
More than 87% of Pentagon Supply Chain Fails Basic Cybersecurity Minimums

First-ever independent study of the Defense Industrial Base (DIB) shows that federal contractors are not properly securing military secrets

RESTON, Va.--(BUSINESS WIRE)--Defense contractors hold information that's vital to national security and will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance to keep those secrets safe. Nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.

A shocking 87% of contractors have a sub-70 Supplier Performance Risk System (SPRS) score, the metric that shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

DFARS, which has been law since 2017, requires a score of 110 for full compliance. Critics of the system have anecdotally deemed 70 to be “good enough,” but the overwhelming majority of contractors still come up short.

The first-ever comprehensive, independent study of the DIB’s cybersecurity maturity was conducted by Merrill Research and commissioned by CyberSheath, the largest CMMC managed service vendor. The survey data of 300 U.S.-based Department of Defense (DoD) contractors was tested at the 95% confidence level, meaning that there is a 95% probability that significant differences are real and are not due to sampling error. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.

“The report’s findings show a clear and present danger to our national security,” said Eric Noonan, CEO of CyberSheath. “We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs. Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”

Roughly 80% of the DIB doesn’t monitor its systems 24/7/365 and doesn’t use U.S.-based security monitoring services. Other deficiencies were evident in the following categories that are currently required by law and will be required in the future to achieve CMMC compliance:

  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed security information and event management (SIEM)

These security controls are legally required of the DIB, and since they are not met, there is a significant risk facing the DoD and its ability to conduct armed defense. In addition to being largely non-compliant, an astounding 82% of contractors find it “moderately to extremely difficult to understand the governmental regulations on cybersecurity.”

About CyberSheath Services International, LLC
Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

Contacts

CyberSheath Services International, LLC
Kristen Morales at Kristen.Morales@cybersheath.com
