Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

CMMC readiness in 2026: why are certified organisations still below 2%?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: CMMC certification remains below 2% for Level 2 organisations as of May 2026, despite 104 authorized C3PAOs and 988 Certified CMMC Assessors, according to Secureframe’s analysis and survey of more than 800 defence contractors and federal practitioners. The bottleneck is now interpretation, scope definition, and evidence readiness, not assessor capacity.

NHIMG editorial — based on content published by Secureframe: CMMC Has Been in Enforcement for Months. Why Are Less Than 2% of Level 2 Organizations Certified?

By the numbers:

Questions worth separating out

Q: What breaks when CMMC scope is not clearly defined?

A: When scope is unclear, teams usually over-include systems or under-document access paths, and both outcomes create assessment risk.

Q: Why do identity controls matter so much in CMMC readiness?

A: CMMC turns identity governance into something assessors must be able to verify.

Q: How do security teams know if CMMC evidence is actually usable?

A: Evidence is usable when a reviewer can trace a control from policy to implementation to a dated artefact without needing extra explanation.

Practitioner guidance

  • Define CUI scope as an identity boundary Map every system, account, and privileged path that can touch CUI, then remove anything that cannot be defended as in scope.
  • Build assessor-ready evidence packs Create recurring evidence bundles for access approvals, privileged account reviews, offboarding, and control exceptions.
  • Reduce standing access before assessment Replace persistent elevated access where possible, and document every exception with a named owner and expiry.

What's in the full article

Secureframe's full blog covers the operational detail this post intentionally leaves for the source:

  • The survey methodology behind the 800-plus respondent poll, including how defence contractors, primes, and C3PAOs were grouped.
  • The full breakdown of assessment friction by cost, scope, evidence, and interpretation, useful for remediation planning.
  • The practical examples of how organisations are reducing CUI scope and preparing for formal assessment.
  • The timing pressure created by prime contractor notices and the Phase 2 deadline.

👉 Read Secureframe's analysis of why CMMC certification is still lagging →

CMMC readiness in 2026: why are certified organisations still below 2%?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

CMMC’s bottleneck is governance clarity, not just certification capacity. The article’s data shows that assessor supply exists, but organisations still struggle to explain what assessors will evaluate and how scope is defined. That is a control maturity problem, not a market shortage problem. In regulated identity environments, ambiguous scope almost always turns into ambiguous access, so practitioners should treat governance clarity as a prerequisite for readiness.

A question worth separating out:

Q: Who is accountable when CMMC certification slips past contract deadlines?

A: Accountability usually sits with the organisation that accepted the contract obligation, but it often spreads across security, compliance, and programme leadership when scope and remediation were not managed early. In practice, the risk is commercial as well as regulatory: delayed certification can block work, increase cost, and expose weak governance across the supply chain.

👉 Read our full editorial: CMMC enforcement is revealing a readiness gap, not just an assessor shortage



   
ReplyQuote
Share: