A Closer Look: Current State of Cybersecurity in the Defense Industry



Over the past decade, cyber threats have grown exponentially more sophisticated and frequent, with trillions of dollars lost each year due to cyberattacks. This threat is especially prevalent for those in the defense industry, as suppliers at all levels are being targeted.

In response to this heightened threat, government and industry leaders have scrambled to develop a comprehensive and effective approach to cyber safety. Proposed solutions have largely fallen short of fully addressing the cyber threat in a unified way, leaving defense suppliers confused about where to start and reluctant to implement solutions.

This industry-wide sentiment was captured in a report released by the National Defense Industrial Association (NDIA) in August 2019 titled Beyond Obfuscation: The Defense Industry’s Position within Federal Cybersecurity Policy. The report evaluates the current state of cyber practices within the defense industry, highlighting the risks, vulnerabilities and challenges experienced by suppliers.

According to the survey included in the report, which was given to 300 defense organizations ranging from prime contractors to third-tier subcontractors:

  • More than 25% work for firms that have experienced a cyber-attack
  • Small companies use security measures such as firewalls and multi-factor authentication at a much lower rate than large companies
  • 30% of companies do not have a good sense of the cost needed to recover from a cyber attack
  • Small businesses are 15% less likely to agree their employees are well-prepared to understand and respond to cybersecurity threats
  • Only 54% of small businesses agreed they were prepared to comply with DFARS 7012 requirements
  • 44% of prime contractors have not been able to verify their subcontractors’ system security plans

It is clear there is a need for a stronger approach to regulating cyber practices – but what can be done to help this? Recommendations to improve the flow-down of cyber regulations were outlined in the report, including:

  • The industry must be as committed to solving the issue of cyber breaches as the government – they must be ready to protect the innovative technologies they develop
  • Communication among industry partners must improve, with a focus on keeping smaller companies educated and informed
  • The current cyber regulations must be simplified, making it easier for smaller companies to comply
  • Prime contractors should share cyber best practices with smaller companies, working together to increase security across the entire supply base
  • Small companies need to prioritize cybersecurity initiatives

As 2020 rapidly approaches and with the estimated annual intellectual property loss jumping to six trillion dollars, the government has made efforts to ensure businesses of all sizes are better positioned to protect against ever-evolving cyber threats.

The recently released National Institute of Standards and Technology (NIST) Special Publication 800-160 Volume 2, Developing Cyber Resilient Systems: A Systems Security Engineering Approach, attempts to bridge the gap between classic risk management and information systems to enable businesses to design more flexible systems that can adapt to changing business requirements and threats. Its primary focus is the “Advanced Persistent Threat,” meaning sophisticated threats that utilize multiple avenues of attack and adapt to defenders’ efforts to resist, and it emphasizes the need for a practical implementation of systems combined with a constant review of risk.

In addition, the defense industry has started taking steps toward evaluating supplier compliance with the contractual requirements outlined in DFARS 252.204-7012 through the recent release of the Defense Contract Management Agency’s “Assessment Methodology.” This provides organizations with a method to score their practices, along with a formalized procedure for evaluating a company’s implementation of NIST SP 800-171 Rev. 1.

Finally, the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) program is expected to be released soon. The CMMC builds upon the existing regulations outlined in DFARS 252.204-7012 and evaluates not only the technical implementation of NIST SP 800-171 Rev. 1 but also the maturity of the company’s cyber program. This includes risk management, policy and procedures, and how these are used to direct the company’s information protection. More program details will be released in 2020, with CMMC language planned to be introduced into contract bid requests later in the year.

These efforts are meant to satisfy the industry’s need for a unified and structured approach to cybersecurity. However, unless all industry players – including small suppliers – commit themselves to effectively practice and prioritize cyber safety, the costs of attacks will only continue to grow.

To learn more about how to protect your business from cyber threats, or how to comply with NIST 800-171 and prepare for potential audits, contact cyber@the-center.org.


Jeff Williams, Program Manager, Cybersecurity
Jeff Williams leads The Center's efforts to educate and equip small and medium-sized manufacturers to guard against the growing threat of cyber-attacks. One of his main areas of focus relates to the cybersecurity requirements outlined in NIST Special Publication 800-171, designed to protect the information security systems of contractors working with the Department of Defense. In addition to serving Michigan’s manufacturing community, Jeff also is involved with training other Manufacturing Extension Partnership (MEP) centers across the U.S. This effort will enable those centers to provide cybersecurity services to manufacturers in their states.



Since 1991, the Michigan Manufacturing Technology Center has assisted Michigan’s small and medium-sized businesses to successfully compete and grow. Through personalized services designed to meet the needs of clients, we develop more effective business leaders, drive product and process innovation, promote company-wide operational excellence and foster creative strategies for business growth and greater profitability. Find us at www.the-center.org.
