Half the defense base still builds security around compliance
CMMC requirements are appearing in defense contracts and moving down through supplier networks to thousands of companies new to this kind of compliance work. Many run on limited budgets with lean security teams. The picture comes from nearly 900 defense contractors, C3PAOs, federal suppliers, and cybersecurity professionals who attended the 2026 Secureframe National Cybersecurity Summit.

Where CMMC adoption stands
Adoption varies across the defense industrial base. A small share have completed third-party certification at Level 2, with 16% certified through a C3PAO in SPRS. About a third hold a Level 2 self-assessment, and roughly a quarter hold a Level 1 self-assessment. Close to half have started compliance conversations with their suppliers, a sign that pressure moves down supply chains ahead of formal government enforcement.
Cost is the friction point named most often: 51% called the cost of readiness and assessment prohibitive. Assessor inconsistency ranked nearly even with it. A company that spends heavily on preparation and then meets an assessor who reads the requirements differently ends up paying for the same work twice.
Scope is where many companies get stuck. About one in five have yet to define where their controlled unclassified information lives across their systems. CUI scope is the foundation for every later step, and getting it wrong makes the work that follows harder and more expensive.
The threats hitting hardest
Phishing remains the threat companies encounter most, named by 65% of respondents as a top impact over the past year. The character of that threat has changed. Autonomous agents now pick targets, write messages, watch for responses, and adjust in real time.
Vendor and third-party risk stands out as the largest open gap, named by 58% of respondents as their biggest unresolved weakness. Supply chain compromise was among the most common incidents reported over the past year, and about a quarter said they experienced one.
Defenses for software supply chains run thin. About a third have none of the standard practices in place, such as vendor attestations or secure development policies. SBOM generation sits especially low, used by only a small share of respondents. The polling does not show which companies sit inside that gap. Shrav Mehta, Secureframe’s CEO, told Help Net Security that the survey “didn’t ask respondents to identify their organization size,” so the poll data cannot break that share down by company size. The weakness shows up across the base, and the data leaves open whether the smallest subcontractors carry more of it.
Rob Joyce, the former director of NSA cybersecurity, put it this way: “The adversary doesn’t care about your headcount, they care about which path to CUI is the easiest. Today, that path runs to the supplier with the part-time MSP, because that CUI is the same, but the defense isn’t.”
Confidence in spotting nation-state activity
Confidence in detecting nation-state intrusions runs low. About 28% described their detection and response capabilities as mature against that level of threat. The campaigns most active against the defense base, including Volt Typhoon and Salt Typhoon, are built to blend in by mimicking the everyday tools IT staff rely on.
General Paul Nakasone, the former NSA director, said: “There are likely adversaries in your network, and you probably don’t know it.”
Gaps in intelligence and awareness
Threat intelligence consumption leans on government feeds. Most respondents draw on CISA alerts and FBI flash reports, which carry an inherent lag. Close to three in ten take part in ISAC sharing, a source that runs more current and more defense-specific. A small share go without structured intelligence of any kind.
Awareness of FedRAMP 20x runs low among this group: 53% were unfamiliar with the program, even though most already run workloads in government cloud environments such as Microsoft 365 GCC High. The program changes how cloud providers earn federal authorization, which affects the tools these companies depend on.
Compliance as the starting point
Many security programs are built around the compliance checklist. Close to half said their program runs entirely on compliance requirements or has yet to be defined. For small businesses with thin resources, that approach is rational, since it meets contract requirements. Compliance shows whether a company has met a defined set of requirements. Whether those requirements match the threats in front of it is a separate question.
From compliance to resilience
Certification captures a moment in time, and the posture it measures drifts as staff turn over, vendors change, and configurations move. About 20% lack a formal process for staying compliant between assessments, which leaves them certified on paper with thin visibility into whether the posture holds. A quarterly internal review against an SPRS score gives smaller teams a starting point.
Bracing for AI-driven attacks
AI-powered attacks top the list of concerns for the next two years. The figure reaching 85% is the one point of near consensus across company sizes and roles. That number measures how the defense base views the threat coming at it. Mehta said the survey’s AI data “focuses on how organizations view AI within the threat landscape rather than their own internal adoption of AI for defensive use.” How far these same companies have brought AI into their own defenses remains an open question.
Agentic frameworks let AI run attack chains from start to finish with little human direction, and vulnerability discovery has been industrialized at a scale no human team can match. The same tools sit within reach of defenders. Joyce told the audience: “The people that are using AI will outperform those who are not. I don’t care if you’re on offense or defense. Start adopting and integrating them into your workflows because it will help your defense.”
Expanding regulatory requirements also drew strong responses, cited by 48% of respondents. Quantum computing concerns ranked high as well: harvest now, decrypt later collection means encrypted data crossing defense networks today may already sit in adversary hands, held until a capability to decrypt it arrives.
