Nearly nine in 10 (87%) of US defense contractors are failing to meet basic cybersecurity regulation requirements, according to research commissioned by CyberSheath.
The survey of 300 US-based Department of Defense (DoD) contractors found that just 13% of respondents have a Supplier Risk Performance System (SPRS) score of 70 or above. Under the Defense Federal Acquisition Regulation Supplement (DFARS), a score of 110 is required for full compliance.
Anecdotally, a score of 70 is believed to be “good enough” to be considered compliant, according to the study authors.
DFARS, which was enacted into law in 2017, is designed to bolster cybersecurity in the defense industrial base. Defense contractors also must comply with the Cybersecurity Maturity Model Certification (CMMC), a certification framework they must pass to bid for contracts with the DoD.
The first version of CMMC was released in January 2020, with an updated version, 2.0, coming into effect in May 2023. It offers five certification levels spanning one through five, with five being the highest. Each level maps to a different level of process maturity.
The new study suggests the vast majority of DoD defense contractors are neither meeting current DFARS obligations or in a position to comply with the updated version of CMMC.
This could have major consequences for defense contractors, nearly half of whom would lose up to 40% of their revenue if DoD contract loss occurs, according to the research.
Speaking to Infosecurity, Tom Brennan, USA Chairman at CREST, said: “CMMC is a set of commercially reasonable standards to protect data. Organizations should address it as part of doing business or they can lose the contract.”
Yet, the report found that 70% have not deployed security information and event management (SIEM), 79% lack a comprehensive multi-factor authentication system, 73% do not have an endpoint detection response (EDR) solution and 80% lack a vulnerability management solution.
Defense contractors are a major target for nation-state groups due to the sensitive data they hold relating to the US military. In October 2022, the Cybersecurity and Infrastructure Security Agency (CISA) published an advisory highlighting advanced persistent threat (APT) activity observed on a defense organization's enterprise network.
Worryingly, more than four out of five defense contractors said they experienced a cyber-related incident in the CyberSheath study, with nearly three out of five experiencing business loss due to a cyber-related event.
Eric Noonan, CEO of CyberSheath, commented: “The report’s findings show a clear and present danger to our national security. We often hear about the dangers of supply chains that are susceptible to cyber-attacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs. Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often do not meet even the most basic cybersecurity requirements.”
A major factor in non-compliance appears to be a lack of understanding of government cybersecurity regulations, which was cited by 82% of respondents. Around three-fifths of respondents rated the difficultly of understanding CMMC compliance as seven out of 10.
Carl Herberger, vice president, security services at CyberSheath, told Infosecurity that a previous lack of enforcement of government regulations explains the compliance difficulties being faced, with businesses needing to adapt. “Traditionally there has been very little oversight of these regulations and very little enforcement resulting in ‘happenstance’ compliance,” he explained.
“As the government steps into a realization of this and the laws follow, we hope to see far wider adoption. It’s a story of the ‘haves’ and ‘have nots.’ Contractors who struggle have successfully grown their businesses without significant technology investments, have not taken advantage of cloud based economies of scale and therefore are quite far behind other industries and that learning curve is steep.”
He argued that enforcement of the CMMC will ultimately improve compliance. “This will drive understanding and adoption because cybersecurity compliance now stands in the way of revenue. Second, we need some kind of incentives, tax or otherwise, to propel contractors to make these investments quickly,” outlined Herberger.
Brennan said that cybersecurity compliance should become a business priority for these contractors. “The organizations must appoint a person with the technical and business skills. Second, the CEO must countersign attestations,” he commented.
An encouraging aspect of the survey was that a high proportion of defense contractors appreciate the importance of complying with cybersecurity regulations. Nearly half said DFARS improvements have a significant impact on national security, while three out of five believe MSPs, MSSPs and IT providers should be certified.
Herberger added: “This time it’s real. The DoD is fully committed to enforcing cybersecurity compliance and while the defense industry base has a long way to go in implementing all of the requirements, they are fully onboard with the need to be more secure. It’s heartwarming to see that most companies now acknowledge that these laws should improve both the American government’s security and corporate-level cybersecurity.”
Correction: CMMC 2.0 has three levels, reduced from five in CMMC 1.0. The planned schedule is for CMMC rulemaking to be complete by May 2023, but it is not expected to start appearing in DoD contracts until later in 2023.
