Most contractors hired by the Department of Defense over the past five years failed to meet required minimum cyber security standards, posing a significant risk to US national security.
Managed services vendor CyberSheath released a report on November 30 showing that 87% of the Pentagon supply chain fails to meet basic cybersecurity minimums. Those security gaps leave major defense contractors and their subcontractors exposed to large-scale cyberattacks, putting US national security at risk.
Those risks have been well known for some time without efforts to fix them. According to CyberSheath, this independent study of the Defense Industrial Base (DIB) is the first to show that federal contractors are not properly protecting military secrets.
DIB is a complex supply chain consisting of 300,000 primes and subcontractors. The government allows these approved companies to share sensitive files and communicate securely to get their jobs done.
To keep those secrets safe, defense contractors will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance. Meanwhile, the report warns that nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.
“Awarding contracts to federal contractors without first validating their cybersecurity controls is a complete failure,” Eric Noonan, CEO of CyberSheath, told TechNewsWorld.
Defense contractors have been mandated to meet cyber security compliance requirements for more than five years. Those terms are embedded in more than a million contracts, he said.
The Merrill Research Report 2022, commissioned by CyberSheath, revealed that 87% of federal contractors have a sub-70 Supplier Performance Risk System (SPRS) score. The metric shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
DFARS has been in law since 2017 and requires a score of 110 for full compliance. Critics of the system considered the 70 to be “good enough”. Yet, the overwhelming majority of contractors still come up short.
Eric Noonan said, “The report’s findings show a clear and present threat to our national security. We often hear about threats to supply chains that are more susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how poorly prepared contractors are despite being in the crosshairs of risk actors.”
“Our military secrets are not secure, and there is an urgent need to improve the cyber security posture for this group, which often does not meet even the most basic cyber security requirements,” Noonan warned.
More report findings
Survey data came from 300 US-based DOD contractors, with accuracy tested at the 95% confidence level. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.
Roughly 80% of DIB users failed to monitor their computer systems around the clock and lacked US-based security monitoring services. Other deficiencies were evident in the following categories that would be required to achieve CMMC compliance:
- 80% lack a vulnerability management solution
- 79% lack a comprehensive multi-factor authentication (MFA) system
- 73% lack an endpoint detection and response (EDR) solution
- 70% have not deployed Security Information and Event Management (SIEM)
These security controls are legally required of the DIB, and since they are not met, there is a significant risk to the DoD and its ability to conduct armed defense. In addition to widespread non-compliance, 82% of contractors find it “moderately to extremely difficult to understand government regulations on cyber security”.
Confusion prevails among contractors
According to the report, some DIB contractors that have tried to focus on cyber security have run into roadblocks.
When asked to rate DFARS reporting challenges on a scale of one to 10 (with 10 being extremely challenging), about 60% of all respondents rated “understanding requirements” a seven out of 10 or higher. Regular documentation and reporting were also near the top of the list of challenges.
The primary barriers listed include challenges in understanding the steps required to achieve compliance, difficulty in implementing sustainable CMMC policies and procedures, and the overall cost involved.
Unfortunately, these results are in line with what CyberSheath expected, Noonan acknowledged. He said the research confirmed that even fundamental cyber security measures such as multi-factor authentication were largely ignored.
Noonan said, “This research, combined with the False Claims Act case against defense giant Aerojet Rocketdyne, shows that defense contractors both large and small are not meeting contractual obligations for cyber security, and that there is systemic risk in the DoD’s supply chain.”
No big surprise
Noonan believes the Defense Department has known for a long time that the defense industry is not addressing cyber security. News reporting of never-ending nation-state breaches of defense contractors, including large-scale incidents like the SolarWinds and False Claims Act cases, proves that point.
“I also believe that the DoD has run out of patience after giving contractors years to fix the problem. Only now is the DoD going to make cyber security a pillar of contract acquisition,” Noonan said.
He noted that the planned new DoD doctrine would be “no cyber security, no contract”.
Noonan acknowledged that there is merit to some of the complaints raised by contractors about difficulties in understanding and meeting cyber requirements.
“It is a fair point as some of the messaging from the government has been inconsistent. In fact, however, the requirements have not changed since 2017,” he offered.
What will happen next
Perhaps the DoD will adopt a stricter policy with contractors. If contractors had complied with the requirements put into law in 2017, the entire supply chain would be in much better shape today. Despite some communication challenges, the DoD has been incredibly consistent on what is required of defense contractor cybersecurity, Noonan said.
The current research now sits on top of a mountain of evidence that proves federal contractors have a lot of work to do in improving cyber security. It is clear that without enforcement from the federal government the work will not get done.
“Trust without verification failed, and now DoD is moving to enforce verification,” he said.
DoD response still pending
TechNewsWorld submitted written questions to the DoD about the supply chain criticism in the CyberSheath report. A spokesperson for the Cyber/IT/DOD CIO for the Department of Defense responded that it would take a few days to investigate the issues. We’ll update this story with any response we get.