The vast majority of US defense contractors are failing to meet bare-minimum cybersecurity requirements imposed five years ago, according to a Merrill poll commissioned by managed security provider CyberSheath.
The 2017 Defense Federal Acquisition Regulation Supplement (DFARS) considers a contractor to be in perfect compliance with the federal government’s cybersecurity expectations if they have a score of 110 on a scale called the Supplier Performance Risk System (SPRS). Virtually none of them are even close, the poll of 300 Department of Defense contractors found.
In fact, fewer than 13% reported an SPRS score of 70 or above. That’s the number the company says is commonly referred to within the industry as “good enough.” The average score was −23, on a scale whose lowest possible rating is −203, presenting “significant opportunity for improvement.”
According to the survey, defense contractors have failed to implement basic standards. A sampling:
- 30% have security information and event management (SIEM)
- 27% have an endpoint detection and response (EDR) solution
- 20% have a vulnerability management solution
- 21% have multi-factor authentication (MFA)
It should go without saying that the defense sector is one of the top targets for hacking campaigns.
“The world’s largest supply chain—that is, defense contractors supporting the Department of Defense—is largely noncompliant with their mandatory cybersecurity requirements,” CyberSheath CEO Eric Noonan told IT Brew.
Noonan said that while contractors currently only need to self-certify that they’re in compliance with DFARS, the survey is a wake-up call as the Pentagon prepares to implement the Cybersecurity Maturity Model Certification (CMMC). While the rollout date for CMMC has become something of a moving target, compliance will be a pre-award requirement, meaning companies won’t be able to win contracts unless they meet the standard. Whether or not a company is deemed CMMC-compliant will be up to independent auditors.
Among the more concerning findings: 88% of respondents said they had experienced loss from a cyber incident, and nearly three out of five said they had lost business as a result. And while 97% of respondents reported having cybersecurity insurance, prime contractors said their ideal price point for solutions was between one dollar and slightly over $1,000. Noonan said those numbers were “very unrealistic” and further evidence that many companies haven’t been looking into the standards as closely as they should.
“To their credit, the federal government gave industry the opportunity to solve this problem themselves without mandatory verification,” Noonan said. “This research clearly indicates [that] it’s failed. So, now they’re moving to enforcement.”
Michael Daniel, president and CEO of the Cyber Threat Alliance, told IT Brew via email that the defense industry wasn’t unique in underinvesting in cybersecurity, or failing to prioritize it as a part of a company’s culture and organizational processes.
“For many years, cybersecurity has been considered a purely technical problem, a good-to-have capability, a cost center, or some combination of all three,” Daniel wrote. “It has to become part of running a reputable, successful business, just like keeping clean books or maintaining workplace safety.”
Noonan’s advice to defense contractors is to treat CMMC as “just table stakes for working in the space,” adding that the best time to improve cybersecurity would have been five to seven years ago.
“But the second-best time is right now, because this is not a simple process,” he added.—TM