A recent executive order from the Biden administration made the cyber standards for United States defense contractors more rigorous, but a new report from incident response firm BlueVoyant indicates that those wheels are not fully in motion just yet. The survey of 300 small-to-medium business (SMBs) defense contractors found common failure to comply with CMMC requirements, and returned some disturbing numbers: 48% had “severe vulnerabilities” such as unsecured ports and data storage, and about 10% showed critical vulnerabilities and evidence of compromise. 28% were assessed as not being able to pass a test of even the most basic tier-1 CMMC requirements.
SMB defense contractors struggling to keep up
The report focuses on SMBs in the defense industrial base (DIB) as they are targets of extreme interest to threat actors, particularly nation-state actors looking for an entry point into defense supply chains that can be exploited to eventually reach better-defended organizations.
The results of the report bear out the hypothesis that SMBs in the DIB contractor chain will be more poorly defended and a likely first stop for threat actors looking to ultimately penetrate government agencies. The report finds that the 10% of surveyed companies that had critical vulnerabilities were already showing signs of intentional and targeted threat activity; some appear to have already been compromised.
The 300 companies that were tested all had annual revenues of less than $1 billion and mostly had employee counts in the low hundreds. The testing looked for signs of threat activity, existing compromise, and visible vulnerabilities such as unsecured ports and outdated or unpatched software. While it is true that threat actors have a general interest in smaller defense contractors due to a general tendency to have less sophisticated defenses, the report found that risk and vulnerability correlated more with industry type than company size; R&D and manufacturing companies were found to be substantially more at risk than their similarly-sized counterparts in other verticals. Small manufacturing firms were found to have the highest levels of critical risk (14%), while 100% of the large R&D firms were rated at least “high risk” and found to have network vulnerabilities. Additionally, a little over 1/3 of the large R&D firms showed existing evidence of targeting or compromise.
In addition to the 48% of defense contractors that exhibited serious vulnerabilities, slightly over 50% showed a critical vulnerability to ransomware. 20% had multiple vulnerabilities. And of the companies considered “critical risk” status, nine still had the exploitable vulnerabilities of the much-publicized F5 and Microsoft Network attacks present (all of these being either small manufacturing or large R&D companies).
What exactly were the vulnerabilities that were observed? The most common by far were email security issues. The next most common were unpatched software vulnerabilities, evidence of malicious internal activity, and general IT hygiene (i.e. failure to secure ports or data storage properly).
CMMC requirements going unmet
The Cybersecurity Maturity Model Certification (CMMC) is a requirement for all defense contractors, the standard that the industry is transitioning to from the NIST SP 800-171. There are five tiers of CMMC requirements that companies can fall into depending on what sort of information they handle and access they have; the lowest tier, Tier 1, is actually considerably less stringent than the NIST SP 800-171 requirements. Thus, organizational failure to meet even this most basic requirement indicates systemic cybersecurity dysfunction stretching back for some time. Bassam Al-Khalidi, Founder and Co-CEO of AxiadAxiad, says that this news is not unexpected: “It’s alarming but not unsurprising that over a quarter of companies wouldn’t meet the most basic CMMC requirements … The reality is that many businesses struggle to keep up: organizations often have limited IT resources and implementing new technologies to meet security requirements can seem like an overwhelming investment. That’s why businesses need to look for ways to future-proof their cybersecurity infrastructure with scalable solutions and partners that are knowledgeable about the CMMC requirements. This enables them to work towards higher maturity levels of CMMC and other standards, without the need to invest in costly new technology in the future.”
There are incidents stretching back more than a decade now that demonstrate how important the cybersecurity practices of defense contractors are to the entire chain. These range from the 2011 theft of 24,000 terabytes of data from the Department of Defense (DoD) to the recent SolarWinds compromise. The DoD has an estimated 100,000 to 300,000 direct contractors, and the number of subcontractors that work for them cannot even be accurately counted. These chains of defense contractors are also frequently not at all linear, with a prime contractor on one project playing an indirect role in one or several others. The CMMC requirements in some cases conflict with the systems of communication needed to facilitate all of these connections.
The report notes that in addition to the new cybersecurity certification standards and the terms of the Biden executive order, requirements for defense contractors may be ratcheted up even further by new terms introduced in the national upcoming infrastructure plan and the 2022 Defense Authorization Act. The DoD is also in the midst of developing a “threat hunting” program that would, for the first time, see the agency actively probe its contractors for vulnerabilities; Congress will see a report on the program by September, and if approved it could roll out in 2022.