Survey finds DOD contractors know little about forthcoming cyber standards

A new survey finds few DOD contractors are in the know on forthcoming cybersecurity standards, making for a steep learning curve when they go into effect.

The Defense Department has been planning for nearly a year to update its cybersecurity certification framework for vendors who handle its sensitive information — but that’s apparently news to some contractors.

A new survey published by Tier 1 Cyber found few DOD vendors are aware of the DOD’s new cybersecurity standard for contractors, the Cybersecurity Maturity Model Certification (CMMC). Only 24 percent of the responding defense contractors could accurately identify its acronym in the survey.

Overall, the survey found contractors have “gotten the message” on the importance of cybersecurity, but few have implemented measures to mitigate the imposing threats, Tier 1 Cyber CEO Bret Cohen told FedScoop.

The survey was conducted in November and solicited responses from a random sample of 150 government contractors with revenues of more than $15 million annually. Two-thirds of the respondents were DOD contractors with the vast majority employing more than 1,000 people.


The defense industry is targeted by state and rogue actors seeking to obtain sensitive national security data. To strengthen the military supply chain, the DOD launched CMMC as a top-down cybersecurity review and new framework to ensure compliance with cyber standards for all contractors.

The Cybersecurity Maturity Model Certification will replace the National Institute of Standards and Technology standards for cybersecurity as it is phased into the contracts later this year. Currently, contractors only need to self-certify NIST compliance. That will change under CMMC, with all companies in the DOD supply chain needing a third-party accredited authenticator to certify their level of cybersecurity compliance on a five-level scale. The security level will comport with the type of data contractors are given, with highly classified material only being awarded to high-level certified contractors.

The process could take up to a year, most of which companies will spend assuring the “maturity” of their network security, Cohen said. Beyond initial certification, contractors will also need to continuously ensure security compliance; they risk losing certification in the event of a breach, according to the DOD’s frequently asked questions page on CMMC.

The upcoming rules are not the only thing respondents displayed a lack of knowledge on. Cohen was also surprised by the low levels of trust DOD contractors say they have for third-party vendors. Only 12 percent of the defense contractors surveyed said they trust their vendors, an apparent weak link in the chain. Cohen interpreted that as evidence that contractors aren’t concentrating on their vendors’ security or, worse, just don’t know the state of their third-party vendors’ security.

Other contractors surveyed showed little implementation of cyber mitigation efforts beyond “water cooler conversation” about the topic. Many employees’ personal devices lacked security software, and training was not a regular practice for many of the contractors surveyed.


Cohen said he anticipates that other government agencies will adopt models similar to CMMC and that the DOD’s implementation will likely continue on track, despite his company’s survey finding limited understanding among contractors.
