8 October 2024

Study Suggests Only 4% Of DoD Contractors Are Ready For CMMC

Greenberg Traurig, LLP


On Oct. 1, 2024, CyberSheath and Merrill Research released a study about cybersecurity compliance among contractors within the Defense Industrial Base (DIB). The research provides insights about how well contractors may be meeting cybersecurity standards before the launch of the Cybersecurity Maturity Model Certification (CMMC) in early 2025. The study, which surveyed contractors of all sizes already subject to Defense Federal Acquisition Regulation Supplement (DFARS) requirements, revealed that few may be prepared to meet CMMC 2.0 standards, even though the program was announced in early 2021.

Currently, the regulations require Department of Defense (DoD) contractors to post a self-assessment score against the 110 controls in NIST SP 800-171, which will form the basis of the CMMC requirements. According to the study, 41% of respondents have completed the self-assessment requirement, while 89% of the survey participants reported operating in critical infrastructure sectors. Contractors scored an average of -12 on the assessment.

Additionally, only 4% of respondents believe they are ready for CMMC certification. The study suggests that both large and small contractors are struggling to implement all the required controls.

The results of the survey are starker when examining specific requirements. Though 80% of respondents have experienced loss from a cyber incident, only 42% of respondents indicated they have developed annual incident response exercises. Just over 50% of respondents have a system security plan, and just under 50% have plans of action and milestones in place. Only 42% of companies reported performing an annual DFARS assessment. The failure of almost half of respondents to implement these key components of the requirements suggests a gap between requirements and implementation.

CyberSheath's 2022 study reported similar results, showing that little progress has been made. For example, 46% of the 2022 respondents had completed the self-assessment requirement. The 2022 respondents also had an average SPRS score of -23. Despite DoD's sustained focus on cybersecurity, the potential gap between requirements and implementation may presage challenges for contractors and DoD as CMMC rollout begins, potentially early next year.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
