DIB Cybersecurity Compliance Falls Behind CMMC 2.0 Standards

The State of Cybersecurity Compliance in the Defense Industrial Base: Insights from CyberSheath and Merrill Research

On October 1, 2024, CyberSheath and Merrill Research unveiled a pivotal study examining cybersecurity compliance among contractors within the Defense Industrial Base (DIB). As the launch of the Cybersecurity Maturity Model Certification (CMMC) approaches in early 2025, this research sheds light on the preparedness of contractors to meet the evolving cybersecurity standards mandated by the Department of Defense (DoD). Despite the CMMC program being announced in early 2021, the findings indicate that many contractors are far from ready to comply with the stringent requirements that will soon be enforced.

Current Regulatory Landscape

The existing regulations require DoD contractors to submit a self-assessment score based on the 110 controls outlined in NIST SP 800-171; these same controls will form the foundation of the upcoming CMMC requirements. The study revealed that only 41% of respondents had completed this self-assessment, a significant compliance gap. Alarmingly, the average self-assessment score among contractors was -12, indicating that many are not only unprepared but may also be operating below the minimum cybersecurity standards.

Readiness for CMMC Certification

One of the most concerning findings from the study is that a mere 4% of respondents believe they are ready for CMMC certification. This statistic underscores the widespread challenges faced by both large and small contractors in implementing the necessary cybersecurity controls. The lack of readiness is particularly troubling given the critical role that these contractors play in national security and defense.

The Impact of Cyber Incidents

The study also examined contractors' experiences with cyber incidents. Notably, 80% of respondents reported experiencing losses due to cyber incidents. However, only 42% indicated that they had developed annual incident response exercises, a crucial component of an effective cybersecurity strategy. Furthermore, just over half of the respondents had a system security plan in place, and nearly 50% reported having plans of action and milestones. The failure of almost half of the contractors to implement these key components suggests a significant disconnect between regulatory requirements and actual cybersecurity practices.

Historical Context and Trends

The findings of this study are consistent with CyberSheath’s 2022 report, which indicated that little progress had been made in cybersecurity compliance within the DIB. In that earlier study, 46% of respondents had completed the self-assessment requirement, with an average SPRS score of -23. This stagnation in compliance efforts raises concerns about the ability of contractors to meet the upcoming CMMC requirements, especially as the DoD intensifies its focus on cybersecurity.

Implications for the Future

As the CMMC rollout approaches, the potential gap between requirements and implementation poses significant challenges for both contractors and the DoD. The study’s findings suggest that many contractors may struggle to achieve compliance, which could have far-reaching implications for national security. If contractors are unable to meet the required cybersecurity standards, it could jeopardize the integrity of defense systems and sensitive information.

Conclusion

The recent study by CyberSheath and Merrill Research serves as a wake-up call for contractors within the Defense Industrial Base. With the CMMC certification looming on the horizon, it is imperative that contractors take immediate action to bolster their cybersecurity practices. The findings highlight a critical need for increased awareness, training, and resources to ensure that all contractors can meet the necessary standards for compliance. As the landscape of cybersecurity continues to evolve, the responsibility lies with contractors to prioritize their cybersecurity measures and safeguard the nation’s defense infrastructure.

Special thanks to Law Clerk Olivia Bellini for her contributions to this GT Alert. (Not admitted to the practice of law.)
