Defense contractors are way behind on meeting upcoming cybersecurity standards

Complying with the Cybersecurity Maturity Model Certification (CMMC), the Pentagon’s framework for assessing vendor cybersecurity, is as much of a mouthful as it sounds.

But many defense contractors are not even in the ballpark on those standards as the Defense Department’s revised version of CMMC is hurtling towards implementation, according to a Merrill Research study commissioned by cybersecurity firm CyberSheath.

The CMMC framework was created by the 2017 Defense Federal Acquisition Regulation Supplement (DFARS). However, it wasn’t a finalized rule, and until it is, companies can only undergo voluntary assessments. The Pentagon is preparing to release an updated version, CMMC 2.0, for industry feedback by the end of 2023, with an actual implementation date as soon as next year. CMMC has undergone several revisions, but draft versions indicate that CMMC 2.0 will include mandatory third-party or government certification for vendors handling more sensitive information, as well as finalize its contractual enforcement mechanisms.

DFARS defines compliance with the CMMC expectations as a score of 110 on a scale called the Supplier Performance Risk System (SPRS). CyberSheath says a score of 70 is considered “good enough” within the defense community. Yet CyberSheath’s data shows the average score submitted by Defense Department prime and/or subcontractors has barely budged from July and August 2022, when it was -23, to -15 in the April and May 2023 version of the survey.

From 2022 to 2023, the percentage of federal defense vendors who said they submitted SPRS scores fell from 46% to 36%. Those vendors claiming to meet CMMC standards via self-certification, the least rigorous method of measuring compliance, rose from 71% to 81%. CyberSheath noted in the report that “significantly fewer reported being compliant via a medium or high assessment.”

Last year, CyberSheath found “extreme levels of non-compliance,” the company’s CEO, Eric Noonan, told IT Brew. “So, we’re very much about where we were a year ago, which is not a good place to be.”

In 2022, just 19% of contractors reported having implemented vulnerability management solutions, while only 25% had secure IT backup solutions. Both are SPRS metrics.

Noonan told IT Brew that contractors have had plenty of warning to raise standards, including the passage of DFARS, the National Cybersecurity Strategy, and new Securities and Exchange Commission rules requiring public companies to disclose more cybersecurity info to investors.

The reason scores aren’t higher is because “there’s nobody enforcing compliance today,” Noonan said, and contractors have made a “successful bet for many years” that awarding agencies would hesitate to disrupt business as usual.

Noonan says CMMC will make it more difficult for contractors who aren’t able to satisfy cybersecurity requirements to finalize contracts and get paid.

“Until the Defense Department says, ‘If you are not compliant, we will not award the contract,’ and it actually stands in the way of revenue, until that switch is flipped, we’re not going to see better scores,” Noonan added.

The study does show that defense contractors are paying attention, in that they’ve begun to realize compliance with CMMC might be more difficult than they had imagined. Seventy percent rated their difficulty in understanding how to achieve and maintain CMMC requirements at 7 out of 10 or above.

In Noonan’s view, complying with CMMC can be intimidating on multiple fronts. Apart from the costs of actually raising the SPRS scores themselves, vendors may also face costs associated with compliance documentation. Smaller contractors, or those who have neglected to prepare for the new rules, may be “very overwhelmed,” he said.

In 2020, DOD estimated the average annual cost of CMMC compliance for small entities to range from around $1,000 on the lowest tier to $483,000 at the highest, but National Defense reported in 2021 larger contractors have estimated costs in the millions.

“The big primes [contractors] whose names we all know, they have armies of people to do this pretty effectively internally,” Noonan warned. “But their supply chains don’t. If they have one IT person, they’re probably lucky.”

Noonan does not anticipate a “dramatic” crackdown when CMMC becomes a finalized rule, pointing out that some version of the requirements has already been in many of their contracts for 8 years.

“I think we’ll be amazed when somehow they find a way to get compliant and implement these minute, minimum security requirements,” Noonan concluded. Nor will the Pentagon just flip a switch, he added: “It’s not going to be [that] all 300,000+ contracts are going to be audited overnight.”

Instead, Noonan said, he thinks contractors that are still behind will face the equivalent of a corrective action plan.

“Get an assessment, document your gaps, get on the road to compliance,” Noonan concluded. “In my experience, that’s what the DOD is expecting.”

Defense Department spokesperson Commander Timothy P. Gorman told IT Brew it was “unable to address any substantive aspects” of the forthcoming CMMC rule “until the rulemaking process is complete.” He referred IT Brew to the Office of Information and Regulatory Affair’s open DFARS cases list, which listed the extended deadline for Defense Acquisition Regulations Council to release a report as Oct. 25.