Nearly nine out of ten US defense contractors fail to meet basic cybersecurity minimums, according to research commissioned by CyberSheath.
CyberSheath's survey of 300 US-based Department of Defense (DoD) contractors found that just 13% of respondents have score of 70 or above in the Supplier Performance Risk System (SPRS), the Department of Defense’s primary system for assessing supplier and product risk for contractors who handle unclassified information. According to the Defense Federal Acquisition Regulation Supplement (DFARS), a score of 110 is required for full compliance.
While the researchers noted that critics of the system have anecdotally considered a score of 70 to be "good enough," most contractors still have not met even that baseline.
"The report's findings show a clear and present danger to our national security," said Eric Noonan, CEO of CyberSheath. "We often hear about the dangers of supply chains that are susceptible to cyberattacks. The [defense industrial base] is the Pentagon's supply chain, and we see how woefully unprepared contractors are despite being in the threat actors' crosshairs."
DFARS, which has been in law since 2017, is designed to maintain cybersecurity standards across the defense industrial base (DIB). In order to sell products into the DoD, contractors will soon be required to comply with the Cybersecurity Maturity Model Certification (CMMC), which is expected to go into effect in May 2023. The research found that most contractors have not followed DFARS requirements, nor are the prepared for future CMMC compliance.
Noonan told SC Media that the findings are not "pretty" but also "not surprising."
"After decades of not investing in IT and cybersecurity and the people and processes necessary to sustain those investments, it is an overwhelming lift for many federal contractors that suddenly need to retrofit their legacy infrastructure for 21st-century threats," Noonan said.
Most contractors face problems with compliance, technology adoption
Indeed, according to the report, many contractors find understanding the requirements of CMMC and DFARS challenging, with 60% of all respondents rating a score of 7 or above out of 10 — 10 being extremely challenging.
“The requirements in NIST SP 800-171 are the result of a decades-long march toward flexible requirements that are now so open-ended and nebulous. It should be no surprise that contractors find them unhelpful,” Jacob Horne, a chief security evangelist at Summit7 who specializes in defense contracting cybersecurity, told SC Media in an email.
According to Horne, instead of continuing to clarify the security requirements (something DoD has been doing for years) the department should provide specification, examples, and reference architectures to help contractors understand how to comply with the rules.
“If cookbooks singularly focused on flexible ‘outcomes’ like cybersecurity regulations, then they would only contain pictures without recipes,” Horne said. “Industry clearly does not need more admonishments to ‘be secure’, they need to know how to get there.”
According to the report, eight in ten respondents said they lack a vulnerability management solution, and nearly the same lack a comprehensive multi-factor authentication system. While the cybersecurity industry has developed a host of tools and technologies for monitoring known digital threats and malicious cyber activity, few contractors appear to be using them. Over 73% lack an endpoint detection and response solution, and 70% have not deployed security information and event management.
The defense contractor community has been under relentless attack from foreign intelligence agencies, ransomware groups and other malicious actors over the past decade, and Pentagon officials and Congress have moved to update or enforce a number of heightened cybersecurity standards in an effort to prevent the theft or compromise of intellectual property and valuable unclassified information that underpins U.S. military superiority.
Robert Metzger, head of the Washington office at Rogers Joseph O’Donnell and a coauthor of Deliver Uncompromised, an influential 2018 MITRE report on supply chain security, said that contractors fail to adopt many recommended practices, such as endpoint detection, because they demand significant expense.
“[All of these practices] require workforce training, corporate commitment, investment in hardware, and continuing expense from service providers and license security applications,” Metzger told SC Media in an interview.
However, Metzger said he thinks DoD has done “an extraordinary job” over the past seven years to help contractors understand the requirements. One of the fundamental problems is that small and medium sized companies are not willing to invest in time and money to study these standards.
In response to the compliance difficulties, Noonan said that defense contractors could solve their compliance challenges at scale with little cost by moving to the cloud.
Noonan also advised contractors to collaborate with industrial partners, such as managed services providers and professional services providers, to better manage the security risks. Metzger agreed with the solution, but warned that contractors should stay attentive to the credentials of third-party providers.
As for DoD, the department should encourage the use of these providers while thinking about how to assess their security, Metzger said.
