
Small and mid-sized contractors play a vital role in the U.S. defense industrial base — but too often, they remain the weakest link in the cybersecurity chain.
RADICL’s 2025 DIB Cybersecurity Maturity Report reveals that 85% of these contractors still fall short of basic regulatory standards. And just 3% meet the threshold of “Advanced” maturity.
This is no longer a theoretical problem. With the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework expected to become enforceable as early as November 2025, thousands of SMBs in the defense supply chain face a major inflection point. They’ll either demonstrate compliance — or risk being locked out of federal contracts.
To unpack what this means, Last Watchdog sat down with Chris Petersen, co-founder and CEO of RADICL, the threat-informed Cybersecurity-as-a-service (CSaaS) company behind the annual maturity study. Petersen explains why many firms are still dangerously exposed — and how the smartest ones are rethinking CMMC as a blueprint for long-term resilience.
LW: What’s the main takeaway from this year’s report?
Petersen: The gap is still huge. Most DIB contractors remain vulnerable, especially to nation-state actors focused on espionage. This isn’t just about ransomware or generic threats anymore. It’s about adversaries actively targeting sensitive data tied to national defense.
That said, we are seeing a shift in mindset. A year ago, a lot of contractors were in wait-and-see mode. Now, leadership teams — CEOs, CIOs, COOs — are more engaged. They’re asking the right questions. But that urgency hasn’t translated into implementation yet. Many still lack basic controls, from documented policies to configured security tools. It’s not just a tech problem — it’s organizational.
LW: CMMC can seem overwhelming to SMBs. What’s a better way to look at it?
Petersen: Think of CMMC not as red tape but as a roadmap for operational maturity. For too long, contractors trying to “do the right thing” in cybersecurity were at a competitive disadvantage. Now, the enforcement mechanism levels the playing field. Everyone has to step up.
Security isn’t just about avoiding fines or passing audits. It’s about avoiding costly business disruptions. Things like ransomware or phishing attacks aren’t just security issues — they’re operational risks that can cripple a company. And with compliance now tied to contract eligibility, doing nothing is no longer an option.
LW: Your report notes compliance and real-time risk management are starting to align. What does that mean in practice?
Petersen: Compliance used to mean, “Did we do the paperwork?” Now it’s moving toward, “Can we actually respond to threats?”
When organizations treat compliance as an ongoing readiness practice — when they operationalize it — they start doing the things that actually make them more secure. They monitor environments continuously. They develop playbooks for response. They test controls regularly. That’s the future.
LW: Where are most contractors still struggling?
Petersen: A lot of the gaps are foundational. Many contractors still don’t have documented policies or basic asset inventories. There are no consistent practices for access control, or patching, or logging.
My advice is always: don’t try to boil the ocean. Focus on controls that reduce the most risk quickly. Get multi-factor authentication in place. Make sure your endpoints have enterprise-grade EDR and are being monitored 24/7. Have someone managing vulnerability remediation. Those three alone can significantly lower your risk profile.
And while you’re maturing over time, that visibility layer — detection and response — is your safety net. It buys you time to fix what’s broken without leaving you exposed in the meantime.
LW: AI is everywhere. How is it changing the picture for SMBs?
Petersen: AI is lowering the barrier to entry for effective security. It allows us to deliver detection and response capabilities that used to be out of reach for SMBs. The economics have shifted.
AI helps with noise reduction and faster triage. It doesn’t replace human analysts, but it lets those analysts focus on what matters. What AI can’t do yet is understand your specific business context — what matters to you, what’s acceptable risk. That’s where humans still play a key role.
We’re integrating AI into every layer of our platform at RADICL, but we always pair it with expert oversight. That combination is what gives us scale and trust.
LW: Will CMMC raise the bar, or just become another checkbox?
Petersen: It comes down to intent. If companies treat CMMC like a box-checking exercise, they’ll end up just as vulnerable as before. But if they use it to guide real change, they’ll come out stronger.
The good news is that the best solutions today are built with security outcomes in mind. They’re affordable, scalable, and designed to help organizations both comply and defend. That’s a shift from the older generation of compliance-only tools that didn’t actually improve security.
LW: A midsize contractor comes to you and asks, “Where do we start?” What do you say?
Petersen: First, define what readiness means for your organization. It’s not just a document — it’s a plan with real action: who does what, when, and how.
Second, get help on the hardest pieces. You likely don’t have in-house staff to run 24/7 detection or to manage a vulnerability program end-to-end. So partner up. But be selective — not all managed service providers (MSPs) or managed security service providers (MSSPs) are built for CMMC.
And lastly, don’t assume a gap assessment is enough. You need to actually execute against it. That’s where we see companies stall.
LW: Do you think SMBs can ever get ahead of threats?
Petersen: I do. CMMC is creating the pressure to invest. At the same time, the tech has matured. Today, we can offer SMBs protection that rivals what the Fortune 500s have.
At RADICL, our whole focus is on making enterprise-grade, robust defense-in-depth protection accessible. We take the capabilities that used to be out of reach and deliver them as a turn-key, tech-enabled service, purpose-built for SMBs and the DIB. That’s what makes me hopeful. The tools are here. The awareness is rising. The pressure is real. Now it’s about innovation and execution.

Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.
(LW provides consulting services to the vendors we cover.)
November 17th, 2025 | Q & A | Top Stories