Study Shows Defense Contractors Haven’t Improved Cybersecurity, Despite Increasing Threats

Independent study shows compliance and enforcement of security controls is low

RESTON, Va.--()--Threats like Volt Typhoon, PowerDrop, and nation-state plots highlight the importance of supply chain cybersecurity and show why programs like Cybersecurity Maturity Model Certification (CMMC) were enacted. Contractors in the defense industrial base (DIB) understand the risk but haven’t implemented the necessary security controls, according to a study conducted by Merrill Research and commissioned by CyberSheath, the largest CMMC managed service vendor.

The second edition of the comprehensive, independent study of the DIB’s cybersecurity posture shows the average Supplier Performance Risk System (SPRS) score is a woeful -15, far short of the 110 score required by the Defense Federal Acquisition Regulation Supplement (DFARS).

DFARS was signed into law in 2017 and is in over 1 million contracts today, but adherence to compliance requirements remains low. Only 36% of respondents even submitted SPRS scores, significantly lower than the 46% that submitted last year in the inaugural report. Moreover, 81% of respondents claim to be compliant only via self-assessment, up 10 percentage points from last year. Significantly fewer reported compliance via medium or high assessment.

“The government has done the hard work of creating controls to better protect our most sensitive data, which is increasingly a valuable currency to foreign countries, but enforcement hasn’t kept pace,” said Eric Noonan, CEO of CyberSheath. “This year’s survey shows we haven’t made much progress in protecting military secrets, and until the DIB is compelled to do so, our security posture will remain stagnant.”

The study shows contractors pick and choose which areas they’ll take action on. Only 19% of respondents have implemented vulnerability management solutions, and 25% have secure IT backup solutions, both keys to DFARS compliance that were implemented more last year. Yet 40% go further than the law requires and explicitly deny the use of Huawei, which the Federal Communications Commission (FCC) designated as a national security risk.

The DIB’s unpreparedness will undoubtedly make compliance more difficult whenever CMMC 2.0 arrives. Roughly 70% of respondents rate the difficulty of understanding how to achieve and maintain CMMC compliance as a seven or higher on a scale from 1-10, up from 57% last year.

CyberSheath will dig further into the findings during its CMMC CON 2023 virtual event on Sept. 27 from 9 a.m. to 5 p.m. EDT. Register for the event and read the full Merrill Research report.

About CyberSheath

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at


Kristen Morales at