The United States might not be as prepared for a cyber-attack as we think: A large majority of US defense contractors don't meet basic cybersecurity requirements.
Specifically, a full 87% don't meet core regulation standards, as a survey of 300 contractors has recently found.
It's a sign that the country's protective services aren't quite up to snuff, and that's concerning for the health and safety of our infrastructure and private data. But what exactly are the standards that so many of our contractors failed to meet?
Just 13% of Contractors Scored 70 or Higher
The security standard is called the Supplier Performance Risk System (SPRS) score, and it's a requirement under the Defense Federal Acquisition Regulation Supplement (DFARS). The US passed that supplement back in 2017.
Contractors are supposed to reach a score of 110 for full compliance. However, they only have to hit a score of 70 to reach the bare minimum. And yet just 13% of them reached 70 or higher, while the rest failed to reach that mark, research commissioned by CyberSheath has found.
Some additional takeaways about the survey's findings:
- 80% lack a vulnerability management solution
- 79% lack a comprehensive multi-factor authentication (MFA) system
- 73% lack an endpoint detection and response (EDR) solution
- 70% have not deployed security information and event management (SIEM)
Worse, the same survey found most contractors didn't meet another standard, the Cybersecurity Maturity Model Certification (CMMC), a framework that the Department of Defense released in 2020 and that must be passed by any company bidding for contracts.
A “Clear and Present Danger”
CyberSheath hasn't held back about these findings, calling them “shocking” and a threat to national security.
“The report’s findings show a clear and present danger to our national security. We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs.” – Eric Noonan, CEO of CyberSheath
We covered the government's commitments to closing the cybersecurity skills gap back in July, but these new results don't look promising. And these days, cybersecurity is more important than ever.
Ransomware attacks and security breaches are up in recent years, and even the best pros have neared their breaking points recently, with one report from June of this year finding that 45% of cybersecurity professionals have considered quitting their jobs over rampant ransomware attacks.
The good news is that we are seeing some positive change on the horizon in 2023, with spending on cybersecurity set to rise in the next year by 10% to 15%.
For the government and its defense contractors, though, we'll need more than just a VPN. The wheels of change turn slowly in government, sure, but this appears to be a case in which they could be turning a lot faster.