More than 87 percent of Pentagon supply chain contractors fail to meet minimum cybersecurity requirements, according to a new report by CyberSheath.
Survey data from 300 U.S.-based Defense Department (DoD) contractors showed that nearly nine in 10 defense contractors have a cyber hygiene score below 70.
“The report’s findings show a clear and present danger to our national security,” said Eric Noonan, CEO of CyberSheath.
“We often hear about the dangers of supply chains that are susceptible to cyberattacks. The [Defense Industrial Base] is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs,” he continued. “Our military secrets are not safe, and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”
The contractors were scored using the Supplier Performance Risk System (SPRS) score, a metric that shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
DFARS enacted the Cybersecurity Maturity Model Certification (CMMC) 1.0 in 2020. The DoD is now actively revising these requirements for Pentagon contractors as CMMC 2.0, so the current regulations have been suspended until the new version is officially released.
DFARS requires a score of 110 for full compliance, but according to the report, critics of the system have anecdotally deemed 70 to be “good enough” – despite the overwhelming majority of contractors still coming up short.
The report also examined how contractors fare on other security controls that will be required in the near future to achieve CMMC compliance:
- Only 20 percent continuously monitor their systems with U.S.-based security monitoring services;
- Only 20 percent have a vulnerability management solution;
- Seventy-nine percent lack a comprehensive multi-factor authentication system;
- Only 27 percent have an endpoint detection and response solution; and
- Thirty percent have deployed security information and event management.