Defense Industrial Base (DIB) C-Suite Perspectives on CMMC

By Carl Herberger • January 19, 2021

Scrutiny of defense industrial base (DIB) cybersecurity has never been higher. The costs and impacts of security lapses are on full display in the wake of the SolarWinds breach, as federal agencies continue to investigate the full scale of the intrusion, likely the work of Russia.

Even before recent events, Cybersecurity Maturity Model Certification (CMMC) loomed large among the DIB. We took a snapshot this fall of where DoD contractors stand, surveying more than 200 senior executives to find out what work still needs to be done, the risks and challenges they face, and how to ensure long-term security and compliance.

The results reveal new opportunities, including mitigation and investment strategies, and highlight some of the biggest remaining unknowns that the DIB must quickly address.

This report is designed to help the DIB, the US DoD, and the general security community better understand the level of compliance, the acceptance of new rules, the level of understanding of the cyberattack threat landscape, and current levels of preparedness and business impacts.

Once you learn what DoD suppliers are thinking, find out what they’ve been doing for the past five years. We’re opening the vault on data from the hundreds of Prime and Sub-contractor assessments we’ve completed and scored, sharing trends and benchmarks to help contractors better navigate the road to CMMC compliance. Join our free webinar on February 3, 2021 for all the findings.

 

Among the key findings of the Fall 2020 executive survey:

 

Finding 1: 21% of DIB companies surveyed have experienced a cybersecurity incident

 A little over one-fifth of DIB companies indicated that they have been a victim of a cyberattack, highlighting the risk that CMMC aims to curb. But as the demand for security professionals outpaces supply, executives are increasingly looking to public cloud and key DIB partners to assist in managing security.

Public cloud infrastructure offers some of the best bets, and allows DIB companies to compete effectively in today’s digital world and stay secure. Moreover, as cyberattacks become more rampant, DIB C-Suite professionals are looking for active management and continuous monitoring of all infrastructures.

 

Finding 2: 82% of DIB contractors are handling CUI, a Critical Element in DFARS Compliance (CMMC / NIST 800-171)

Of DIB companies surveyed, 82% understand that they process Controlled Unclassified Information (CUI) as first defined by a ruleset under the Obama administration. As a result, they inherit the most onerous requirements of CMMC and NIST 800-171 security standards, which are critical to ensuring future DoD revenue.

Executives are concerned about the impact security threats can have on business performance, pointing to the potential loss of customers, brand reputation, and operational productivity. Many report adjusting budget priorities to better secure networks and prevent attacks.

The impacts of attacks on DIB corporate networks can vary depending on the industry in which companies compete. Manufacturers that have long embraced automation to boost production efficiencies now plan to integrate artificial intelligence in security measures with a corresponding shift in their IT budgets.

Events that most influence how executives view their companies’ security vulnerabilities include high-profile data breaches and nation-state attacks on peer companies, cyber-attacks on their organizations, and government regulations.

 

Finding 3: 93% of DIB companies are aware of CMMC

The DIB C-Suite research reveals that nearly all companies in the sector – 93% – are aware of the new CMMC rules and the important sector trends. DIB companies are attempting to educate themselves about the effects of recent rule changes on security requirements. Suppliers of all sorts need to consider documentation, adherence, and, in some cases, transformation of their security practices to protect and comply with the requirements of the new DoD rules.

Fortunately, only 13 of 201 respondents cited that they were unaware of the CMMC rules. Unfortunately, many in the DIB are ill prepared to actually implement them.

 

Finding 4: A third of DIB companies don’t know which CMMC level to focus on

 The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced/Progressive.” The intent is to incorporate CMMC as a requirement for contract award.

While 56% of respondents said they’re focused on Levels 1-3, with 42% focused on Level 3 alone, a large portion of respondents still don’t know which level to focus on. Some 33% of respondents said the level they would focus on is “uncertain.” That will limit their speed in adopting and certifying their compliance with the level they eventually must meet.

