Study Shows DIB is Largely Failing Compliance and Unprepared to Face Attacks

United States defense contractors hold sensitive information that’s vital to national security. Nation-state hackers are leveraging cyberattacks to get their hands on it, and they’re succeeding.


According to the Cybersecurity and Infrastructure Security Agency (CISA), Russia has utilized spear phishing attacks, “taking advantage of easily guessed usernames and passwords and exploiting existing unpatched network vulnerabilities.” In another incident, China didn’t even have to breach one San Diego contractor, who pleaded guilty to accepting money in exchange for aviation-related information and was sentenced to 20 months in prison.


Almost unbelievably, 79% of the U.S. Defense Industrial Base (DIB) lacks a comprehensive multi-factor authentication (MFA) system, table stakes for most businesses that don’t handle military secrets. That statistic only scratches the surface of how poorly prepared contractors are in achieving Defense Federal Acquisition Regulation Supplement (DFARS) compliance as required by law, according to the first-ever comprehensive, independent study of the DIB’s cybersecurity compliance efforts, conducted by Merrill Research and commissioned by CyberSheath.


Defense contractors will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance to combat cyberattacks and keep military secrets safe — and have had a multi-year headstart to fulfill the requirements. The goal of CMMC is to enhance the cybersecurity posture of the DIB and ensure an appropriate level of security is met.


Largely, contractors are sorely missing the mark.


The survey data of 300 U.S.-based Department of Defense (DOD) contractors was tested at the 95% confidence level, meaning that there is a 95% probability that significant differences are real and are not due to sampling error. The study was completed in July and August 2022, with CMMC 2.0 on the horizon. Here are a few key findings:


SPRS scores reflect confusion about requirements

DFARS requires a Supplier Performance Risk System (SPRS) score of 110. Critics of the system have anecdotally deemed a score of 70 to be “acceptable,” however the overwhelming majority of contractors still come up short.


The research shows 87% of contractors have a sub-70 SPRS score. That leaves just 13% with an “acceptable” score, and even less actually meeting the required benchmark.


The low scores are in line with confusion about the government requirements. Eighty-two percent of respondents said the regulations on cybersecurity are moderately to extremely difficult to understand. About 60% of respondents rate the difficulty in understanding how to achieve and maintain DFARS compliance as 7 out of 10 or higher.


Most contractors could greatly benefit from assistance in improving their SPRS score to meet required benchmarks and understanding government compliance regulations. Not enough DIB contractors have the help they need in ensuring sensitive national security information remains a secret.


DIB systems are not regularly monitored

Another gaping deficiency among respondents was the lack of continuous monitoring into critical systems, and very little presence of essential technologies to fight off nefarious actors.


Roughly 80% of the DIB doesn’t monitor its systems 24/7/365 and doesn’t use a U.S.-based and staffed security monitoring service. It is extremely concerning that the nation’s most critical military information is not tracked constantly by employees on domestic soil. With the gaps currently present, it’s evident nation-states have an advantage accessing secrets meant to stay within the Department of Defense (DOD).


Other common business security controls are missing, too

A shocking 80% don’t have a vulnerability management solution. Meanwhile, 73% lack an endpoint detection and response (EDR) solution and 70% have not deployed security information and event management (SIEM). The number drops just slightly for the number of contractors who have yet to install data leakage protection (67%) but clearly, DIB contractors are not adequately prepared to detect, respond or report a cybersecurity incident.


These security controls are legally required of the DIB, and since they are not met, there is a significant risk facing the DOD and its ability to conduct armed defense. As a result, the vast majority of respondents (88%) have experienced at least one financial, business, or reputational loss due to a cyber-incident.


According to Microsoft’s 2022 Digital Defense Report, cyberattacks targeting critical infrastructure jumped from accounting for 20% of all nation-state attacks to 40% over the last year. That number is just out of the attacks Microsoft was able to detect, meaning the actual total could be much higher. Given the amount of communication around the U.S. DOD cybersecurity regulations and the demonstrable risk to the nation’s supply chains, it is no surprise that a vast majority of respondents say that security is now a CEO or board-level concern.


However, the data shows cybersecurity compliance efforts at the federal level are grossly under met. There is much more that needs to be done to help DIB contractors reach future CMMC benchmarks and keep military secrets, the key to our national security, safe.


Watch CyberSheath’s webinar Defenseless – The State of the DIB to hear the results of the Merrill Research study and to learn how to accelerate your compliance journey. Read the full report to see the comprehensive findings.

Join us March 27 at 12pm ET for Understanding CMMC 2.0: Maturity Levels, Implementation Use Cases and Costs a live webinar!
This is default text for notification bar