On Oct. 1, 2024, CyberSheath and Merrill Research released a study about cybersecurity compliance among contractors within the Defense Industrial Base (DIB). The research provides insights about how well contractors may be meeting cybersecurity standards before the Cybersecurity Maturity Model Certification (CMMC)’s launch in early 2025. The study, surveying contractors of all sizes already subject to Defense Federal Acquisition Regulation Supplement (DFARS) requirements, revealed that few may be prepared to meet CMMC 2.0 standards, even though the program was announced in early 2021.
Currently, the regulations require Department of Defense (DoD) contractors to post a self-assessment score against the 110 controls in NIST SP 800-171, which will form the basis of the CMMC requirements. According to the study, 41% of respondents have completed the self-assessment requirement, while 89% of the survey participants reported operating in critical infrastructure sectors. Contractors scored an average of -12 on the assessment.
Additionally, only 4% of respondents believe they are ready for CMMC certification. The study suggests that both large and small contractors are struggling to implement all the required controls.
The results of the survey are starker when examining specific requirements. Though 80% of respondents have experienced loss from a cyber incident, only 42% of respondents indicated they have developed annual incident response exercises. Just over 50% of respondents have a system security plan, and just under 50% have plans of action and milestones in place. Only 42% of companies reported performing an annual DFARS assessment. The failure of almost half of respondents to implement these key components of the requirements suggests a gap between requirements and implementation.
CyberSheath’s 2022 study reported similar results, showing that little progress has been made. For example, 46% of the 2022 respondents had completed the self-assessment requirement. The 2022 respondents also had an average SPRS score of -23. Despite DoD’s sustained focus on cybersecurity, the potential gap between requirements and implementation may presage challenges for contractors and DoD as CMMC rollout begins, potentially early next year.
* Special thanks to Law Clerk Olivia Bellini† for her contributions to this GT Alert.
† Not admitted to the practice of law.