"Majority of US Defense Contractors Not Meeting Basic Cybersecurity Requirements"

According to researchers at CyberSheath, nearly nine in 10 (87%) of US defense contractors are failing to meet basic cybersecurity regulation requirements. The researchers surveyed 300 US-based Department of Defense (DoD) contractors and found that just 13% of respondents have a Supplier Risk Performance System (SPRS) score of 70 or above. Under the Defense Federal Acquisition Regulation Supplement (DFARS), a score of 110 is required for full compliance. The researchers noted that, anecdotally, a score of 70 is believed to be “good enough” to be considered compliant. DFARS, which was enacted into law in 2017, is designed to bolster cybersecurity in the defense industrial base.

In the future, defense contractors will have to comply with the Cybersecurity Maturity Model Certification (CMMC), a certification framework they must pass to bid for contracts with the DoD. The first version of CMMC was released in January 2020, with an updated version, 2.0, coming into effect in May 2023. The researchers stated that the study suggests that the vast majority of DoD defense contractors are neither meeting current DFARS obligations nor in a position to comply with the updated version of CMMC. This could have major consequences for defense contractors, nearly half of whom would lose up to 40% of their revenue if they lost their DoD contracts.

The researchers also found that 70% of respondents have not deployed security information and event management (SIEM), 79% lack a comprehensive multi-factor authentication system, 73% do not have an endpoint detection and response (EDR) solution, and 80% lack a vulnerability management solution. A major factor in non-compliance appears to be a lack of understanding of government cybersecurity regulations, which was cited by 82% of respondents. Around three-fifths of respondents rated the difficulty of understanding CMMC compliance as seven out of 10.


Infosecurity reports: "Majority of US Defense Contractors Not Meeting Basic Cybersecurity Requirements"
