When the Cybersecurity Maturity Model Certification rule became effective on November 10, 2025, many organizations expected that the hardest part would be implementing new controls for Controlled Unclassified Information (CUI). But at the ISC2 Security Congress in October, a different challenge emerged. There are nowhere near enough certified assessors to evaluate the more than 200,000 organizations now required to meet CMMC Level 2 requirements.
This capacity bottleneck may prove more disruptive to federal contracting than any single technical control.
CMMC Assessor Shortage Impact on National Security
Under 32 CFR Part 170, every CMMC Level 2 assessment requires three Certified CMMC Assessors. According to Thomas Graham, vice president and chief information security officer at cybersecurity service provider Redspin, there are only 550–560 CCAs worldwide, all of whom must clear a Tier 3 federal background check that takes six to eight months on average.
“Divide that number by three and that’s how many assessments can happen at one time,” Graham told attendees. “C3PAO waitlists are already over a year,” he said, referring to Certified Third-Party Assessor Organizations.
The economic stakes are massive. M. Dee Childs, associate vice president and special advisor to the CIO for regulated research at Clemson University, reminded the audience that “The U.S. Defense Industrial Base contributes nearly $450 billion annually to the U.S. economy, and DoD relies heavily on very small to very large businesses and universities for innovation.” Delayed certification, she noted, can restrict access to work that fuels regional economies and research ecosystems.
This makes the assessor shortage not just an administrative challenge, but a supply-chain risk with national security impact.
CUI Is Bigger Than DoD, and Getting Bigger
Many federal contractors mistakenly believe that CMMC applies only to defense data. Childs set the record straight: “CUI is not just DoD. It can be anything from law enforcement of crimes against children… to chemical formulas or specialized designs.”
Graham made it clear that while CUI was initiated in DoD, “it is a federal designation created as a common designation to communicate across federal agencies.” He explained that the General Services Administration and National Aeronautics and Space Administration have co-sponsored a federal CUI rule, and the Department of Education and Department of the Treasury have notified contractors that the federal taxpayer information they hold is CUI. National Institutes of Health and Department of Health and Human Services have signaled movement toward stricter CUI protections aligned with federal standards. He explained that other nation-states, including allies in NATO and the Five Eyes, are pursuing similar frameworks.
The message is increasingly clear: organizations outside the defense sector will soon operate under the same cybersecurity expectations.
Why Organizations Are Struggling with CMMC Level 2 Requirements
Redspin has conducted between 70 and 80 CMMC assessments, giving its team particular visibility into failure patterns. Graham summarized the most common “Not Met” items:
- Insufficient or misconfigured CUI encryption
- Multifactor authentication gaps
- Failure to restrict nonessential functionality
- Missing or incomplete role-based training
- Weak media protection for digital and physical (paper) CUI
These failures are often symptoms of organizational gaps rather than technical ones.
As Stephanie Kincaid, Manager of CMMC Services at Redspin, put it: “Everyone throws it all on the IT department. It’s not all about your IT department. You have to have everyone responsible for following through with that practice.” In other words, every function that handles CUI must be involved in and committed to CMMC compliance, not just IT.
In non-federal environments like research universities, the challenge is even more complex. Kelley Gonzales, Research Information Security Manager at Clemson University, explained: “We are protecting CUI to about the level that we used to protect secret information, but we’re doing it without controlling the entire network.”
How Successful Organizations Prepare for CMMC Certification
Teams that invest early in structured preparation see dramatically better outcomes. According to Kincaid, organizations that conduct mock assessments and engage external readiness support achieve a 93.8% first-attempt pass rate.
Speakers across both sessions emphasized similar actions:
- Embed CMMC into enterprise risk management: “The first control in risk assessment is how your organization is assessing the risk before you even get to the point of handling CUI,” Kincaid explained.
- Engage all functions: Kincaid urged full participation by human resources, contracts, and executive leadership – not just IT.
- Document the environment thoroughly: Gonzales recommended that organizations maintain network diagrams, data-flow diagrams, asset inventories, and asset categorization. Graham suggested making the assessor’s job easier by pointing to the specific sections of documents that show how the documentation addresses each assessment objective. Assessors are looking for evidence, repeatability, and alignment, not policy statements without proof.
- Conduct an early gap assessment: Both Redspin and Clemson recommended a structured NIST SP 800-171 gap analysis, ideally months before scheduling the assessment given the one-year-plus backlog.
Book Your CMMC Assessment Now or Risk Losing Eligibility
With the CMMC rule now in effect, the organizations that secure early assessment slots will be the ones that maintain access to federal contracts. Those who wait may find themselves shut out – not because they lack cybersecurity controls, but because they lack assessor availability.