America’s defense contractors are failing basic cybersecurity and China is exploiting it


COMMENTARY: The gap between what Americans believe about the security of our defense contractors and the grim reality should alarm everyone.

Most Americans likely assume that defense contractors, funded by taxpayer dollars, already meet stringent cybersecurity requirements. After all, these companies are the backbone of national defense, handling everything from classified military projects to critical infrastructure. 

Unfortunately, that assumption is dangerously wrong.

A new report from Merrill Research delivers a sobering reality check: Only 4% of defense contractors are fully prepared to meet the Department of Defense minimum cybersecurity requirements known as the Cybersecurity Maturity Model Certification. These requirements represent basic cyber hygiene, not cutting-edge tools — yet the vast majority of contractors fail to meet even these minimum standards.

The timing couldn’t be worse. The U.S. faces an unprecedented and persistent cyber threat, particularly from China. Recently, hackers linked to Beijing breached several U.S. internet service providers in an attack dubbed Salt Typhoon. This latest intrusion is part of a broader wave of sophisticated cyber campaigns orchestrated by China, including Volt Typhoon and Flax Typhoon, which have penetrated critical sectors ranging from energy to telecommunications. As FBI Director Christopher Wray bluntly stated, “China’s hacking program is larger than that of every other major nation, combined.”

The gap between what Americans believe about the security of our defense contractors and the grim reality exposed by the Merrill report should alarm everyone.

Basic cyber hygiene, critical national risk

The CMMC is the digital equivalent of locking your doors at night. Multi-factor authentication and patch management are fundamental requirements, yet the Merrill report shows that only 21% of defense contractors use multi-factor authentication, something most civilians already need just to log into their social media accounts, and a dismal 15% have implemented patch management, which ensures that known software vulnerabilities are fixed on a regular schedule.

The disconnect between belief and reality is stark. While 75% of contractors believe they are compliant, their reported cybersecurity readiness tells a different story. The average Supplier Performance Risk System score across surveyed contractors is a staggering -12, far below the 110 required to meet CMMC standards (110 is a perfect score, and each unimplemented control subtracts points, which is how an average can fall below zero).

This isn’t just a compliance failure; it’s a national security crisis.

If these contractors — many of them responsible for safeguarding classified data and developing our military’s most advanced technology — are this unprepared, what does that say about the rest of the U.S. critical infrastructure? 

The defense industrial base is one of 16 critical infrastructure sectors in the U.S., alongside other essential industries like energy, healthcare, and financial services. These sectors are integral to the functioning of our nation.

The Salt Typhoon, Volt Typhoon, and Flax Typhoon attacks highlight just how deeply Chinese cyber operatives are infiltrating that critical infrastructure. According to U.S. intelligence, China’s ultimate goal is to disrupt America’s ability to respond to military crises, particularly in the event of a conflict over Taiwan. The idea that Chinese hackers could paralyze our power grids, disrupt water systems, or compromise defense communications is no longer a far-fetched scenario. It’s a real and present danger.

The need for accountability

The CMMC standards, having slowly worked their way through the regulatory process, are slated for enforcement and third-party audits in 2025. Why the need for third-party audits? Because these cybersecurity requirements have been in place for nearly a decade and are written into more than 1,000,000 contracts, but the defense industrial base (DIB) has been allowed to self-certify compliance with them.

Now that they can no longer do so, the vast majority of defense contractors must retrofit their sprawling digital infrastructure with mandatory minimum cybersecurity controls quickly, so as not to jeopardize the awarding of new contracts.

Can contractors afford this?

As for the cost of CMMC, particularly for small businesses, industry trade associations have done a good job of framing it as an unaffordable, unachievable burden — but that framing is not true.

Lobbyists and trade groups are pushing back against requirements that have been in contracts for nearly a decade. Contractors have already been certifying their compliance for years, and CMMC is simply the formal verification that they are doing what they've always claimed. CMMC can be achieved in a way that is affordable for small businesses, and with the right partner, cost is not a barrier.

The DOD declined further delaying implementation because it said each passing day “increases the risk for exfiltration of non-public information on unsecured nonfederal systems that may result in the loss of DoD's technological advantages in its warfighting capabilities and programs.”

We've had almost 10 years to work on this problem, during which time the requirements have essentially remained unchanged, and we have solved it. Cost doesn't have to be the reason for non-compliance.

The contractors that remain non-compliant will be shut out from future Department of Defense contracts and subject to False Claims Act penalties if they had previously attested to being compliant. 

Now that the DOD has aligned contractor profit incentives with national security interests, we should eventually see fewer breaches like Salt Typhoon. 

The Chinese government has demonstrated its intent and capability to exploit any weaknesses in America’s critical infrastructure. It’s time for contractors to recognize that cybersecurity is more than just a regulatory box to check.

What’s at risk isn’t just contract dollars or company reputations; it’s the safety and security of the United States.