December 9, 2022


Most contractors hired by the Department of Defense over the past five years failed to meet required minimum cyber security standards, posing a significant risk to US national security.

Managed services vendor CyberSheath released a report on November 30 showing that 87% of the Pentagon supply chain fails to meet basic cybersecurity minimums. Those security gaps are exposing major defense contractors and their subcontractors to massive cyberattacks, putting US national security at risk.

Those risks have been well known for some time, yet little has been done to fix them. According to CyberSheath, this independent study of the Defense Industrial Base (DIB) is the first to show that federal contractors are not properly protecting military secrets.

DIB is a complex supply chain consisting of 300,000 primes and subcontractors. The government allows these approved companies to share sensitive files and communicate securely to get their jobs done.

To keep those secrets safe, defense contractors will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance. Meanwhile, the report warns that nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.

“Awarding contracts to federal contractors without first validating their cybersecurity controls is a complete failure,” Eric Noonan, CEO of CyberSheath, told TechNewsWorld.

Defense contractors have been mandated to meet cyber security compliance requirements for more than five years. Those terms are embedded in more than a million contracts, he said.

Alarming details

The Merrill Research Report 2022, commissioned by CyberSheath, revealed that 87% of federal contractors have a sub-70 Supplier Performance Risk System (SPRS) score. The metric shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

DFARS has been in law since 2017 and requires a score of 110 for full compliance. Critics of the system considered the 70 to be “good enough”. Yet, the overwhelming majority of contractors still come up short.

“The report’s findings show a clear and present threat to our national security,” Eric Noonan said. “We often hear about threats to supply chains that are more susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how poorly prepared contractors are despite being in the crosshairs of threat actors.”

“Our military secrets are not secure, and there is an urgent need to improve the cyber security posture for this group, which often does not meet even the most basic cyber security requirements,” Noonan warned.

More report findings

Survey data came from 300 US-based DoD contractors, with accuracy tested at the 95% confidence level. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.

Roughly 80% of DIB companies failed to monitor their computer systems around the clock and lacked US-based security monitoring services. Other deficiencies were evident in the following categories, each of which would be required to achieve CMMC compliance:

  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed Security Information and Event Management (SIEM)

These security controls are legally required of the DIB, and since they are not met, there is a significant risk to the DoD and its ability to conduct armed defense. In addition to widespread non-compliance, 82% of contractors find it “moderately to extremely difficult to understand government regulations on cyber security”.

Confusion prevails among contractors

According to the report, some of the DIB’s defense contractors that have tried to focus on cyber security have been held back by roadblocks.

When asked to rate DFARS reporting challenges on a scale of one to 10 (with 10 being extremely challenging), about 60% of all respondents rated “understanding requirements” a seven out of 10 or higher. Regular documentation and reporting were also near the top of the list of challenges.

The primary barriers listed include challenges in understanding the steps required to achieve compliance, difficulty in implementing sustainable CMMC policies and procedures, and the overall cost involved.

Unfortunately, these results are in line with what CyberSheath expected, Noonan acknowledged. He said the research confirmed that even fundamental cyber security measures such as multi-factor authentication were largely ignored.

Noonan said, “This research, combined with the False Claims Act case against defense giant Aerojet Rocketdyne, shows that defense contractors both large and small are not meeting contractual obligations for cyber security and that there is systemic risk in the DoD’s supply chain.”

No big surprise

Noonan believes the Defense Department has known for a long time that the defense industry is not addressing cyber security. News reporting of never-ending nation-state breaches of defense contractors, including large-scale incidents like the SolarWinds compromise and the False Claims Act cases, proves that point.

“I also believe that the DoD has run out of patience after giving contractors years to fix the problem. Only now is the DoD going to make cyber security a pillar of contract acquisition,” Noonan said.

He noted that the planned new DoD doctrine would be “no cyber security, no contract”.

Noonan acknowledged that there is merit to some of the complaints raised by contractors about the difficulty of understanding and meeting cyber requirements.

“It is a fair point as some of the messaging from the government has been inconsistent. In fact, however, the requirements have not changed since 2017,” he offered.

What will happen next

The DoD will likely adopt a stricter policy with contractors. Had contractors complied with the requirements set in 2017, the entire supply chain would be in much better shape today. Despite some communication challenges, the DoD has been incredibly consistent about what is required of defense contractor cybersecurity, Noonan said.

The current research now sits on top of a mountain of evidence that proves federal contractors have a lot of work to do in improving cyber security. It is clear that without enforcement from the federal government the work will not get done.

“Trust without verification failed, and now DoD is moving to enforce verification,” he said.

DoD response still pending

TechNewsWorld submitted written questions to the DoD about the supply chain criticism in the CyberSheath report. A spokesperson for the Cyber/IT/DOD CIO for the Department of Defense responded, adding that it would take a few days to investigate the issues. We’ll update this story with any response we get.

A government standards agency’s narrowing of the field of candidate post-quantum cryptographic (PQC) algorithms will strongly stimulate the PQC market over the next five years, according to an international research and advisory firm.

In its recently released Post-Quantum Cryptography Applications Analysis report, ABI Research predicts PQC revenue to grow 12%, from US$196 million in 2022 to $218.6 million in 2023, and 20%, from $328.7 million in 2026 to $395.3 million in 2027.

The nascent market will kick into high gear once the National Institute of Standards and Technology (NIST) finalizes its choice of PQC algorithms, the report said.

“NIST is the foremost standards development organization leading PQC algorithm development, and much depends on the successful completion of this process, after which work on algorithm integration and protocol updates is advanced by other organizations, industry associations, and open source movements,” Michela Menting, Cyber Security Applications Research Director at ABI Research, said in a statement.

“The progress of work in these forums will be a sign of technology maturity, and the goal for vendors will be to introduce ‘plug and play’ type technologies to their respective industries, allowing commercial integration and ease of adoption.”

Ray Harishankar, quantum safe lead at IBM, told TechNewsWorld, “When NIST announced that it had selected four encryption and digital signature algorithms to build quantum-secure standards by 2024, the field took an important step.”

Preparing for PQC Migration

ABI’s growth forecast was not surprising to some in the quantum domain. “Since the latest NIST announcement, the cork has partially come out of the bottle,” Ben Packman, senior vice president of strategy at PQShield, a cryptography standards developer in Oxford, UK, told TechNewsWorld.

“There were a lot of people who were waiting to see what NIST would announce to think about their plans for migration to PQC,” he explained.

“I say partly out of the bottle because, until those standards are ratified in 2024, it is just the promise of a standard. Still, it allows people to plan with some certainty,” he said.

When the standards are finalized, they will have a significant impact on the technology industry, because everyone from vendors to standards bodies relying on cryptography will need to adapt to the changes and updated protocols, Samantha Mabe, director of product marketing management at Entrust, an identity solutions provider from Shakopee, Minn., explained to TechNewsWorld.

In addition to vendors and standards bodies, anyone who needs to keep a secret for more than 10 years needs to follow NIST’s work closely, because that time period is well within the window of quantum risk, said Andersen Cheng, CEO of Post-Quantum, a quantum-secure encryption, blockchain and digital identity company based in London.

Cheng told TechNewsWorld that the NSA, GCHQ, DOD and MI6 are seeing their encrypted data stolen right now. “From time to time, their internet traffic is being diverted to some Eastern European country for two or three hours at a time and then back to normal. The consensus is that Russia or some adversary is conducting rehearsals to suck up the data and decrypt it later.”

NIST is not alone in crafting cryptography standards for the post-quantum era. “Work is also underway at other standards bodies, such as the IETF, to update secure message formats, such as S/MIME email and code signing, and secure protocols, such as TLS, to adopt PQC. That includes formalizing hybrid cryptographic data structures, such as composite certificates, for those who don’t think they’re ready yet to put all their eggs in the post-quantum basket,” Mabe said.

Infrastructure review

Achieving the revenue growth forecast by ABI will require overcoming several challenges. For example, the state of PQ solutions is likely to remain in flux for some time. Mabe said, “While we move to PQ-safe algorithms today, we must acknowledge that they are a less mature set of algorithms and that it is important to remain agile, as they may still need to change in the future.”

The technology demands posed by PQC solutions will be a challenge for both vendors and customers. Mabe pointed out that organizations will need to do a health check on their technology, and on the cryptography that exists in their infrastructure today, to ensure that they have the scale to support the additional computing power and other resources required by these new algorithms.

Another challenge facing PQC will be the breadth and diversity of existing commercial cryptographic applications. For example, migrating something like TLS is relatively simple: you add new cipher suites to the list, and if both peers support one, it is used. Otherwise, you go down the list to the best option that both peers support.

“Contrast that with data warehouses containing encrypted data over the last 30 years or with PKI-enabled ID badges, ePassports or gift cards,” Mabe said. “You can upgrade the card to PQ, but what happens when it encounters a terminal that hasn’t been upgraded since 2015?”
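To make the contrast concrete, the following is an added example, not code from the article or from any of the vendors quoted in it. It models the two situations just described: a TLS-style negotiation, where each peer offers an ordered list of key-exchange groups and the first group in the client's preference order that the server also supports wins, with classical fallback when one side has not been upgraded; and a fixed offline terminal that has no negotiation step at all, so a card upgraded to a PQ credential simply fails against a terminal that only knows older algorithms. The group labels, capability sets and the `require_pq` policy knob are constructed for the illustration and do not speak real TLS; the policy knob is the check a defender would want so that an upgrade does not quietly become a classical-only session.

```python
"""Toy model of cipher-suite style negotiation for PQ hybrid key exchange.

Constructed example: the group names loosely mirror TLS 1.3 hybrid
naming (X25519 + Kyber768) but nothing here implements a real handshake.
"""
from dataclasses import dataclass
from typing import List, Optional, Set

# Hypothetical capability sets for this example (not from any real deployment).
CLASSICAL: Set[str] = {"x25519", "secp256r1"}
PQ_HYBRID: Set[str] = {"x25519_kyber768", "secp256r1_kyber768"}


@dataclass
class Peer:
    name: str
    # Ordered by preference: most preferred first.
    supported: List[str]
    # Policy knob: refuse to complete a handshake that ends up classical-only.
    require_pq: bool = False


def negotiate(client: Peer, server: Peer) -> Optional[str]:
    """Pick the first group in the client's preference order that the server also supports.

    Returns None when there is no common group (handshake failure) or when a
    peer's policy forbids the classical-only fallback that negotiation produced.
    """
    server_set = set(server.supported)
    chosen = next((g for g in client.supported if g in server_set), None)
    if chosen is None:
        return None  # nothing in common: the handshake fails outright

    if (client.require_pq or server.require_pq) and chosen not in PQ_HYBRID:
        # Both sides *could* talk, but policy says a classical-only session is
        # not acceptable; treat the silent downgrade as a failure, not a success.
        return None
    return chosen


def fixed_terminal_accepts(card_algorithm: str, terminal_algorithms: Set[str]) -> bool:
    """The ID-badge / gift-card case: no negotiation step exists.

    A terminal that was never upgraded verifies only the algorithms baked into
    it, so a card moved to a PQ credential is simply rejected.
    """
    return card_algorithm in terminal_algorithms


def demo() -> dict:
    """Run the scenarios from the text and return each outcome."""
    upgraded_client = Peer("browser", ["x25519_kyber768", "x25519"])
    strict_client = Peer("browser-strict", ["x25519_kyber768", "x25519"], require_pq=True)
    legacy_client = Peer("old-client", ["x25519"])
    upgraded_server = Peer("server", ["x25519", "x25519_kyber768"])
    legacy_server = Peer("old-server", ["x25519"])
    pq_only_server = Peer("pq-server", ["x25519_kyber768"])

    return {
        # Both upgraded: the client's preferred hybrid group wins.
        "both_upgraded": negotiate(upgraded_client, upgraded_server),
        # Server not yet upgraded: transparent classical fallback.
        "legacy_server_fallback": negotiate(upgraded_client, legacy_server),
        # Same peers, but the client's policy forbids classical-only.
        "legacy_server_strict": negotiate(strict_client, legacy_server),
        # Old client meets a server that dropped classical groups: failure.
        "legacy_client_vs_pq_only": negotiate(legacy_client, pq_only_server),
        # Constructed offline case: PQ credential against a 2015-era terminal.
        "pq_card_old_terminal": fixed_terminal_accepts("dilithium3", {"rsa2048", "ecdsa_p256"}),
    }


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28s} -> {outcome}")
```

The point of `require_pq` is that negotiation makes migration easy precisely because it falls back silently; an operator who needs to know whether sessions are actually using the new groups must either log the negotiated group or enforce a policy, because "the handshake succeeded" alone does not tell them. The fixed-terminal function has no such knob to turn, which is Mabe's point about badges and gift cards: there the migration has to be coordinated on both ends up front.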

Packman said that PQC requires a change in the way people think about implementing cryptography. “In the past, people would bake something in and forget about it,” he explained. “With the advancement of computers, it is now clear that things need to be constantly updated over time. There needs to be some agility in the way people implement cryptography. There will be different algorithms for different types of scenarios.”