Deltek Clarity Report Highlights Growing CMMC Pressure Across GovCon Market

• Deltek’s latest GovCon Clarity Report found rising CMMC applicability and compliance costs are increasing operational pressure across the defense industrial base.
• Kevin Plexico said growing cybersecurity requirements and contract vehicle consolidation are accelerating competitive pressures within GovCon.
• Government and industry leaders will discuss evolving cyber priorities and defense industrial base security at Potomac Officers Club’s 2026 Cyber Summit on May 21.

Cybersecurity Maturity Model Certification requirements are becoming an increasingly significant competitive and operational factor across the government contracting sector, according to Deltek’s newly released 2026 GovCon Clarity Report and comments from company executive Kevin Plexico.

The report found 59 percent of government contractors expect Cybersecurity Maturity Model Certification requirements to apply to their organizations in 2026, up from 55 percent last year, while cybersecurity ranked as the industry’s top audit risk area. (You can access the full 2026 GovCon Clarity Report here.)

“The cost of compliance is going up,” Plexico, senior vice president of information solutions at Deltek, GovCon Expert and multiple Wash100 Award winner, told ExecutiveBiz in a recent interview discussing the report. “Over 50 percent expect CMMC to apply to them.”

Industry members looking for new approaches and details regarding CMMC should attend Potomac Officers Club’s 2026 Cyber Summit. The event, coming this Thursday, May 21, will feature top Department of War leadership like Acting CISO Aaron Bishop and Assistant Secretary of War for Cyber Policy Katherine Sutton as keynotes. They will discuss cyber modernization, operational resilience, AI governance and evolving defense cybersecurity priorities impacting federal contractors. Limited tickets remain!

What Is Driving Increased CMMC Pressure?

According to Deltek’s report, GovCons are facing growing pressure to balance operational speed, compliance requirements and profitability as agencies accelerate modernization initiatives and cybersecurity expectations.

Plexico said compliance obligations are becoming more significant as firms navigate rising operational costs and intensified competition for federal work.

“I feel like consolidation has to flatten out soon because it’s been on a decade-long decline,” Plexico said. “But unfortunately it accelerated this year.”

He attributed part of that pressure to increasing compliance burdens and growing reliance on indefinite-delivery/indefinite-quantity vehicles and best-in-class contracts.

Deltek additionally found 96 percent of contractors expect compliance costs to either remain elevated or increase in the coming year.

The report also found contractors continue to face margin pressure despite revenue growth, suggesting firms may struggle to absorb expanding cybersecurity and governance costs over time.

Why Is CMMC Becoming a Competitive Requirement?

Industry observers increasingly describe CMMC as more than a compliance framework, particularly as implementation timelines become more concrete.

A recent Kaseya piece said Phase 1 CMMC enforcement began Nov. 10, 2025, while Phase 2 implementation begins Nov. 10, 2026, making Certified Third-Party Assessor Organization certification mandatory across a broader set of applicable contracts.

According to Kaseya, organizations that are not certified when applicable Phase 2 solicitations appear “cannot compete for that award,” while many contractors require nine to 12 months to become assessment-ready.

The article also noted that CMMC obligations increasingly extend beyond prime contractors to subcontractors and managed service providers that handle controlled unclassified information as part of defense programs.

Those expanding requirements could create disproportionate challenges for smaller contractors and suppliers with fewer resources to dedicate toward cybersecurity modernization and compliance programs, according to industry observers.

“Clearly companies are really leaning into AI as a source of productivity and automation to drive efficiency.” — Kevin Plexico

How Are Contractors Responding to Rising Cybersecurity Requirements?

Deltek’s report found GovCons are increasingly turning toward automation, operational efficiency initiatives and AI-enabled workflows to manage rising costs and operational complexity.

According to the study, 90 percent of government contractors now use AI in some capacity, while 92 percent reported using generative AI tools.

Plexico said many firms view AI and automation as important tools for improving productivity and operational resilience.

“Clearly companies are really leaning into AI as a source of productivity and automation to drive efficiency,” he said.

However, Deltek also found governance maturity continues to lag adoption levels, potentially creating additional compliance and auditability concerns as contractors integrate AI more deeply into pricing, proposal development and cybersecurity workflows.

Two dedicated panels at Potomac Officers Club’s 2026 Cyber Summit on Thursday, May 21, will tackle AI’s role in cybersecurity. Throughout the day, top federal officials and industry executives will examine evolving cyber requirements and emerging threats facing the DIB. You don’t want to miss this!

What Could CMMC Rev. 3 Mean for Contractors?

Even as many contractors continue preparing for current CMMC requirements, industry experts are already warning about future revisions.

A recent Federal News Network commentary piece by Redspin Lead CMMC Certified Assessor Ned Butler said the War Department is preparing for eventual alignment with NIST SP 800-171 Revision 3 requirements.

According to Butler, Revision 3 introduces additional focus areas involving supply chain security, incident response and advanced threat protection while adding new organization-defined parameters agencies may use to establish more specific cybersecurity requirements.

Butler wrote that organizations pursuing compliance today should continue aligning with Revision 2 requirements while beginning longer-term migration planning toward Revision 3 standards.

“The entire DIB must remember that CMMC compliance is a continual journey that is necessary to protect our warfighters and our nation,” Butler wrote.

What Is Deltek’s GovCon Clarity Report?

The GovCon Clarity Report is Deltek’s annual benchmarking study focused specifically on the government contracting sector and is part of the company’s broader Clarity research series covering multiple industries.

Now in its 17th year, the GovCon edition examines financial performance, operational trends, compliance pressures, business development practices and emerging technologies affecting contractors across the federal market. This year’s report was based on responses from 917 government contractors collected in January.

Who Is Kevin Plexico?

Plexico serves as senior vice president of information solutions at Deltek and has played a major role in development of the company’s annual GovCon Clarity Report and broader government market analysis initiatives. He frequently speaks on GovCon market conditions, federal acquisition trends and operational challenges affecting contractors.