Pentagon Supply Chain Fall Short Of Meeting Cybersecurity Requirements

Nation-state hackers are targeting defense contractors with sophisticated cyberattack campaigns in order to gain access to information sensitive to national security.

A recent independent study revealed that a shocking 87% of federal contractors fall short of meeting the Defense Federal Acquisition Regulation Supplement (DFARS) requirements. This 87% has a sub-70 Supplier Performance Risk System (SPRS) score, the metric that shows how well a contractor meets DFARS requirements.

- Advertisement -

What is even more alarming is that 82% of contractors find it “moderately to extremely difficult to understand the governmental regulations on cybersecurity.

The Defense Federal Acquisition Regulation Supplement (DFARS) Requirements.

DFARS has been in effect since 2017 and requires a score of 110 for full compliance.

Critics of the system have anecdotally deemed 70 to be “good enough,” but the overwhelming majority of contractors still come up short.

The Study shows a clear danger to national security

The data came from an independent study conducted by Merrill Research and commissioned by CyberSheath, the largest CMMC-managed service vendor.

The survey data of 300 U.S.-based Department of Defense (DoD) contractors were tested at the 95% confidence level, meaning that there is a 95% probability that significant differences are real and are not due to sampling error. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.

“The report’s findings show a clear and present danger to our national security.
We often hear about the dangers of supply chains that are susceptible to cyberattacks. 
The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs. 

Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.” 

- Eric Noonan, CEO of CyberSheath.

Security Controls That are legally required are not being met

There are several security controls that even though they are required, are not being met by the majority of the contractors.

  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed security information and event management (SIEM)
  • 80% don’t monitor their systems 24/7/365 and don’t use U.S.-based security monitoring services

Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among others, he is a certified: CISSP, CISA, CISM, ITIL, COBIT and PRINCE2, but his wide set of knowledge and technical management capabilities go beyond these certifications. He likes acquiring new skills on penetration testing, cloud technologies, virtualization, network security, IoT and many more.

Exit mobile version