News, news analysis, and commentary on the latest trends in cybersecurity technology.
Companies overall met government standards, but poor credential management left vulnerabilities.
In 2020, the US Department of Defense established the Cybersecurity Maturity Model Certification (CMMC) framework to certify its contractors as having appropriate cybersecurity practices, basing it on NIST standards. In a recent Black Kite report, 96% of the top 100 defense contractors complied with CMMC 2.0, the latest version. Even so, there were some weak points in the companies' armor.
The "2021 Third-Party Risk Pulse: The US Federal Government" report from Black Kite grades the performance of the top 100 defense contractors on various aspects of security preparedness. The group earned an overall B rating, indicating they were generally prepared to fend off ransomware. As the chart shows, though, credential management was a major weak point for over half; 57 companies rated an F. Indeed, the full report states, "42% of defense contractors have had at least one leaked credential within the last 90 days."
Most defense contractors rated well across security postures, including awareness of attack surface (88 As, 8 Bs), fraudulent apps (84 As, 11 Bs, 1 C), and social media risks (85 As, 9 Bs, 1 C, and 1 D). You can see a lot of zeros in the D and F rows.
However, half of the companies need to improve their patch management; 44 were rated an F here, with another four earning a D. Other weak spots included CDN security (51 Ds, 9 Fs), application security (15 Ds, 34 Fs), information disclosure practices (24 Ds, 16 Fs), and SSL/TLS strength (34 Ds, 17 Fs).
The results support the idea that meeting government standards for cybersecurity practices is necessary but not sufficient to protect sensitive information.
View the full defense sector report on Black Kite.
About the Author(s)
You May Also Like
Beyond Spam Filters and Firewalls: Preventing Business Email Compromises in the Modern Enterprise
April 30, 2024Key Findings from the State of AppSec Report 2024
May 7, 2024Is AI Identifying Threats to Your Network?
May 14, 2024Where and Why Threat Intelligence Makes Sense for Your Enterprise Security Strategy
May 15, 2024Safeguarding Political Campaigns: Defending Against Mass Phishing Attacks
May 16, 2024
Black Hat USA - August 3-8 - Learn More
August 3, 2024Cybersecurity's Hottest New Technologies: What You Need To Know
March 21, 2024