Nearly 90% of the Pentagon supply chain fails basic cybersecurity requirements

The first-ever thorough analysis of the state of cybersecurity of the US defense industrial base (DIB) reveals that nearly 90% of its contractors do not meet the required security standards.

Defense contractors possess sensitive national security information and are being constantly targeted with sophisticated hacking operations led by state-sponsored hackers.

The defense industrial base sector is an industrial complex that is responsible for the research, development, production, delivery, and maintenance of military weapons systems. The DIB provides products and services that are essential to mobilize, deploy, and sustain military operations. 

The in-depth analysis of the Pentagon supply chain was commissioned by CyberSheath, a cybersecurity compliance service provider, and was carried out by Merrill Research, a leader in providing custom, multi-methodological research services. Access the State of The Defense Industrial Base Report here. 

The survey questioned 300 US-based DIB contractors via an online survey in July 2022.

NASA, the Department of Defense (DoD), the Department of Energy (DoE), the Department of Veterans Affairs (DVA), the Department of Homeland Security (DHS), and the Department of Justice (DOJ) comprise the DIB agencies analyzed in the report.

The supply chain of the departments in question was evaluated using the Supplier Risk Performance System (SPRS), which is the DoD’s single, authorized system to retrieve supplier security performance information.

Contractors who do not possess an SPRS score of 70 or higher are deemed non-compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) criteria.

The DFARS is a set of cybersecurity regulations the DoD imposes on its contractors. The DFARS, which has been in effect since 2017, demands a score of 110 to be considered fully compliant.

A score of 70 and above is regarded as “good enough,” but the vast majority of contractors fail even to meet this level of compliance.

Data presented by CyberSheath shows that a startling 89% of contractors have an SPRS score of less than 70, which means that they do not meet the legally required minimum.  

Over 25% of the supply chain received SPRS scores between -170 to -120, while only 11% of surveyed contractors received a score that is regarded as compliant.

The research conclusions show a clear and present risk to US national security. In 2022, we also reported on US Nuclear Security body lacking necessary security measures.

These findings should not be easily overlooked, considering the current global political tensions and the constant barrage of attacks from state-sponsored hackers. Furthermore, our research has showed that cyber incidents have increased at NASA. Thus, criminals more and more sophisticated targets.

Areas of non-compliance

Approximately 80% of the DIB does not monitor its systems 24/7/365 and does not use security monitoring services headquartered in the United States. Using foreign cybersecurity services has a risk on its own.

Other flaws were discovered in the following areas:

• 80% do not have a vulnerability management system.
• 79% do not have a robust multi-factor authentication (MFA) system in place, and 73% do not have an endpoint detection and response (EDR) solution.
• 70% of organizations have not implemented security information and event management (SIEM)

These security measures are legally required by the DIB, and if they are not satisfied, the DoD and its capacity to undertake armed defense face a major danger.