Study Shows DIB is Largely Failing Compliance and Unprepared to Face Attacks

By Carl Herberger • December 6, 2022

United States defense contractors hold sensitive information that’s vital to national security. Nation-state hackers are leveraging cyberattacks to get their hands on it, and they’re succeeding.


According to the Cybersecurity and Infrastructure Security Agency (CISA), Russia has utilized spear phishing attacks, “taking advantage of easily guessed usernames and passwords and exploiting existing unpatched network vulnerabilities.” In another incident, China didn’t even have to breach one San Diego contractor, who pleaded guilty to accepting money in exchange for aviation-related information and was sentenced to 20 months in prison.


Almost unbelievably, 79% of the U.S. Defense Industrial Base (DIB) lacks a comprehensive multi-factor authentication (MFA) system, table stakes for most businesses that don’t handle military secrets. That statistic only scratches the surface of how poorly prepared contractors are in achieving Defense Federal Acquisition Regulation Supplement (DFARS) compliance as required by law, according to the first-ever comprehensive, independent study of the DIB’s cybersecurity compliance efforts, conducted by Merrill Research and commissioned by CyberSheath.


Defense contractors will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance to combat cyberattacks and keep military secrets safe — and have had a multi-year headstart to fulfill the requirements. The goal of CMMC is to enhance the cybersecurity posture of the DIB and ensure an appropriate level of security is met.


Largely, contractors are sorely missing the mark.


The survey data of 300 U.S.-based Department of Defense (DoD) contractors was tested at the 95% confidence level, meaning that there is a 95% probability that significant differences are real and are not due to sampling error. The study was completed in July and August 2022, with CMMC 2.0 on the horizon. Here are a few key findings:


SPRS scores reflect confusion about requirements

DFARS requires a Supplier Performance Risk System (SPRS) score of 110. Critics of the system have anecdotally deemed a score of 70 to be “acceptable,” however the overwhelming majority of contractors still come up short.


The research shows 87% of contractors have a sub-70 SPRS score. That leaves just 13% with an “acceptable” score, and even less actually meeting the required benchmark.


The low scores are in line with confusion about the government requirements. Eighty-two percent of respondents said the regulations on cybersecurity are moderately to extremely difficult to understand. About 60% of respondents rate the difficulty in understanding how to achieve and maintain DFARS compliance as 7 out of 10 or higher.


Most contractors could greatly benefit from assistance in improving their SPRS score to meet required benchmarks and understanding government compliance regulations. Not enough DIB contractors have the help they need in ensuring sensitive national security information remains a secret.


DIB systems are not regularly monitored

Another gaping deficiency among respondents was the lack of continuous monitoring into critical systems, and very little presence of essential technologies to fight off nefarious actors.


Roughly 80% of the DIB doesn’t monitor its systems 24/7/365 and doesn’t use a U.S.-based and staffed security monitoring service. It is extremely concerning that the nation’s most critical military information is not tracked constantly by employees on domestic soil. With the gaps currently present, it’s evident nation-states have an advantage accessing secrets meant to stay within the Department of Defense (DoD).


Other common business security controls are missing, too

A shocking 80% don’t have a vulnerability management solution. Meanwhile, 73% lack an endpoint detection and response (EDR) solution and 70% have not deployed security information and event management (SIEM). The number drops just slightly for the number of contractors who have yet to install data leakage protection (67%) but clearly, DIB contractors are not adequately prepared to detect, respond or report a cybersecurity incident.


These security controls are legally required of the DIB, and since they are not met, there is a significant risk facing the DoD and its ability to conduct armed defense. As a result, the vast majority of respondents (88%) have experienced at least one financial, business, or reputational loss due to a cyber-incident.


According to Microsoft’s 2022 Digital Defense Report, cyberattacks targeting critical infrastructure jumped from accounting for 20% of all nation-state attacks to 40% over the last year. That number is just out of the attacks Microsoft was able to detect, meaning the actual total could be much higher. Given the amount of communication around the U.S. DoD cybersecurity regulations and the demonstrable risk to the nation’s supply chains, it is no surprise that a vast majority of respondents say that security is now a CEO or board-level concern.


However, the data shows cybersecurity compliance efforts at the federal level are grossly under met. There is much more that needs to be done to help DIB contractors reach future CMMC benchmarks and keep military secrets, the key to our national security, safe.


Watch CyberSheath’s webinar Defenseless – The State of the DIB to hear the results of the Merrill Research study and to learn how to accelerate your compliance journey. Read the full report to see the comprehensive findings.

CyberSheath Blog

2022 in Review: The CyberSheath Story Expands

This year marked a deluge of messaging about the Cybersecurity Maturity Model Certification (CMMC) and federal contractors were rightfully confused. With our keystone event, CMMC CON, we aimed to set the record straight and offer the best guidance for those in the Defense Industrial Base (DIB).   CMMC CON 2022…

CyberSheath Endorsed by Frost & Sullivan in First Independent Analyst Commentary on CMMC

Independent analyst firms have weighed in with commentary on nearly every discipline of information technology. Security has garnered a large portion of that IT discussion, yet until recently, Cybersecurity Maturity Model Certification (CMMC) compliance has been left out.   Frost & Sullivan changed that by selecting CyberSheath as its preferred…

Be Prepared: CMMC 2.0 Is Coming

Cybersecurity is increasingly important to safeguard your company, your customers, and your partners. We're moving into a global cyber era and we've got to get better at protecting ourselves.   Our adversaries are capitalizing on the lack of security controls in place in the defense industrial base (DIB) and we…

Our Trusted Partners

Tenable Microsoft Siemplify KnowBe4 ConnectWise DUO