When a company does business with a government, and especially with that government's defense sector, one would expect security around the engagement to be taken seriously. A recent report from CyberSheath throws cold water on that assumption. DEFENSELESS: A statistical report on the state of cybersecurity maturity across the defense industrial base (DIB) should embarrass the sector and begs the question of why some of these companies are still allowed to do business with the government at all.

The CyberSheath report, conducted by Merrill Research, surveyed 300 US members of the DIB, and its findings are presented as statistically valid at a 95% confidence level. That should give everyone pause, because the results are startling.

US military secrets are "not safe"

CyberSheath CEO Eric Noonan did not mince words: "The report's findings show a clear and present danger to our national security. We often hear about the dangers of supply chains that are susceptible to cyberattacks. The DIB is the Pentagon's supply chain, and we see how woefully unprepared contractors are despite being in threat actors' crosshairs.
Our military secrets are not safe and there is an urgent need to improve the state of cybersecurity for this group, which often does not meet even the most basic cybersecurity requirements."

The statistics cited in the report are startling: many contractors lack 24/7/365 security monitoring, 80% lack a vulnerability management solution, 78% do not use multi-factor authentication (MFA) comprehensively, 73% have no endpoint detection and response (EDR) solution, and 70% have no security information and event management (SIEM) system deployed. Unsurprisingly, 82% of the contractors said the US government's cybersecurity regulations are difficult to understand.

At the recent Acronis Cyberfit conference, CSO met with the company's senior-most executives and a good many managed security service providers (MSSPs). What they described aligns with CyberSheath's data. Acronis CEO Patrick Pulvermueller noted that "complexity is security's menace" and that EDR solutions should be considered part of every cybersecurity implementation. Acronis president Ezequiel Steiner told CSO that supply chain audits should be the norm; to assist its clients, Acronis conducts these audits together with its MSSPs and the MSSPs' clients.

CMMC is at the heart of the issue

At the heart of the matter is the Cybersecurity Maturity Model Certification (CMMC). As we noted in a September 2021 article, some 300,000 entities are striving to be certified under CMMC, and the assessments must be performed by CMMC Third Party Assessment Organizations (C3PAOs) that have themselves been authorized to conduct them. In September 2021 there were four such organizations; as of December 2022, 31 entities have been authorized by the Cyber AB to conduct assessments. To its credit, in October 2022 the Cyber AB subsidiary the Cybersecurity Assessor and Instructor Certification Organization (CAICO) made the Certified CMMC Professional exam available.
A press release described the exam as verifying a "candidate's knowledge of the DoD CMMC framework and the roles and responsibilities of various positions within it."

In August 2022, Coalfire was authorized by the Cyber AB to conduct CMMC assessments for the defense sector. At that time, Coalfire Federal President Bill Malone observed: "Foreign adversaries are escalating attacks on Defense Industrial Base (DIB) organizations, compromising sensitive information and threatening the integrity of weapons systems, platforms, tools, and materiel. CMMC is consistent with our mission and extends our commitment to provide cybersecurity services that enable and protect the mission of the DoD and its supply chain."

The learning curve is steep

CyberSheath vice president of security services Carl Herberger told InfoSecurity: "As the government steps into a realization of this [CMMC] and the laws follow, we hope to see far wider adoption. It's a story of the haves and have nots. Contractors who struggle have successfully grown their businesses without significant technology investments, have not taken advantage of cloud-based economies of scale, and therefore are quite far behind other industries and that learning curve is steep."

To help companies climb that learning curve, firms such as Silvereye are available. Silvereye exists to help companies understand how best to use the services of MSSPs. Cameron Way, founder and chief strategist of Silvereye, explained to CSO at the Cyberfit conference how the firm works with each client to fully define its needs and then helps it acquire the services of the MSSP that best fulfills its cybersecurity requirements. The message Way had for MSSPs in his keynote?
Find a way to consolidate the tools they ask their clients to use, because more tools mean more complications and more problems.

Defense sector CISOs need to step up

CISOs should strive to remove complexity from their cybersecurity implementations. Far too often convenience trumps security, so modern security needs to be convenient and implementable at every level of the organization. Given the above, there is no reason any entity wishing to do business in the US defense sector should not be deploying EDR on its endpoints, implementing 24/7/365 monitoring, having one-step restoration and isolation of compromised portions of its network, and enforcing a comprehensive MFA process. To do otherwise is indeed placing US national security at risk.