-

Study Shows Defense Contractors Haven’t Improved Cybersecurity, Despite Increasing Threats

Independent study shows compliance and enforcement of security controls is low

RESTON, Va.--(BUSINESS WIRE)--Threats like Volt Typhoon, PowerDrop, and nation-state plots highlight the importance of supply chain cybersecurity and show why programs like Cybersecurity Maturity Model Certification (CMMC) were enacted. Contractors in the defense industrial base (DIB) understand the risk but haven’t implemented the necessary security controls, according to a study conducted by Merrill Research and commissioned by CyberSheath, the largest CMMC managed service vendor.

The second edition of the comprehensive, independent study of the DIB’s cybersecurity posture shows the average Supplier Performance Risk System (SPRS) score is a woeful -15, far short of the 110 score required by the Defense Federal Acquisition Regulation Supplement (DFARS).

DFARS was signed into law in 2017 and is in over 1 million contracts today, but adherence to compliance requirements remains low. Only 36% of respondents even submitted SPRS scores, significantly lower than the 46% that submitted last year in the inaugural report. Moreover, 81% of respondents claim to be compliant only via self-assessment, up 10 percentage points from last year. Significantly fewer reported compliance via medium or high assessment.

“The government has done the hard work of creating controls to better protect our most sensitive data, which is increasingly a valuable currency to foreign countries, but enforcement hasn’t kept pace,” said Eric Noonan, CEO of CyberSheath. “This year’s survey shows we haven’t made much progress in protecting military secrets, and until the DIB is compelled to do so, our security posture will remain stagnant.”

The study shows contractors pick and choose which areas they’ll take action on. Only 19% of respondents have implemented vulnerability management solutions, and 25% have secure IT backup solutions, both keys to DFARS compliance that were implemented more last year. Yet 40% go further than the law requires and explicitly deny the use of Huawei, which the Federal Communications Commission (FCC) designated as a national security risk.

The DIB’s unpreparedness will undoubtedly make compliance more difficult whenever CMMC 2.0 arrives. Roughly 70% of respondents rate the difficulty of understanding how to achieve and maintain CMMC compliance as a seven or higher on a scale from 1-10, up from 57% last year.

CyberSheath will dig further into the findings during its CMMC CON 2023 virtual event on Sept. 27 from 9 a.m. to 5 p.m. EDT. Register for the event and read the full Merrill Research report.

About CyberSheath

Established in 2012, CyberSheath is one of the most experienced and trusted IT security services partners for the U.S. defense industrial base. From CMMC compliance to strategic security planning to managed security services, CyberSheath offers a comprehensive suite of offerings tailored to clients’ information security and regulatory compliance needs. Learn more at www.cybersheath.com.

Contacts

CyberSheath
Kristen Morales at Kristen.Morales@cybersheath.com

CyberSheath


Release Versions

Contacts

CyberSheath
Kristen Morales at Kristen.Morales@cybersheath.com

Social Media Profiles
More News From CyberSheath

CyberSheath Reopens Free Defense Contractor Cybersecurity Compliance Training Program as the DIB Races Toward CMMC Phase 2 Deadline

RESTON, Va.--(BUSINESS WIRE)--With the Phase 2 Cybersecurity Maturity Model Certification (CMMC) deadline arriving Nov. 10, 2026, defense contractors that haven’t started preparing face a shrinking window to get certified before third-party assessments become mandatory. The most recent State of the DIB Report, conducted by Merrill Research, found that only 1% of defense contractors felt fully prepared for CMMC assessments, and 69% rated achieving and maintaining compliance at 7 out of 10 or hig...

CyberSheath Opens Registration for CMMC CON 2026 as Phase 2 Deadline and Assessor Shortage Bear Down on Defense Contractors

RESTON, Va.--(BUSINESS WIRE)--The Cybersecurity Maturity Model Certification (CMMC) program’s phased rollout reaches a critical milestone on Nov. 10, 2026, when Phase 2 makes third-party assessments mandatory for most defense contracts. However, there are only 103 authorized C3PAOs that serve the roughly 80,000 organizations that need Level 2 certification. Against that backdrop, CyberSheath has opened registration for CMMC CON 2026, the longest-running CMMC event and now in its seventh year. T...

CyberSheath Helps Tunnell Consulting Achieve CMMC Level 2 Certification Through a Strategically Scoped CUI Environment

RESTON, Va.--(BUSINESS WIRE)--CyberSheath, the largest Cybersecurity Maturity Model Compliance (CMMC) managed service vendor, helped Tunnell Consulting, a consulting firm that provides specialized scientific and technical expertise to government agencies and commercial clients, achieve CMMC Level 2 certification with a perfect 110 score using a targeted enclave solution designed around the Company’s limited controlled unclassified information (CUI) handling requirements. With defense spending c...
Back to Newsroom