In 2020, the US Department of Defense established the Cybersecurity Maturity Model Certification (CMMC) framework to certify its contractors as having appropriate cybersecurity practices, basing it on NIST standards. In a recent Black Kite report, 96% of the top 100 defense contractors complied with CMMC 2.0, the latest version. Even so, there were some weak points in the companies' armor.

The "2021 Third-Party Risk Pulse: The US Federal Government" report from Black Kite grades the performance of the top 100 defense contractors on various aspects of security preparedness. The group earned an overall B rating, indicating they were generally prepared to fend off ransomware. As the chart shows, though, credential management was a major weak point for over half; 57 companies rated an F. Indeed, the full report states, "42% of defense contractors have had at least one leaked credential within the last 90 days."

Most defense contractors rated well across security postures, including awareness of attack surface (88 As, 8 Bs), fraudulent apps (84 As, 11 Bs, 1 C), and social media risks (85 As, 9 Bs, 1 C, and 1 D). You can see a lot of zeros in the D and F rows.

However, half of the companies need to improve their patch management; 44 were rated an F here, with another four earning a D. Other weak spots included CDN security (51 Ds, 9 Fs), application security (15 Ds, 34 Fs), information disclosure practices (24 Ds, 16 Fs), and SSL/TLS strength (34 Ds, 17 Fs).

The results support the idea that meeting government standards for cybersecurity practices is necessary but not sufficient to protect sensitive information. 

View the full defense sector report on Black Kite.