SalesTech Star

More than 87% of Pentagon Supply Chain Fails Basic Cybersecurity Minimums

First ever independent study of the Defense Industrial Base (DIB) shows that federal contractors are not properly securing military secrets

Defense contractors hold information that’s vital to national security and will soon be required to meet Cybersecurity Maturity Model Certification (CMMC) compliance to keep those secrets safe. Nation-state hackers are actively and specifically targeting these contractors with sophisticated cyberattack campaigns.

A shocking 87% of contractors have a sub-70 Supplier Performance Risk System (SPRS) score, the metric that shows how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements.

DFARS, which has been law since 2017, requires a score of 110 for full compliance. Critics of the system have anecdotally deemed 70 to be “good enough,” but the overwhelming majority of contractors still come up short.

Read More: SalesTechStar Interview with Justin Long, Executive Vice President of Operations at Paycom

“The report’s findings show a clear and present danger to our national security”

The first ever comprehensive, independent study of the DIB’s cybersecurity maturity was conducted by Merrill Research and commissioned by CyberSheath, the largest CMMC managed service vendor. The survey data of 300 U.S.-based Department of Defense (DoD) contractors was tested at the 95% confidence level, meaning that there is a 95% probability that significant differences are real and are not due to sampling error. The study was completed in July and August 2022, with CMMC 2.0 on the horizon.

“The report’s findings show a clear and present danger to our national security,” said Eric Noonan, CEO of CyberSheath. “We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon’s supply chain, and we see how woefully unprepared contractors are despite being in threat actors’ crosshairs. Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements.”

Read More: Where Deals Go To Die. Closing the Buyer-seller Gap

Roughly 80% of the DIB doesn’t monitor its systems 24/7/365 and doesn’t use U.S.-based security monitoring services. Other deficiencies were evident in the following categories that are currently required by law and will be required in the future to achieve CMMC compliance:

  • 80% lack a vulnerability management solution
  • 79% lack a comprehensive multi-factor authentication (MFA) system
  • 73% lack an endpoint detection and response (EDR) solution
  • 70% have not deployed security information and event management (SIEM)

These security controls are legally required of the DIB, and since they are not met, there is a significant risk facing the DoD and its ability to conduct armed defense. In addition to being largely non-compliant, an astounding 82% of contractors find it “moderately to extremely difficult to understand the governmental regulations on cybersecurity.”

Write in to to learn more about our exclusive editorial packages and programs.