The majority of US defense contractors do not meet the minimum requirements for cybersecurity

CyberSheath reported that nearly nine out of ten US defense contractors do not adhere to fundamental cybersecurity regulations.

Only 13% of respondents achieve a Supplier Risk Performance System score of 70 or higher, according to a survey of 300 US-based Department of Defense (DoD) contractors. Full compliance with the Defense Federal Acquisition Regulation Supplement (DFARS) requires a score of 110.

According to the study’s authors, a score of 70 is anecdotally considered “good enough” to be regarded as compliant. DFARS, introduced in 2017, is intended to strengthen cybersecurity in the defense industrial base. To compete for DoD contracts, defense contractors must also pass the Cybersecurity Maturity Model Certification (CMMC), a certification program.

CMMC was first released in January 2020, and the 2.0 update will take effect in May 2023. Certification levels range from one to five, with level five the highest, and each level corresponds to a distinct process maturity level. According to the latest survey, the vast majority of DoD contractors are neither in a position to meet the revised CMMC requirements nor currently satisfying their DFARS commitments.

If DoD contracts are lost, nearly half of defense contractors could lose up to 40% of their revenue, which could have severe repercussions for the industry.

CREST’s USA chairman gave a statement to Infosecurity

“CMMC is a set of commercially reasonable criteria to protect data,” stated Tom Brennan, USA Chairman at CREST, in a statement to Infosecurity. Companies must therefore treat it as a routine aspect of operations or risk losing the contract.

However, the study found that 79% of organizations do not have a comprehensive multi-factor authentication system, 73% do not have an endpoint detection and response (EDR) solution, and 80% do not have a vulnerability management solution.

The Cybersecurity and Infrastructure Security Agency released a warning

Because of the sensitive information they hold about the US military, defense contractors are a top target for nation-state actors. In October 2022, the Cybersecurity and Infrastructure Security Agency (CISA) released a warning describing advanced persistent threat (APT) activity discovered on the enterprise network of a defense sector organization.

In the worrying CyberSheath research, nearly three out of five defense contractors reported a commercial loss due to a cyber-related incident, and more than four out of five reported experiencing a cyber-related incident.

“The report’s results demonstrate a clear and present danger to our national security,” said Eric Noonan, CEO of CyberSheath. The risks posed by supply chains that are vulnerable to cyberattacks are frequently cited. The Pentagon’s supply chain is known as the defense industrial base (DIB), and despite being targeted by threat actors, its contractors are shockingly unprepared. As a result, military secrets are not secure, and urgent action must be taken to improve the cybersecurity of this group, which frequently falls short of even the most fundamental standards.

Understanding CMMC compliance rated seven out of ten for difficulty

According to 82% of respondents, one of the leading causes of non-compliance is a failure to understand governmental cybersecurity requirements. In addition, about three-fifths of survey participants rated the difficulty of understanding CMMC compliance at seven out of ten.

According to Carl Herberger, vice president of security services at CyberSheath, businesses are having trouble complying with the rules because there has not been adequate enforcement in the past. Historically, he said, there has been little enforcement and control of these standards, which has led to “happenstance” compliance.

“As the government steps into a realization of this and the laws follow, we hope to see far wider adoption. Unfortunately, it’s a story of the ‘haves’ and ‘have-nots.’ Contractors who struggle have successfully grown their businesses without significant technology investments, have not taken advantage of cloud-based economies of scale, and therefore are far behind other industries, and that learning curve is steep.”

He contended that the CMMC’s enforcement would eventually increase compliance. “This will drive understanding and adoption because cybersecurity compliance now stands in the way of revenue. Second, we need some incentives, tax or otherwise, to propel contractors to make these investments quickly,” outlined Herberger.

Contractors should make cybersecurity compliance a top business priority

According to Brennan, these contractors should make cybersecurity compliance a top business priority. “The companies must choose a candidate with both technical and managerial abilities. In addition, the CEO is required to countersign attestations,” he added.

The survey’s finding that many defense contractors recognize the importance of adhering to cybersecurity requirements is promising. Three out of five respondents said MSPs, MSSPs, and IT providers should be accredited, while almost half said that DFARS reforms substantially impacted national security.

“This time, it’s real. The DoD is fully committed to enforcing cybersecurity compliance, and while the defense industry base has a long way to go in implementing all of the requirements, they are fully onboard with the need to be more secure. It’s heartwarming that most companies now acknowledge that these laws should improve the American government’s security and corporate-level cybersecurity,” Herberger added.