 

Finding 5:  More than half of DIB companies outsource IT and security functions

DIB C-suite executives face tough choices when deciding where to invest resources to propel their businesses forward. At least 4 in 10 respondents identify increasing infrastructure complexity, digital transformation plans, integrations of artificial intelligence, and migration to the cloud as putting pressure on security planning and budget allocation.

Executives understand that compliance to DFARS, NIST 800-171, and CMMC is paramount and to transform their businesses, they must embrace the integration of new technologies.

At the same time, they’re facing an internal skills gap. One-third of respondents report dependence on their internal IT talent, promoted from within, which can create a knowledge gap in security strategy.

The internal skills gap is not easily solved because the demand for security professionals outpaces supply. As a result, more executives report the need to look to outside security vendors for assistance.

In fact, more than 54% of executives report outsourcing both IT and IT Security to gain traction on competent and quick compliance. They’ve decidedly moved toward public and private cloud environments, and the survey data also reveals a shift of network security budgets toward technologies that employ more automation, more technology integration, and the ability to operate from a sovereign US environment on government-certified FedRAMP environments.

 

Finding 6: China and Russia aren’t the only risks on DIB companies’ minds

DIB C-Suite executives face tough choices when deciding where to invest resources to propel their businesses forward. As the threat of network attacks becomes a question of when, not if, chief executive officers and chief security officers must carefully evaluate the risks associated with security vulnerabilities and the costs of implementing effective security solutions.

At least 4 in 10 respondents identify these factors as putting pressure on their organizations’ security planning and investment:

  • Increasing infrastructure complexity
  • Threat from China, Russia, and Iran
  • Compliance to new regulations
  • Migration to the cloud

 

Finding 7: 40% of DIB companies estimate the cost of an attack at more than $1 million

Data breaches are expensive. They rack up monetary costs that directly affect companies’ bottom lines, but more troubling is the damage inflicted to intangibles such as brand reputation and customer trust.

Almost 40% of respondents estimated the hard cost of every attack to be more than 1 million USD/EUR/GBP, with cost estimates surging to more than 25 million USD/EUR/GBP for 5% of respondents. While soft costs are difficult to quantify, it is likely their impact is much higher over the long run than hard costs.

Hard and Soft Costs

Executive-Ranked-Top-3

 

About the Research

On behalf of CyberSheath, BAO surveyed 201 Executives from July to September 2020. To participate in the 2020 DIB C-Suite Compliance Security Survey, respondents were required to be a company who contracts with the US DoD and by design, the survey required at least half respondents to be C-level executives, though this year’s research attracted far more C-level corporate leaders. About 2/3rds of the companies in the survey have less than 500 employees.

 

Don’t forget: Sign up for our free webinar on February 3, 2021 to learn what high- and low-scoring organizations have in common, variables that negatively affect most businesses, and characteristics of companies attaining compliance. Don’t miss it!

How Secure is the DIB Supply Chain?

Cybersheath Blog

3 Reasons Why You Need a Privileged Access Risk Assessment

A privileged account is one used by administrators to log in to servers, networks, firewalls, databases, applications, cloud services and other systems used by your organization. These accounts give enhanced permissions that allow the privileged user to access sensitive data or modify key system functions, among other things. You can…

Incident Response – Learning the Lesson of Lessons Learned

“Those who do not learn from history are condemned to repeat it.” Over the years, variations of this famous quote have been spoken by everyone from philosophers to world leaders. The message — that we must learn from our mistakes or continue to repeat them — is also highly relevant…

What is DFARS 252.204-7012 and NIST SP 800-171?

With the Department of Defense (DoD) promising the release of an update to NIST Special Publication 800-171, it is imperative defense contractors understand what DFARS 252.204-7012 and NIST SP 800-171 Clause is and how noncompliance with the Clause will impact their business.  Compliance is mandatory for contractors doing business with…

Our Trusted Partners

Cyberark McAfee Thycotic RSA Tenable Alien Vault Alert Logic Microsoft