News, news analysis, and commentary on the latest trends in cybersecurity technology.

Defense Contractors Need to Check Their Six

Companies overall met government standards, but poor credential management left vulnerabilities.

Dark Reading Staff, Dark Reading

February 10, 2022

1 Min Read
Heat map that grades US defense contractors on preparedness in various security areas; each area adds up to 96 companies
Source: Black Kite

In 2020, the US Department of Defense established the Cybersecurity Maturity Model Certification (CMMC) framework to certify its contractors as having appropriate cybersecurity practices, basing it on NIST standards. In a recent Black Kite report, 96% of the top 100 defense contractors complied with CMMC 2.0, the latest version. Even so, there were some weak points in the companies' armor.

The "2021 Third-Party Risk Pulse: The US Federal Government" report from Black Kite grades the performance of the top 100 defense contractors on various aspects of security preparedness. The group earned an overall B rating, indicating they were generally prepared to fend off ransomware. As the chart shows, though, credential management was a major weak point for over half; 57 companies rated an F. Indeed, the full report states, "42% of defense contractors have had at least one leaked credential within the last 90 days."

Most defense contractors rated well across security postures, including awareness of attack surface (88 As, 8 Bs), fraudulent apps (84 As, 11 Bs, 1 C), and social media risks (85 As, 9 Bs, 1 C, and 1 D). You can see a lot of zeros in the D and F rows.

However, half of the companies need to improve their patch management; 44 were rated an F here, with another four earning a D. Other weak spots included CDN security (51 Ds, 9 Fs), application security (15 Ds, 34 Fs), information disclosure practices (24 Ds, 16 Fs), and SSL/TLS strength (34 Ds, 17 Fs).

The results support the idea that meeting government standards for cybersecurity practices is necessary but not sufficient to protect sensitive information. 

View the full defense sector report on Black Kite.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights