Defense contractors and the federal government are responsible for storing and protecting valuable information and private data that if in the wrongs hands could be used for harm. This includes critical infrastructure, personal identifiable information (PII), and other forms of information.
This means that organizations working within the Defense Industrial Base (DIB) have a unique responsibility to protect their vulnerable assets.
There have been multiple steps taken in order to reduce the attack surface of the DIB supply chain including the implementation of CMMC. The Cybersecurity maturity model certification was established to legislate compliance across the DIB and any defense contractor who has access to controlled unclassified information (CUI). CMMC is founded on NIST 800-171 and DFARS requirements in order to standardize the practices and controls implemented to secure an organization.
With all of these requirements can the Defense Industrial Base confidently say they are secure? The answer is unfortunately no.
What's the Standard?
In order to establish whether or not the DIB has successfully secured their supply chain it is important to identify the standard of success they are being asked to meet. In order to show how accurately a contractor has met DFARS requirements organizations have to submit a Supplier Performance Risk System (SPRS) score.
To be considered fully compliant a contractor must attain a perfect score of 110. However, many individuals consider a score of 70 to be "secure". Can we really say that a 63% is enough to combat advanced persistent threats (APT's)? Unfortunately, many contractors don't even reach a score of 70.
Missing the Mark
A recent study conducted by Merrill Research indicated some very concerning trends. According to a survey of 300 Department of Defense contractors, 87% of contractors scored lower than a 70 on their SPRS assessment.
This statistic is terrifying in the implications it has on the nations overall security posture. If an overwhelming majority of contractors' security infrastructure is vulnerable then we have a huge attack surface ready to be exploited. Many contractors have not implemented a vulnerability management solution, they don't require MFA on all applications, and neglect 24/7 monitoring of all systems. These are some of the most fundamental practices that can tremendously improve an organizations security posture.
What Can be Done?
Is there anything to be done when it comes to shrinking the attack surface of the DIB? First, contractors need to work on improving their SPRS score. A security assessment may prove beneficial in determining where an organizations gaps are and what can be done to fill them.
Oftentimes some of the most neglected security controls are the most fundamental ones. Enabling MFA on every account, practices good password hygiene, and security awareness training are the easiest steps contractor can take to help secure themselves against cyber criminals.
Additionally, working with an MSP to develop and implement a vulnerability management solution aids in bolstering a contractors security posture. All of these fundamental steps can go a long way in protecting the overall supply chain of the Defense Industrial Base.
CorpInfoTech prides itself in being able to secure business across the DIB using enterprise cybersecurity tools and practices. We can conduct a holistic security assessment and provide managed services that address all of your security needs.
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services including compliance assessment, cybersecurity penetration tests, and comprehensive business continuity planning services. CorpInfoTech can help organizations, quantify, create, refine, and mitigate the risks presented by business threatening disasters in whatever form they may be disguised.