Survey Reveals Alarming State of Cybersecurity Readiness in the Defense Industrial Base
The Department of Defense (DoD) and its vast network of contractors form the backbone of U.S. national security. However, a recent report by CyberSheath reveals a deeply concerning reality: the majority of defense contractors are woefully unprepared for the Cybersecurity Maturity Model Certification (CMMC) requirements, leaving critical infrastructure and sensitive data vulnerable to cyber threats.
The CMMC certification process is arduous but our CMMC 2.0 compliance roadmap can help.
The Stark Reality of CMMC Compliance
CyberSheath’s 2024 study, which expanded its scope to include contractors with up to 1,000 employees, paints a grim picture of cybersecurity readiness across the Defense Industrial Base (DIB):
- Over 75% of respondents claim compliance based on self-assessment
- Less than 40% are actively working on a System Security Plan (SSP), Plan of Action and Milestones (POA&M), required controls, and ongoing compliance plans
- Only 4% believe their company is completely ready for CMMC certification
- The average Supplier Performance Risk System (SPRS) score among respondents is -12 out of 110, far below the DFARS-required minimum of 110
These statistics reveal a significant disconnect between contractors’ perception of their cybersecurity posture and the reality of their preparedness.
Key Takeaways
- Widespread Non-Compliance: Despite self-assessments indicating high compliance, the actual state of CMMC readiness among defense contractors is alarmingly low.
- Critical Infrastructure at Risk: 89% of surveyed companies operate in critical infrastructure sectors defined by the DoD. Their lack of cybersecurity preparedness poses a severe threat to national security, economic stability, and public safety.
- Low Adoption of Essential Technologies: Adoption rates for crucial cybersecurity solutions like multi-factor authentication (21%), vulnerability management (20%), and patch management (15%) are disturbingly low, leaving contractors vulnerable to cyberattacks.
- Underestimated Compliance Costs: The average annual budget reported for DFARS compliance ($41,220) is grossly inadequate. For example, just meeting 24/7 network monitoring requirements would cost a 30-50 person company around $144,000 annually.
- Urgent Need for Action: With only 4% of contractors feeling completely ready for CMMC certification, there is an immediate need for increased awareness, education, investment in cybersecurity infrastructure, and potentially stricter regulatory enforcement to improve the DIB’s cybersecurity posture.
Why So Few Contractors Are Prepared
Several factors contribute to the lack of CMMC readiness among defense contractors:
1. CMMC Requirements are Complex and Evolving
Many contractors find it challenging to understand and implement CMMC requirements due to their complexity and dynamic nature. Approximately 40% of respondents rated DFARS reporting as an 8 out of 10 or higher in terms of difficulty. The constantly evolving landscape of cybersecurity threats and regulations makes it difficult for companies to keep pace.
2. CMMC Compliance is Costly
Over 50% of contractors highlighted significant cost impacts due to ongoing changes and the tools and solutions they require. The average annual budget reported for achieving and maintaining DFARS compliance is $41,220; however, this amount is woefully inadequate. A 30-50 person company, for example, should expect to spend around $144,000 per year just to fulfill the U.S.-based 24/7 network monitoring requirements specified by DFARS.
3. Defense Contractors Aren’t Adopting Technologies Critical for CMMC Compliance
The study reveals alarmingly low adoption rates for essential cybersecurity solutions. These low adoption rates indicate that many contractors lack the basic technological infrastructure necessary for robust cybersecurity. Examples of low adoption rates include:
- Data Loss Prevention (DLP): 33%
- IT Configuration Management Solution: 30%
- Security Information & Event Management (SIEM) Solution: 30%
- Multi-factor Authentication (MFA): 21%
- Vulnerability Management Solution (VM): 20%
- Patch Management Solutions: 15%
4. Defense Contractors Aren’t Aware of or Don’t Understand CMMC
Despite the critical nature of CMMC compliance, many contractors seem unaware of the regulation’s importance or the potential consequences of non-compliance. For instance, only 63% of respondents were aware of Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) audits.
5. Defense Contractors Overestimate CMMC Readiness
The disparity between compliance via self-assessment (over 75%) and the average SPRS score (-12) suggests that many contractors overestimate their cybersecurity capabilities. This overconfidence may lead to complacency and a failure to address critical vulnerabilities.
Why a Lack of Preparedness for CMMC is Deeply Concerning
The implications of widespread CMMC non-compliance across the DIB are far-reaching and potentially catastrophic:
1. Non-compliance With CMMC Poses National Security Risks
89% of the companies represented in the study operate in critical infrastructure sectors defined by the DoD. These sectors are considered vital to national security, economic stability, and public safety. Inadequate cybersecurity measures in these areas could have devastating consequences if exploited by adversaries.
2. Defense Contractors Non-compliant with CMMC Are More Vulnerable to Cyberattacks
The low adoption rates of essential cybersecurity technologies leave defense contractors highly vulnerable to cyberattacks. In an era of increasing nation-state cyber threats, this vulnerability poses a significant risk to sensitive defense information and technologies.
