Majority of defense contractors fail to implement critical cybersecurity requirements, report says

A new report by a Reston-based cybersecurity company claims a majority of defense contractors haven't implemented security tools required by the DOD.

A new report by a Reston-based cybersecurity company claims a majority of defense contractors haven't implemented security tools required by the DOD. Yuichiro Chino/Getty Images

A new report reveals that many contractors working for the Department of Defense have failed to implement required cybersecurity measures.

A majority of defense contractors are failing to meet Defense Federal Acquisition Regulation Supplement requirements in a trend that poses "a direct threat to national security," according to a new report.

The Reston-based security firm CyberSheath surveyed 300 individuals in the defense industrial base "who have a DFARS obligation, are responsible for cybersecurity and are actively seeking CMMC compliance" between July and August 2022 for a report published on Wednesday that assesses the state of cybersecurity maturity across the DIB. 

The report reveals that the vast majority of defense contractors surveyed lack critical components to their cybersecurity infrastructures: An estimated 73% of contractors have failed to implement an endpoint detection and response solution, while 79% lack a comprehensive multi-factor authentication system. 

“The report’s findings show a clear and present danger to our national security,” said CyberSheath CEO Eric Noonan, in a statement. “Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”

The report comes as defense contractors prepare to meet Cybersecurity Maturity Model Certification, or CMMC, compliance requirements. The new acquisition regulation is meant to help protect sensitive information and intellectual property maintained by the DIB amid a range of evolving threats, replacing the previous self-attestation model with third-party certifications.

A Reston-based managed services provider, CyberSheath offers services geared toward achieving CMMC compliance such as its shared security compliance framework, alongside continuous monitoring, incident response and reporting services. 

Its report also details how the vast majority of defense contractors surveyed are failing to meet many of the DFARS requirements that have been in place since 2017 and lack vulnerability management solutions and adequate security information and event management resources. According to CyberSheath, 87% of defense contractors fall below a score of 70 on the Supplier Performance Risk System, a tool used to track whether contractors are complying with DFARS requirements. 

Meanwhile, 82% of surveyed contractors reported that it was "moderately to extremely difficult to understand the governmental regulations on cybersecurity."

Officials from the National Defense Industrial Association, an industry nonprofit representing more than 1,800 corporate members in the defense industry, weren’t immediately available for comment on the CyberSheath report. 

Concerns of contractor noncompliance with DOD cybersecurity standards were why the CMMC regulation was first proposed in the fiscal year 2020 National Defense Authorization Act. DOD officials later retooled the proposed regulation, reducing the number of required security levels from five to three, following public feedback. The DOD is currently finalizing its rulemaking process for the regulation, ahead of implementation for defense contracts.

Earlier this year, the DOD launched a study to determine whether companies – including small businesses – can successfully implement the department's cybersecurity requirements. The Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is leading that study as contractors await the final deadline to begin complying with CMMC, expected to arrive in fiscal year 2023.