Two men enter the booth of Lockheed Martin, the biggest defense company in the world, during the Singapore Airshow last February in Singapore. A new evaluation of 300 defense contractors shows a substantial number, 28%, would likely fail to meet the lowest version of new DOD cybersecurity standards. (Photo by Suhaimi Abdullah/Getty Images)

An evaluation of 300 small and medium-sized prime contractors highlights how far some of these businesses have to go to comply with the basic cybersecurity expectations imposed by the federal government.

With contractors in the crosshairs of hostile nation-state hacking groups and ransomware gangs, the Department of Defense is in the midst of implementing a new evaluation program called the Cybersecurity Maturity Model Certification. The multi-tiered certification process of CMMC is designed to raise the collective floor of federal contracting cybersecurity for controlled unclassified information, while setting down increasingly advanced requirements for companies, depending on the sensitivity of their work or their supply chain dependencies.

But the new contractor study, the results of which were released today by cybersecurity company BlueVoyant, revealed that nearly three in ten (28%) showed evidence that they would fail to meet CMMC’s first (and lowest) baseline requirements. These include basic cyber and email hygiene practices like identity management, authentication, limiting information access and administrative control to authorized users, and verifying and limiting connections to external systems over the internet.

Austin Berglas, BlueVoyant’s head of professional services and a former head of the FBI New York field office's cyber office, said that these contractors often fail to patch vulnerabilities, follow basic email security hygiene and secure open ports. “All those would have to be fixed in order for them to reach that basic level-one maturity” in CMMC, he explained.

Much of the worry around CMMC from the defense industry has revolved around the cost and resource burden on small- and medium-sized businesses. The findings from BlueVoyant suggest that while size does play an important role in a company’s readiness against CMMC standards, industrial sector was actually a stronger predictor.

BlueVoyant said it found at least nine companies that were still operating with unpatched versions of Microsoft Exchange or F5 products, more than six months after the relevant vulnerabilities were disclosed. All nine of the companies operated in either the manufacturing space or in research and development – the two industrial sectors with the highest risk profiles.

“Across the board when you’re looking at any type of supply chain, whether it’s in the [defense industrial base] or out, oftentimes your weakest links are going to be those smaller organizations that don’t have the resources to best protect themselves,” said Berglas. “But based on the reporting we’ve done it showed that there is a kind of nexus between size and industry segments.”

Those weaknesses have been exploited by cybercriminals as well, and fully half of the 300 companies evaluated had what BlueVoyant described as “critical” vulnerabilities that leave them potentially exposed to ransomware infections – such as the use of unsecured ports for Remote Desktop Protocol connections.

First kicked off in 2019, the CMMC program is part of the DOD’s response to years of damaging hacks from foreign governments and other digital actors against their defense contracting base, a community that encompasses hundreds of thousands of companies that either contract directly with the government or sit firmly in the supply chain of those who do.

The sheer number of companies involved in the average defense procurement, as well as the “non-linear” structure of the defense industrial base, creates a sprawling and sometimes confusing web of software and hardware interdependencies that make it difficult for outside observers – or even the prime contractor – to determine the extent of their vulnerability.

The report argues that in order to meet the logistical challenges posed by that complexity, many contractors have prioritized interoperability with outside systems without considering the inherent security tradeoffs that come with it.

“For this approach to work effectively, communications between and among supply chain members have been streamlined and improved with a focus on ease of data transfer. This emphasis on ever improving efficiencies in communications has eclipsed concerns over network and transmission security, leaving gaping holes at every connecting point across any given supply chain,” the authors argue.

To reach their conclusions, researchers used a variety of third-party datasets as well as information from BlueVoyant’s proprietary analytics engine. Berglas was reluctant to talk about this technology in detail, but he said it combines data pulled from different sources including the dark web, hacking group communications, BGP routes and “millions and millions” of individual DNS events.

That brew gives the company insight into the current vulnerabilities and patching practices of defense contractors, and lets it track the beaconing of certain malware from inside companies to outside command-and-control infrastructure associated with malicious hacking groups. There are limitations to the findings: namely, the small sample size relative to the larger universe of defense companies, and a lack of visibility from inside the networks of the evaluated companies. Berglas said the company encouraged follow-up research, but the widespread lack of cybersecurity standards among defense companies for controlled unclassified information, as well as the worries around CMMC’s impact on smaller businesses, has been known for years.

The Pentagon is also taking a number of other actions to shore up the security of its supply chain. Earlier this year it was charged with conducting an internal review of its supply chain, seeking out security risks and other weaknesses, and the DOD was recently given authority to conduct threat hunting on defense contractor networks.