3. Defense Contractors Not Compliant with CMMC Weaken the Defense Supply Chain
The DIB is an interconnected ecosystem. Weaknesses in one part of the supply chain can compromise the entire network. With many contractors failing to meet basic cybersecurity standards, the entire defense supply chain is at risk.
4. CMMC Non-compliance Carries Severe Economic Implications
Cyber incidents can result in substantial financial losses. The study shows that many contractors have already experienced losses due to cyber incidents. Continued non-compliance could lead to even greater economic damage, both for individual companies and the defense sector as a whole.
5. Defense Contractors Non-compliant with CMMC Lose Their Competitive Edge and Weaken the DIB
As CMMC requirements become more stringent and enforced, non-compliant contractors risk losing their ability to compete for DoD contracts. This could lead to a shrinking of the DIB, potentially impacting innovation and competition in the defense sector.
6. Non-compliance With CMMC Carries Severe Legal and Regulatory Consequences
With increased awareness of the False Claims Act and potential penalties for inaccurate SPRS score reporting, non-compliant contractors face significant legal and financial risks.
Need to comply with CMMC? Here is your complete CMMC compliance checklist.
How Defense Contractors Can Improve Their Cybersecurity Posture Ahead of CMMC Compliance
Based on the report findings, here are some key ways defense contractors can improve their cybersecurity posture:
- Increase investment in essential cybersecurity technologies. The report shows alarmingly low adoption rates for critical solutions such as multi-factor authentication (21% adoption), vulnerability management (20% adoption), and patch management (15% adoption). Prioritizing implementation of these basic security controls would significantly enhance cybersecurity.
- Allocate more budget for compliance. The average reported annual budget of $41,220 is grossly inadequate. For example, just meeting 24/7 network monitoring requirements would cost a 30-50 person company around $144,000 annually. Contractors need to increase cybersecurity spending to meet CMMC requirements.
- Improve accuracy of self-assessments. There’s a major disconnect between self-assessed compliance (over 75%) and actual readiness (average SPRS score of -12 out of 110). Contractors should conduct more rigorous self-evaluations to identify gaps or enlist the expertise of certified third-party assessor organizations (C3PAOs).
- Develop comprehensive System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms). Less than 40% are actively working on these required elements.
- Increase awareness and understanding of CMMC requirements. About 40% rated DFARS reporting as highly difficult (8/10 or higher). Education and training programs could help bridge this knowledge gap.
- Engage third-party expertise. Given the complexity, many contractors could benefit from partnering with experienced cybersecurity firms or Managed Security Service Providers (MSSPs) to achieve compliance.
- Implement continuous monitoring and improvement processes. Cybersecurity is not a one-time effort but requires ongoing vigilance to address evolving threats.
By focusing on these areas, defense contractors can make significant strides in improving their cybersecurity posture and moving towards CMMC compliance.
Kiteworks Helps Defense Contractors Demonstrate CMMC Compliance With a FedRAMP Authorized Private Content Network
The CyberSheath report serves as a stark wake-up call for the defense industry. The widespread lack of CMMC preparedness among defense contractors poses a severe threat to national security, economic stability, and the integrity of the defense supply chain. Urgent action is needed from all stakeholders – contractors, the DoD, and cybersecurity providers – to address these critical vulnerabilities and strengthen the cybersecurity posture of the entire defense industrial base.
As cyber threats continue to evolve and intensify, the cost of inaction far outweighs the investment required for robust cybersecurity measures. The future security of the nation depends on the DIB’s ability to rise to this challenge and create a resilient, CMMC-compliant ecosystem that can effectively safeguard critical defense information and infrastructure.
The Kiteworks Private Content Network, a FIPS 140-2 validated secure file sharing and file transfer platform, consolidates email, file sharing, web forms, SFTP, managed file transfer, and next-generation digital rights management solutions so organizations control, protect, and track every file as it enters and exits the organization.
Kiteworks supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box. As a result, DoD contractors and subcontractors can accelerate their CMMC 2.0 Level 2 accreditation process by ensuring they have the right sensitive content communications platform in place.
With Kiteworks, DoD contractors and subcontractors unify their sensitive content communications into a dedicated Private Content Network, leveraging automated policy controls and tracking and cybersecurity protocols that align with CMMC 2.0 practices.
Kiteworks enables rapid CMMC 2.0 compliance with core capabilities and features including:
- Certification with key U.S. government compliance standards and requirements, including SSAE-16/SOC 2, NIST SP 800-171, and NIST SP 800-172
- FIPS 140-2 Level 1 validation
- FedRAMP Authorized for Moderate Impact Level CUI
- AES 256-bit encryption for data at rest, TLS 1.2 for data in transit, and sole encryption key ownership
Kiteworks deployment options include on-premises, hosted, private, hybrid, and FedRAMP virtual private cloud. With Kiteworks: control access to sensitive content; protect it when it’s shared externally using automated end-to-end encryption, multi-factor authentication, and security infrastructure integrations; see, track, and report all file activity, namely who sends what to whom, when, and how. Finally, demonstrate compliance with regulations and standards like GDPR, HIPAA, CMMC, Cyber Essentials Plus, IRAP, and many more.
To learn more about Kiteworks, schedule a custom demo today.