The Pentagon is expected to tighten cybersecurity requirements for vendors, but a new survey shows contractors have barely made progress.
Complying with the Cybersecurity Maturity Model Certification (CMMC), the Pentagon’s framework for assessing vendor cybersecurity, is as much of a mouthful as it sounds.
But many defense contractors are not even in the ballpark on those standards as the Defense Department’s revised version of CMMC is hurtling towards implementation, according to a Merrill Research study commissioned by cybersecurity firm CyberSheath.
The CMMC framework was created by the 2017 Defense Federal Acquisition Regulation Supplement (DFARS). However, it wasn’t a finalized rule, and until it is, companies can only undergo voluntary assessments. The Pentagon is preparing to release an updated version, CMMC 2.0, for industry feedback by the end of 2023, with an actual implementation date as soon as next year. CMMC has undergone several revisions, but draft versions indicate that CMMC 2.0 will include mandatory third-party or government certification for vendors handling more sensitive information, as well as finalize its contractual enforcement mechanisms.
DFARS defines compliance with the CMMC expectations as a score of 110 on a scale called the Supplier Performance Risk System (SPRS). CyberSheath says a score of 70 is considered “good enough” within the defense community. Yet CyberSheath’s data shows the average score submitted by Defense Department prime and/or subcontractors has barely budged from July and August 2022, when it was -23, to -15 in the April and May 2023 version of the survey.
From 2022 to 2023, the percentage of federal defense vendors who said they submitted SPRS scores fell from 46% to 36%. Those vendors claiming to meet CMMC standards via self-certification, the least rigorous method of measuring compliance, rose from 71% to 81%. CyberSheath noted in the report that “significantly fewer reported being compliant via a medium or high assessment.”
