WASHINGTON — A new survey suggests that very few defense industrial base companies are “fully” prepared for the looming cybersecurity regulations known as Cybersecurity Maturity Model Certification (CMMC) 2.0, set to drop in the first quarter of 2025.
The online survey, which took input from 300 respondents in the DIB, was conducted by Merrill Research, a firm that conducts qualitative research for a range of clients including Microsoft, Intel, and Mastercard, and was commissioned by CyberSheath, an IT firm that provides CMMC compliance services.
CyberSheath CEO Eric Noonan told Breaking Defense that the survey results should be “sobering for Americans,” saying that the findings reflected that some contractors are unable to follow basic requirements like multi-factor authentication and vulnerability management that are staples of CMMC 2.0 compliance. The main challenges to compliance include managing costs, implementing sustainable policies and simply understanding the steps of compliance, according to the survey.
“The defense industrial base is one of the 16 critical infrastructure sectors, and is not only non-compliant, but actually woefully under-secured relative to cybersecurity,” Noonan said. “The two biggest implications are, first and foremost, we have really a kind of crisis of cybersecurity, or lack of, within the defense industrial base. And then second, for those individual companies, contractors, primes and subs, they’re going to be ineligible going forward to continue to win DoD contracts.”
The survey also highlighted what pollsters suggested was a potential blind spot: though only 4 percent of respondents were actually CMMC compliant based on third-party assessment, fully 75 percent thought they were based on self-assessments.
“It’s just a complete disconnect, where, on one hand, contractors are saying, ‘I’m doing a self-assessment, and I’m in great shape.’ But then I think when facing the light of day, and the fact that an independent third-party auditor is going to be looking at that, [and] they’re being very honest and saying ‘We’re actually not anywhere near compliance.’ So you have 96 percent of respondents who are saying they couldn’t pass these requirements,” Noonan said. “It highlights the disconnect between the rigor of a self-assessment and an actual audit.”
The study also revealed that the Supplier Performance Risk System (SPRS) scores among the respondents averaged -12, despite a score of 110 being needed to meet CMMC standards. SPRS is a tool used by the DoD that measures contractors’ cybersecurity capabilities in protecting controlled unclassified information (CUI).
CMMC 2.0 is a Pentagon initiative designed to create an upgraded version of CMMC 1.0, which in 2020 set the baseline cybersecurity standards for contractors who handle CUI. The idea behind CMMC 2.0 is to piggyback off the ideas of CMMC 1.0, while responding to industry complaints that the first compliance program was too costly and restrictive.
The study received 300 responses via an online survey in April of this year, including respondents from companies with 40 to 1,000 employees, and ranging from C-level executives down to engineers or technicians. The study also surveyed prime contractors, firms that were both prime and subcontractors, and those that were only subcontractors. All respondents were part of firms that had at least some Defense Federal Acquisition Regulation Supplement (DFARS) obligations in their existing business or contracts.