New report finds defense contractors struggling with cybersecurity requirements

By Justin Doubleday  / May 21, 2019

Defense Department contractors are struggling to meet the standards for protecting sensitive DOD information on their networks, as most companies fail to use key controls like multifactor authentication and incident response tests, according to a new report from cybersecurity auditing firm Sera-Brynn.

The report issued last week assessed how defense contractors are implementing a provision in the Defense Federal Acquisition Regulation Supplement (DFARS) requiring contractors to protect controlled unclassified information (CUI) on their networks using the 110 controls in National Institute of Standards and Technology Special Publication 800-171. The requirement is DOD's primary instrument for ensuring the cybersecurity of sensitive data across its supply chain.

"NIST 800-171 is a solid cybersecurity baseline for organizations handling sensitive information," the report states. "However, it has not been well implemented even when required."

Sera-Brynn found the organizations it assessed had implemented 39% of the 110 controls on average, and none was 100% compliant, according to the report.

Sera-Brynn pulled the data for the report from assessments it conducted between December 2017 and February 2019 on approximately 50 organizations subject to the DFARS rule. The organizations ranged from "small businesses conducting scientific research to publicly traded companies in manufacturing, consulting, and technology," as well as universities, according to the report.

Rob Hegedus, chief executive at Sera-Brynn, said the company put out the report to help people better understand the contractor cybersecurity landscape.

"When we go in and work with a defense contractor, one of the first questions they ask is, 'Where do we stand compared to our peers? What does the rest of the community look like?'" Hegedus said in an interview with Inside Defense.

The report found businesses with more than $500 million in annual revenue were generally more compliant, as those companies fully implemented 57% of the controls, on average.

"In general, the larger the company and more robust the security environment, the higher the percentage of 800-171 controls implemented," the report states.

However, there was "statistically little difference" between a firm with $10 million in annual revenue and a $100 million company, according to the report. The firms in that range fully implemented 34% of the controls, on average.

Still, the smallest companies struggled the most. The report found companies with $5 million or less in annual revenue had "the highest percentage of controls not implemented."

The report also found a "not-so-sweet" 16 controls went unimplemented across 80% or more of all organizations. For instance, multifactor authentication, incident response testing and proper CUI marking were each missing at 91% of the organizations assessed, according to the document.

The report illustrates the problem DOD is facing in attempting to secure a vast supply chain that includes many small and medium companies, according to Robert Metzger, head of the DC office for law firm Rogers Joseph and O'Donnell, and an author of the MITRE Corp.'s "Deliver Uncompromised" supply chain security report conducted on behalf of DOD.

"It is consistent with what many regrettably have come to believe is the case, and that is much of the supply chain, where we hope to do a better job protecting covered defense information against exfiltration, is having trouble getting the job done," Metzger said in an interview.

DOD does not currently require full compliance with the NIST controls. Instead, the regulation requires companies to document their current "system security plan" and develop a "plan of action and milestones" for implementing any neglected controls.

But with the defense industrial base under "cyber siege," as a recent Navy report asserts, DOD officials are beginning to move toward stricter enforcement of the standards. The department is developing new contracting language to hold companies "accountable" and plans to begin scoring contractors on their compliance by 2020.

Colin Glover, director of DFARS assessments at Sera-Brynn, said what often motivates companies to take the cybersecurity requirements seriously are education and auditing, as well as the importance of defense contracts to their business model.

"Oftentimes, they'll see the contract language in there, and they just kind of ignore it until they finally get asked [about it] by somebody," Glover said. "Whereas a small business who's dependent on DOD funding is going to be pretty aggressive in meeting all those requirements."

Despite the struggles with implementation, NIST 800-171 compliance equates to increased security, the Sera-Brynn report asserts. The firm reviewed several cybersecurity incidents at the organizations it assessed and found proper implementation of the NIST controls would have made a difference in either preventing the breach or limiting its impact.

For instance, a lack of multifactor authentication, untrained users and poor patch management all "played significant roles" in many of the cases reviewed, according to the report.

"This is not just some bureaucratic checking the box requirement," Hegedus said of the DFARS requirement. "It actually does improve the overall security posture, and it does significantly decrease the liability of a breach."

Metzger said he agrees compliance with NIST 800-171 controls equates to better security. But he thinks DOD must "confront a world in which 171 compliance, at least with all 110 controls, is not a workable outcome."

"I think we should consider a risk-tailored approach to how it is applied and what is expected," Metzger said. "I also think the government has to accept that it is going to cost money to improve the security of the supply chain, and that only a small percentage of companies are able to absorb those costs today without needing to be paid more."

However, DOD officials may not accept the premise of paying more for contractor cybersecurity. Last September, then-Deputy Defense Secretary Patrick Shanahan said, "we shouldn't pay extra for security."

"Security is the standard," Shanahan said during the Air Force Association's annual conference. "It's not something that's above and beyond what we've done before."

Many DOD officials have compared cybersecurity to quality, arguing the department does not pay more for products to meet quality management standards such as those published by the International Organization for Standardization.

But Metzger said quality standards have benefited from decades of work and investment, unlike cybersecurity. He said simply insisting upon strict compliance with the NIST controls will result in some companies doing a better job but warned such a regime will have negative consequences as well.

"Companies will promise to do what they know they have not -- they will overpromise and underachieve," Metzger said. "And perhaps more seriously, I believe there will be defections, at many levels of the supply chain, from the defense industrial base."