ISI Insights

What Does Mature Cybersecurity Look Like for Defense Contractors?

Written by ISI | May 7, 2026 7:46:10 PM

Executive Brief

Most defense contractors know they need cybersecurity. Fewer understand what "good" looks like today.

The bar has moved. Threat actors are more aggressive, federal requirements demand greater accountability, and primes and contracting officers are paying closer attention to the security posture of the organizations they work with.

What separates organizations that are protected from those that are just covered on paper:

  • A documented, implemented program grounded in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171
  • Leadership ownership, not just IT ownership
  • Controls that are consistently enforced, not selectively applied
  • Evidence that can be produced on demand
  • A posture that evolves with the threat environment

Dig deeper below to learn more.

Why the Cybersecurity Bar Has Moved

A few years ago, the federal government largely took contractors at their word when it came to cybersecurity compliance. The requirements existed, but accountability and validation were limited. Contractors could self-attest, and scrutiny was minimal. That is no longer true.

Several forces are raising the floor at the same time:

  • The Cybersecurity Maturity Model Certification (CMMC) program is now moving into contract enforcement under 48 CFR, making cybersecurity a pass-or-fail eligibility condition
  • The Department of Defense (DoD, also known as the Department of War) is scrutinizing Supplier Performance Risk System (SPRS) scores more closely as a signal of supply chain risk
  • Iran-aligned threat actors and ransomware groups are actively targeting defense contractors and critical infrastructure
  • Prime contractors are flowing down cybersecurity requirements to subcontractors regardless of federal phase-in timelines

The result: what contractors were once trusted to document and implement on their own is now subject to formal validation. The controls themselves have not changed, but how they are enforced and verified has. Accurate documentation and consistent implementation are now the entry-level expectation for organizations handling Controlled Unclassified Information (CUI). For a closer look at how threat activity is evolving, see our Security Advisory on heightened Iran-related cyber risk.

“What was considered good cybersecurity yesterday is woefully insufficient today,” says John Nolan, ISI Vice President of Compliance. “Bad actors are continuously improving their approach, and DoD contractors must follow suit to keep them out.”

What the 'Bare Minimum' Looks Like Now

For organizations that handle CUI or operate within the Defense Industrial Base (DIB), the floor is no longer aspirational. These are the baseline expectations:

1. A Current, Accurate System Security Plan (SSP)

Your SSP must describe how your organization implements all 110 controls and 320 assessment objectives in NIST SP 800-171 Rev. 2. It must reflect what is actually deployed, not what you plan to deploy.

  • Generic or templated SSPs that have not been customized to your environment are not acceptable
  • Assessors validate your SSP against live systems, configurations, and evidence
  • If your SSP is inaccurate, your SPRS score is inaccurate, which creates legal and contract risk

2. Multi-Factor Authentication (MFA) Across the Board

MFA must be enforced on:

  • Email and remote access (VPN)
  • Cloud administration portals
  • Privileged accounts and any system that processes or stores CUI

Gaps in MFA coverage are among the most common findings in CMMC assessments and among the first things threat actors exploit.

3. Endpoint Detection and Response (EDR)

Antivirus alone is not sufficient. Organizations must have EDR deployed across servers and endpoints, with active monitoring. This supports both compliance requirements and real-world defense against ransomware and wiper malware, both of which are increasingly common in the threat environment facing the DIB.

4. Documented and Tested Incident Response

You must have a documented, practiced incident response plan. That means:

  • Clear escalation paths and after-hours contacts
  • Defined roles during a security event
  • A process for preserving logs and evidence
  • A tested recovery capability

An untested plan is not a plan. If you have not run a tabletop exercise in the last 90 days, that is a gap.

5. Immutable, Tested Backups

Backups must be recent, immutable where possible, and tested for restoration. This is non-negotiable in a ransomware environment. Knowing your recovery point objective (RPO) and recovery time objective (RTO) is part of basic operational maturity, not advanced security.

6. Accurate SPRS Score

Your SPRS score is a public-facing signal of your security posture. Primes, contracting officers, and the DoD can see it. A weak or inaccurate score creates risk before the conversation even starts. Learn more about what SPRS scores mean and how they are calculated.

What a Mature Cybersecurity Program Actually Looks Like

Meeting the bare minimum keeps you eligible. A mature program keeps you competitive and resilient.

Here is how mature programs differ from compliant-but-fragile ones:

Leadership Owns It

In a mature organization, cybersecurity is not delegated entirely to IT. Executive leadership is involved in risk decisions, budget alignment, and accountability. This is not just best practice; it is what CMMC requires. See why CMMC is a business risk issue, not just a cyber problem.

