Federal defense contractors are not properly securing military secrets
Defense contractors hold information that’s vital to national security and will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance to keep those secrets safe. Nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.
A shocking 87% of contractors have a sub-70 Supplier Performance Risk System (SPRS) score, the metric that shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
DFARS, which has been law since 2017, requires a score of 110 for full compliance. Critics of the system have anecdotally deemed 70 to be “good enough,” but the overwhelming majority of contractors still come up short.
A study of the cybersecurity maturity of the Defense Industrial Base (DIB) was conducted by Merrill Research and commissioned by CyberSheath. The survey data from 300 US-based Department of Defense (DoD) contractors was tested at the 95% confidence level, meaning that there is a 95% probability that significant differences are real and are not due to sampling error.
“The report’s findings show a clear and present danger to our national security,” said Eric Noonan, CEO of CyberSheath. “We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs. Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”
Roughly 80% of the DIB doesn’t monitor its systems 24/7/365 and doesn’t use US-based security monitoring services. Other deficiencies were evident in the following categories, all of which will be required to achieve CMMC compliance:
- 80% lack a vulnerability management solution
- 79% lack a comprehensive multi-factor authentication (MFA) system
- 73% lack an endpoint detection and response (EDR) solution
- 70% have not deployed security information and event management (SIEM)
These security controls are legally required of the DIB; because they are largely unmet, the DoD faces a significant risk to its ability to conduct armed defense. In addition to being largely non-compliant, an astounding 82% of contractors find it “moderately to extremely difficult to understand the governmental regulations on cybersecurity.”