Federal Contractors Fail Cybersecurity Basics

By Greg Tavarez, TMCnet Editor  |  December 06, 2022

Defense contractors hold information that's vital to national security. Of course, where there is vital information, there are cyberattackers who want to get their hands on it.

A recent example of this is the STEEP#MAVERICK campaign, in which the attackers focused on operational security and ensured their malware was hard to detect, remove and analyze. Similar campaigns usually involve state-backed actors operating out of countries like Russia and North Korea.

It’s reasonable to think that, due to the sensitive nature of this government information, it would benefit from the very best in cybersecurity measures. To (try to) ensure that happens, and knowing that vital security information is in the crosshairs, the U.S. Department of Defense set cybersecurity best practices to protect sensitive data through its Cybersecurity Maturity Model Certification program.

Still – and perhaps shockingly – defense contractors are not securing military secrets. In fact, 87% of defense contractors record sub-70 Supplier Performance Risk System scores, according to research conducted by Merrill Research and commissioned by CyberSheath on the Defense Industrial Base. The SPRS score is the metric that shows how well a contractor meets Defense Federal Acquisition Regulation Supplement requirements. DFARS requires a score of 110 for full compliance.

The DIB’s overall score is low because about 80% of the DIB does not monitor its systems 24/7/365 and does not use U.S.-based monitoring services. It doesn’t stop there, though. Other deficiencies include a lack of vulnerability management, MFA and EDR solutions, as well as security information and event management (SIEM) not being deployed.

“The report’s findings show a clear and present danger to our national security,” said Eric Noonan, CEO of CyberSheath. “Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”

Security controls are legally required of the DIB. As long as contractors do not meet the security requirements, there is a significant risk facing the Department of Defense and its ability to conduct armed defense.




Edited by Erik Linask