The Most Common Control Deficiencies in CMMC non-compliant DoD contractors

Abstract

As cyber threats become highly damaging and complex, a new cybersecurity compliance certification model has been developed by the Department of Defense (DoD) to secure its Defense Industrial Base (DIB), and communication with its private partners. These partners or contractors are obligated by the Defense Federal Acquisition Regulations (DFARS) to be compliant with the latest standards in computer and data security. The Cybersecurity Maturity Model Certification (CMMC), and it is built upon existing DFARS 252.204-7012 and the NIST SP 800–171 controls. As of 2020, the DoD has incorporated DFARS and the National Institute of Standards and Technology (NIST) recommended security practices into what is now the CMMC. This paper presents the most commonly identified Security-Control-Deficiencies (SCD) faced, the attacks mitigated by addressing these SCD, and remediations applied to 127 DoD contractors in order to bring them into compliance with the CMMC guidelines. An analysis is done on what vulnerabilities are most prominent in the companies, and remediations applied to ensure these vulnerabilities are better avoided and the DoD supply-chain is more secure from attacks.