Dive Brief:
- Barely any U.S. defense contractors say they’re fully prepared to comply with the Department of Defense’s new cybersecurity assessment program.
- Only 1% of companies say they’re completely ready to be assessed through the Cybersecurity Maturity Model Certification (CMMC) program, which takes effect on Nov. 10, according to a report that the managed security provider CyberSheath published on Wednesday.
- The percentage of respondents expressing confidence in their readiness has dropped over the past two years.
Dive Insight:
CMMC represents a major step forward for the Pentagon’s oversight of its contractors’ cyber defenses. Military officials began creating the program in 2019 in response to concerns that defense firms weren’t taking cybersecurity seriously enough and were leaving gaps that foreign adversaries could exploit. But many of the roughly 100,000 defense industrial base (DIB) companies have struggled to prepare for CMMC assessments.
Fewer than 50% of respondents to CyberSheath’s survey have implemented the necessary security controls and completed the required documentation, including system security plans (SSPs) and plans of action and milestones (POAMs). In addition, only 29% of respondents have deployed secure backup technologies, only 22% have patch-management systems in place, only 27% are using multifactor authentication and only one-quarter are using endpoint detection and response software.
None of the respondents reported Supplier Performance Risk System scores of 110, which is required for full CMMC compliance, with 17% still reporting negative scores.
While only 1% of contractors reported 100% readiness, the median level of preparedness was 70%. Significant numbers estimated 80% or 90% readiness.
“With CMMC moving from policy to procurement,” CyberSheath said in its report, “the cost of delay is no longer measured only in lost contracts but in the exposure of sensitive national security information.”
CyberSheath, which sells CMMC compliance services, surveyed 300 contractors across the DIB, 89% of them prime contractors, 18% subcontractors and the rest holding both types of deals. Most respondents were in the technology and manufacturing industries, with many others representing construction, healthcare, finance and architecture.