Controls Are Consistently Enforced

The difference between compliant and mature is consistency. A mature program applies controls the same way across all environments, users, and systems, not just during assessments. Selective or inconsistent enforcement is one of the most common failure points under audit scrutiny.

Evidence Is Organized and Retrievable

A mature program can produce evidence for any NIST SP 800-171 control on short notice. That means organized logs, current screenshots, training records, and configuration documentation. If evidence retrieval depends on tribal knowledge or takes more than 15 minutes per control, the program is not assessment-ready. This is also a key factor in determining whether a GRC platform is worth the investment.

Plans of Action and Milestones (POA&Ms) Are Managed Honestly

Mature programs do not use POA&Ms to paper over gaps. They use them as legitimate remediation tools with real owners, realistic timelines, and evidence of closure. Understanding what can and cannot be deferred under CMMC is essential to building a credible compliance posture.

The Program Evolves

Threat environments change. Frameworks are updated. Personnel turn over. A mature cybersecurity program is designed to adapt. That means:

  • Regular risk reviews and control assessments
  • Processes for updating documentation when environments change
  • Ongoing security awareness training across all staff
  • A clear owner for each control, not a shared assumption

Security Awareness Training Is Organization-Wide

Technical controls fail when people are not trained to support them. A mature program ensures that security awareness is not a one-time onboarding checkbox. It is an ongoing, role-based process that reaches every employee, not just IT staff.

This includes:

  • Regular training on recognizing phishing and social engineering attempts
  • Clear guidance on how to identify, handle, and report CUI
  • Role-specific training for privileged users and those with access to sensitive systems
  • Documented training records that can be produced as evidence during an assessment
  • Insider threat awareness training that helps employees recognize and report suspicious behavior from within the organization

People are both the biggest vulnerability and the first line of defense. Programs that invest in training see fewer incidents, stronger control enforcement, and less friction during assessments.

Scope Is Intentionally Managed

Mature organizations do not let CUI sprawl. They define where CUI lives, segment environments to reduce exposure, and continuously monitor the boundary. Over-scoping creates cost and complexity. Under-scoping creates audit risk. Managing scope deliberately is a hallmark of a program that is built to last.

Where Organizations Get It Wrong

The gap between compliant and mature is often not technical. It is organizational.

Common patterns that undermine otherwise solid programs:

  • Delegating cybersecurity entirely to IT without executive accountability
  • Treating a CMMC assessment as the finish line rather than a checkpoint
  • Allowing documentation to drift from reality after an assessment
  • Implementing tools without assigning owners or maintaining evidence
  • Assuming that passing one audit means ongoing compliance is secured

None of these are technical failures. They are program failures. The organizations that sustain strong cybersecurity posture treat it as an ongoing operational discipline, not a project with a completion date.

Where to Start

Whether you are building toward CMMC certification, trying to strengthen your overall posture, or responding to increased pressure from primes, the path is the same:

  • Define where CUI lives and flows across your organization
  • Conduct a gap assessment against NIST SP 800-171 and build a realistic remediation roadmap
  • Assign clear ownership of controls across IT, compliance, and leadership, rather than leaving it with IT alone
  • Ensure your SSP reflects your actual environment today, not your intended state
  • Build your evidence collection process before an assessment requires it
  • Review your SPRS score for accuracy and defensibility

Early action creates flexibility. Late action creates constraints. The organizations that are most competitive in the DIB are the ones that treat cybersecurity maturity as a continuous business function, not a one-time compliance exercise.

FAQs

What is the difference between being CMMC compliant and having a mature cybersecurity program?

CMMC compliance means you meet the minimum requirements to be eligible for DoD contracts. A mature cybersecurity program goes further by consistently enforcing controls, maintaining accurate documentation, evolving with threats, and integrating security across leadership and operations, not just IT.

What are the biggest cybersecurity gaps ISI sees in defense contractors?

The most common gaps are inconsistent MFA enforcement, SSPs that do not reflect the actual environment, disorganized or missing evidence, and the absence of executive ownership over cybersecurity risk. These are program and documentation failures as much as technical ones.

Do I need a GRC platform to have a mature cybersecurity program?

Not necessarily. What you need is a repeatable way to manage evidence, assign control ownership, and track remediation. Whether that requires a full GRC platform depends on the size and complexity of your environment. Smaller organizations with limited CUI scope can often manage with structured documentation and lightweight compliance tools.

How often should we reassess our cybersecurity posture?

At minimum, conduct a formal review annually and whenever your environment changes significantly, including new cloud services, personnel turnover, new contract requirements, or system changes. Threat environments change continuously, and your posture should reflect that.