Contractors across the Defense Industrial Base (DIB) are scrambling to meet cybersecurity compliance requirements passed down by the federal government. State-backed cyber attackers are specifically targeting companies that have less-than-adequate cybersecurity measures with advanced attack campaigns. One such security metric used to determine how well a contractor meets Defense Federal Acquisition Regulation Supplement (DFARS) requirements is the Supplier Performance Risk System (SPRS) score. The SPRS requires a score of 110 to be determined “fully compliant,” yet 87% of contractors have a sub-70 score.

Now, CMMC 2.0 outlines requirements for any contractor dealing with Controlled Unclassified Information (CUI). A survey of 300 U.S.-based defense contractors revealed that the majority don’t meet even the most basic cybersecurity requirements. Around 80% of the DIB doesn’t monitor its systems and networks around the clock, and many that do don’t use U.S.-based security monitoring services. 79% lack a comprehensive multi-factor authentication solution. 73% lack a proper endpoint detection and response (EDR) solution, and 70% don’t use a security information and event management (SIEM) solution.


CMMC 2.0 is based on over 100 controls outlined in NIST 800-171. Accounting for those controls is a daunting and time-intensive task, so it’s no wonder suppliers are a bit behind. Many of these companies have self-audited in the past, and SPRS scores can be skewed due to internal bias. It is important for these suppliers to be honest with themselves to achieve a robust, effective cybersecurity infrastructure.

To make matters worse, entities offering governance, risk and compliance (GRC) services may not use the correct assessment criteria to determine how close companies are to meeting the requirements outlined in CMMC 2.0. Omitting the assessment criteria in NIST SP 800-171A could obscure the true state of a supplier’s cybersecurity measures and perpetuate a false sense of confidence that the supplier is well on its way to being compliant.

The Information Security Oversight Office also released a statement on this subject two and a half years ago.

If you’re concerned about meeting these requirements, you’re not alone. Suppliers should be actively working to improve the protection of information. But if you’re not sure where to start, NTG’s security team can put you on the right path. We have a background in working closely with DoD and we’re deeply familiar with the tools and methodology necessary to keep our nation’s most guarded secrets secret. Historically, we’ve been instrumental in the evolution of network and information security in the government and its suppliers, so if you’re looking for some answers, don’t hesitate to contact us at your convenience. We make sure our assessment captures the full scope of your organization with minimal interruption to business continuity.