News, news analysis, and commentary on the latest trends in cybersecurity technology.
Defense Contractors Need to Check Their SixDefense Contractors Need to Check Their Six
Companies overall met government standards, but poor credential management left vulnerabilities.
February 10, 2022
In 2020, the US Department of Defense established the Cybersecurity Maturity Model Certification (CMMC) framework to certify its contractors as having appropriate cybersecurity practices, basing it on NIST standards. In a recent Black Kite report, 96% of the top 100 defense contractors complied with CMMC 2.0, the latest version. Even so, there were some weak points in the companies' armor.
The "2021 Third-Party Risk Pulse: The US Federal Government" report from Black Kite grades the performance of the top 100 defense contractors on various aspects of security preparedness. The group earned an overall B rating, indicating they were generally prepared to fend off ransomware. As the chart shows, though, credential management was a major weak point for over half; 57 companies rated an F. Indeed, the full report states, "42% of defense contractors have had at least one leaked credential within the last 90 days."
Most defense contractors rated well across security postures, including awareness of attack surface (88 As, 8 Bs), fraudulent apps (84 As, 11 Bs, 1 C), and social media risks (85 As, 9 Bs, 1 C, and 1 D). You can see a lot of zeros in the D and F rows.
However, half of the companies need to improve their patch management; 44 were rated an F here, with another four earning a D. Other weak spots included CDN security (51 Ds, 9 Fs), application security (15 Ds, 34 Fs), information disclosure practices (24 Ds, 16 Fs), and SSL/TLS strength (34 Ds, 17 Fs).
The results support the idea that meeting government standards for cybersecurity practices is necessary but not sufficient to protect sensitive information.
View the full defense sector report on Black Kite.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023