how hard CMMC is, I'm going to beat you. That ship sailed in 2014."

The practical reality is more complicated. Many small contractors never fully implemented all 110 NIST 800-171 controls, either because they weren’t aware of the type of sensitive data they were handling, enforcement was absent, or the requirements felt abstract. Now those costs are real and front-loaded, and organizations are paying for years of deferred investment all at once.

The cost picture will improve as the framework matures, tooling gets better, C3PAO pricing becomes more competitive, and institutional knowledge accumulates across the ecosystem. Arrington made the comparison herself to Summit attendees: "Remember the first version of the iPhone, and then Google and Samsung came out? The cost of the technology went down. Industry will meet the need, and they will reduce the cost by the quantity of people that need it."

The growing pains of the CMMC ecosystem

Both of these problems — the knowledge gap and the cost burden — are symptoms of the same underlying reality: CMMC is new, and the ecosystem is still developing the consensus and tooling that make any compliance framework manageable at scale.

That's not an excuse for inaction, and the enforcement timeline isn't going to wait for the ecosystem to fully mature. The Phase 2 deadline is November 10, 2026, and primes aren't even waiting for that. Lockheed Martin, Elbit America, Northrop Grumman, Boeing, and others have already issued formal notices requiring their suppliers to demonstrate CMMC compliance as a condition of continued work, in some cases months ahead of the federal deadline. For many subcontractors within the DIB, the effective CMMC compliance deadline has already passed.

What it does mean is that the organizations navigating this transition well aren't necessarily the ones with the biggest budgets or the most experienced security teams. They're the ones that started early, engaged with C3PAOs before their formal assessment to understand what would actually be evaluated, reduced their CUI footprint to keep scope manageable, and treated documentation as an ongoing practice rather than a pre-assessment scramble. Tools like Secureframe Defense were built specifically to help DIB organizations do exactly that: automating the scoping, control implementation, infrastructure deployment, and documentation that make the assessment preparation process faster and less dependent on institutional knowledge that most small contractors don't have yet.

For the full picture of where DIB organizations stand in 2026, including the threat landscape, the intelligence gap, and the emerging risks that go well beyond CMMC readiness, download our 2026 Federal Cybersecurity Report.

2026 Federal Cybersecurity Report

We surveyed 850+ defense contractors, C3PAOs, federal suppliers, and cybersecurity professionals to understand the current state of the DIB, including CMMC readiness and the top threats affecting the risk landscape.


Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.