Report: nearly 90% of Pentagon supply chain fails basic cybersecurity requirements
The first-ever thorough analysis of the state of cybersecurity of the Pentagon's US Defense Industrial Base (DIB) reveals that nearly 90% of its contractors do not meet the required security standards.
Defence contractors possess sensitive national security information and are being constantly targeted with sophisticated hacking operations led by state-sponsored hackers.
The in-depth analysis of the Pentagon supply chain was commissioned by CyberSheath, a cybersecurity compliance service provider, and was carried out by Merrill Research, a provider of custom, multi-methodological research services.
The survey questioned 300 US-based DIB contractors via an online survey in July 2022.
The supply chain of the departments in question was evaluated using the Supplier Risk Performance System (SPRS), which is the DoD's single, authorised system to retrieve supplier security performance information.
Contractors who do not possess an SPRS score of 70 or higher are deemed non-compliant with the Defense Federal Acquisition Regulation Supplement (DFARS) criteria.
The DFARS is a set of cybersecurity regulations the DoD imposes on its contractors. The DFARS, which has been in effect since 2017, demands a score of 110 to be considered fully compliant.
Data presented by Atlas VPN shows that a startling 89% of contractors have an SPRS score of less than 70, which means that they do not meet the legally required minimum.
Over 25% of the supply chain received SPRS scores between -170 to -120, while only 11% of surveyed contractors received a score that is regarded as compliant.
The research conclusions show a clear and present risk to US national security.
These findings should not be easily overlooked, considering the current global political tensions and the constant barrage of attacks from state-sponsored hackers.
Areas of non-compliance
Approximately 80% of the DIB does not monitor its systems 24/7/365 and does not use security monitoring services headquartered in the United States. Using foreign cybersecurity services has a risk on its own.
Other flaws were discovered in the following areas:
- 80% do not have a vulnerability management system.
- 79% do not have a robust multi-factor authentication (MFA) system in place, and 73% do not have an endpoint detection and response (EDR) solution.
- 70% of organisations have not implemented security information and event management (SIEM)
These security measures are legally required by the DIB, and if they are not satisfied, the DoD and its capacity to undertake armed defence face a major danger.