87% of US Defense Contractors Fail Basic Cybersecurity Requirements

80% lack a vulnerability management solution, while 79% lack a comprehensive multi-factor authentication system.

The United States might not be as prepared for a cyber-attack as we think: A large majority of US defense contractors don't meet basic cybersecurity requirements.

Specifically, a full 87% don't meet core regulation standards, as a survey of 300 contractors has recently found.

It's a sign that the country's protective services aren't quite up to snuff, and that's concerning for the health and safety of our infrastructure and private data. But what are the exact standards that our bevy of contractors failed at?

Just 13% of Contractors Scored 70 or Higher

The security standard is called the Supplier Risk Performance System (SPRS) score, and it's a requirement under the Defense Federal Acquisition Regulation Supplement (DFARS). The US passed that supplement back in 2017.

Contractors are supposed to reach a score of 110 for full compliance. However, they only have to hit a score of 70 to reach the bare minimum. And yet just 13% of them reached 70 or higher, while the rest failed to reach that mark, research commissioned by CyberSheath has found.

Some additional takeaways about the survey's findings:

  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed security information and event management (SIEM)

Worse, the same survey found most contractors didn't meet another standard, the Cybersecurity Maturity Model Certification (CMMC), which is a framework that the Department of Defense released in 2020 and must be passed by any company bidding for contracts.

A “Clear and Present Danger”

CyberSheath hasn't held back about these findings, calling them “shocking” and a threat to national security.

“The report’s findings show a clear and present danger to our national security. We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs.” – Eric Noonan, CEO of CyberSheath

We covered the government's commitments to closing the cybersecurity skills gap back in July, but these new results don't look promising. And these days, cybersecurity is more important than ever.

Ransomware attacks and security breaches are up in recent years, and even the best pros have neared their breaking points recently, with one report from June of this year finding that 45% of cybersecurity professionals have considered quitting their jobs over rampant ransomware attacks.

Staying Cyber-Secure

The good news is that we are seeing some positive change on the horizon in 2023, with spending on cybersecurity set to rise in the next year by 10% to 15%.

Better software solutions like password managers, VPNs, and remote access software can help businesses small and large tackle the problem.

For the government and its defense contractors, though, we'll need more than just a VPN. The wheels of change turn slowly in government, sure, but this appears to be a case in which they could be turning a lot faster.

Written by:

Adam is a writer at Tech.co and has worked as a tech writer, blogger and copy editor for more than a decade. He was a Forbes Contributor on the publishing industry, for which he was named a Digital Book World 2018 award finalist. His work has appeared in publications including Popular Mechanics and IDG Connect, and he has an art history book on 1970s sci-fi out from Abrams Books in 2023. In the meantime, he's hunting down the latest news on VPNs, POS systems, and the future of tech.
