Half of defense sector still prioritizes compliance over security

Summary
– CMMC requirements are expanding to thousands of smaller defense contractors with limited budgets, with adoption varying widely: 16% have Level 2 third-party certification, while close to half have started compliance conversations with suppliers.
– Cost is the top friction point, cited by 51% as prohibitive, followed closely by assessor inconsistency, while about one in five companies struggle with defining the scope of their controlled unclassified information.
– Phishing is the most common threat, reported by 65% of respondents, now driven by autonomous AI agents, while vendor and third-party risk is the largest unresolved gap, named by 58%.
– Confidence in detecting nation-state intrusions is low, with only 28% describing their capabilities as mature, and threat intelligence consumption relies heavily on lagging government feeds.
– AI-powered attacks are the top concern for the next two years, cited by 85% of respondents, yet many security programs are built around compliance checklists rather than resilience, with 20% lacking a formal process to maintain compliance between assessments.
Half of the defense sector still prioritizes compliance over security, according to data from nearly 900 defense contractors, C3PAOs, federal suppliers, and cybersecurity professionals who attended the 2026 Secureframe National Cybersecurity Summit. The findings reveal a landscape where CMMC requirements are increasingly embedded in defense contracts, cascading down through supplier networks to thousands of companies new to this compliance work, many operating on limited budgets with lean security teams.
Where CMMC adoption stands, the picture shows uneven progress across the defense industrial base. A small share have completed third-party certification at Level 2, with only 16% certified through a C3PAO in SPRS. Roughly a third hold a Level 2 self-assessment, while about a quarter have a Level 1 self-assessment. Close to half have initiated compliance conversations with their suppliers, signaling that pressure is moving down supply chains ahead of formal government enforcement.
Cost emerges as the most frequently cited friction point. Just over half of respondents, 51%, called the cost of readiness and assessment prohibitive. Nearly tied with cost is assessor inconsistency, where companies invest heavily in preparation only to meet an assessor who interprets requirements differently, driving up expenses further.
Scope remains a major stumbling block. About one in five respondents have yet to define where their controlled unclassified information (CUI) lives across their systems. CUI scope is foundational for every subsequent step, and getting it wrong makes the work that follows harder and more expensive.
The threats hitting hardest include phishing, named by 65% of respondents as a top impact over the past year. The character of that threat has evolved. Autonomous agents now pick targets, write messages, watch for responses, and adjust in real time. Vendor and third-party risk stands out as the largest open gap, cited by 58% of respondents as their biggest unresolved weakness. Supply chain compromise was among the most common incidents reported over the past year, with about a quarter experiencing one.
Defenses for software supply chains run thin. About a third have none of the standard practices in place, such as vendor attestations or secure development policies. SBOM generation sits especially low, used by a small share of respondents. The polling did not ask respondents to identify their organization size, leaving no way to break that share down by company size from the poll data. The weakness shows up across the base, with the data leaving open whether the smallest subcontractors carry more of it.
Rob Joyce, the former director of NSA cybersecurity, put it bluntly: “The adversary doesn’t care about your headcount, they care about which path to CUI is the easiest. Today, that path runs to the supplier with the part-time MSP, because that CUI is the same, but the defense isn’t.”
Confidence in detecting nation-state intrusions runs low. Only 28% described their detection and response capabilities as mature against that level of threat. The campaigns most active against the defense base, including Volt Typhoon and Salt Typhoon, are built to blend in by mimicking everyday IT tools. General Paul Nakasone, the former NSA director, offered a sobering assessment: “There are likely adversaries in your network, and you probably don’t know it.”
Threat intelligence consumption leans heavily on government feeds. Most respondents draw on CISA alerts and FBI flash reports, which carry an inherent lag. Close to three in ten take part in ISAC sharing, a more current and defense-specific source. A small share go without structured intelligence of any kind. Awareness of FedRAMP 20x runs low among this group, with 53% unfamiliar with the program, even as most already run workloads in government cloud environments like Microsoft 365 GCC High. The program changes how cloud providers earn federal authorization, which affects the tools these companies depend on.
Many security programs are built around the compliance checklist. Close to half said their program runs entirely on compliance requirements or has yet to be defined. For small businesses with thin resources, that approach is rational since it meets contract requirements. Compliance shows whether a company has met a defined set of requirements, but whether those requirements match the threats in front of it is a separate question.
Certification captures a moment in time, and the posture it measures drifts as staff turn over, vendors change, and configurations move. About 20% lack a formal process for staying compliant between assessments, leaving them certified on paper with thin visibility into whether the posture holds. A quarterly internal review against an SPRS score gives smaller teams a starting point.
Looking ahead, AI-powered attacks top the list of concerns for the next two years, with 85% of respondents citing them as a top threat. That figure marks near consensus across company sizes and roles. Mehta said the survey’s AI data “focuses on how organizations view AI within the threat landscape rather than their own internal adoption of AI for defensive use.” How far these same companies have brought AI into their own defenses remains an open question.
Agentic frameworks let AI run attack chains from start to finish with little human direction, and vulnerability discovery has been industrialized at a scale no human team can match. The same tools sit within reach of defenders. Joyce told the audience: “The people that are using AI will outperform those who are not. I don’t care if you’re on offense or defense. Start adopting and integrating them into your workflows because it will help your defense.”
Expanding regulatory requirements also drew strong responses, cited by 48% of respondents. Quantum computing concerns ranked high as well, and the concept of harvest now, decrypt later means data crossing defense networks may already sit in adversary hands.
(Source: Help Net Security)