Free Cyber Risk Analysis: Your Top Cyber Risks in 3 Clicks

Get Started
Request Demo

News Coverage

Cybersecurity Struggles in the Defense Sector

Originally published on the Radical Compliance blog. Author: Matt Kelly  

The report comes from CyberSaint, which sells software to help businesses automate their cybersecurity and IT governance practices. CyberSaint pulled together data from more than 250 anonymized risk assessments benchmarking defense contractors’ current cybersecurity systems against the NIST 800-171 standard. That standard is the foundation for the Defense Department’s new cybersecurity compliance requirement, the Cybersecurity Maturity Model Certification (CMMC). 

The Defense Department is phasing CMMC compliance into effect over the next five years. Only the largest defense contractors are subject to CMMC this year, but the plan is to extend compliance to all businesses in the defense industrial base — some 300,000+ firms — by 2026. Compliance will include implementing tough new cybersecurity controls and having those controls audited by an independent third party, so it won’t necessarily be an easy ride.

The CyberSaint report today suggests that those bumps are already happening. The company looked at those anonymized assessments and then scored the group’s “average” compliance with NIST 800-171 on a scale of 0 to 100. Some of the weak spots included… 

  • Configuration management, where the group scored 65. That suggests companies struggle with defining baseline configurations for their software, hardware, and firmware — and if you don’t understand what your IT infrastructure even looks like, good luck trying to assess and fix vulnerabilities that might exist.
  • Governance capabilities, with an average score of 64. Governance capabilities include establishing a cybersecurity policy for the whole enterprise, designating employees with defined cybersecurity roles, and managing all the legal and regulatory requirements you have. 
  • Risk management strategy, with a score of 64. That suggests that companies are struggling to identify and rank the risks that they have, especially against whatever risk tolerance levels were defined by the board. Without that executive clarity, the default will be to slip into the bad habit of going through known cybersecurity risks as more of a check-the-box exercise. 
  • IT asset identification. CyberSaint used a different scoring formula here, where the score was 1.35 on a scale of 1 to 3.
  • Trouble on this front shouldn’t be a surprise, considering the proliferation of employees using personal devices on corporate networks and of companies using cloud-based tech vendors. Still, this leaves companies exposed to the same threat we mentioned above: if you can’t even identify everything in your IT landscape, good luck securing it.

Now, obviously these weak spots align nicely with the products and services that CyberSaint sells; the company has a commercial interest in conveying this message of alarm. That doesn’t mean the message itself is wrong. Cybersecurity is difficult these days, and compliance with the CMMC standard will be difficult for plenty of defense industry firms about to be swept into its orbit.

Building a Cybersecurity Response

The CyberSaint report is worth a read for CISOs, auditors, and risk managers because it does illuminate how various control families with CMMC should fit together. Then you can approach your own cybersecurity program with a better understanding of which remediation tasks might be more important to undertake first. 

For example, configuration management is critical to effective cybersecurity. Controls in that family govern tasks like who can authorize changes to the IT system, who can install new software, and when software patches should be implemented. (Bad patch management is a particular sore spot, since it can lead to all manner of security threats. It even turned up in an SEC enforcement action announced just last week.)

Don’t be that cat.

But you can’t have good configuration management if you don’t understand the IT assets that exist on your network. So an even more important need is the ability to identify devices and applications running on your network. 

We should also talk about that governance finding, since successful governance involves documentation. Defense firms will need to document all those roles, responsibilities, policies, and risk processes accordingly.

This is important because to achieve CMMC compliance, you’ll need to pass an external audit — and the auditor is going to ask for that documentation. I’m not worried about the Tier 1 defense contractors wading through this documentation exercise ahead of a CMMC audit, but I do fear for the huge number of smaller sub-contractors in the defense industrial base. They’ll need to provide documentation too, and I wonder how many of them have sufficient resources to get that work done. 

Anyway, CMMC compliance is coming for a large portion of the U.S. business sector. It will be a significant undertaking that involves multiple parts of your enterprise. If you want a better sense of how significant that undertaking might be, give the CyberSaint report a read. 

You may also like

CyberSaint Launches NIST CSF ...
on May 8, 2024

BOSTON--(BUSINESS WIRE)--CyberSaint, the leader in cyber risk management, announced today the release of the NIST Cybersecurity Framework (CSF) Benchmarking Feature, which allows ...

CyberSaint Announces $21M in ...
on March 20, 2024

Boston, MA – March 20th, 2024 – CyberSaint, the leader in cyber risk management, today announced the company has raised $21M in Series A funding led by Riverside Acceleration ...

What to Expect When You’re ...
on March 13, 2024

Nathan Fisher has been in both the public and private sector—first as a special agent at the FBI and now, out of the federal game, as a special assistant of sorts, helping ...

Uncle Sam Intervenes as Change ...
on March 11, 2024

The US government has stepped in to help hospitals and other healthcare providers affected by the Change Healthcare ransomware infection, offering more relaxed Medicare rules and ...

How CISA Fights Cyber Threats ...
on March 11, 2024

After US election integrity and security took center stage as a political football after the 2020 Presidential race, the Cybersecurity and Infrastructure Security Agency (CISA) is ...

NIST Releases Expanded 2.0 Version ...
on April 25, 2024

The US National Institute of Standards and Technology released the 2.0 version of its Cybersecurity Framework, focusing more on governance and supply chain issues and offering ...