Federal cybersecurity report flags supply chain gaps

Thu, 25th Jun 2026
Mark Tarre, News Chief

Secureframe has released its 2026 State of Federal Cybersecurity Report, based on polling of more than 850 defence contractors, subcontractors, assessors and federal suppliers.

The findings point to gaps in software supply chain visibility, threat intelligence sharing and preparedness for AI-driven attacks across the US defence industrial base.

More than a quarter of defence organisations surveyed said they experienced a supply chain compromise in the past year. Yet only 13% said they generate a Software Bill of Materials to identify software components and track exposure when vulnerabilities emerge.

Threat intelligence sharing also appeared limited beyond standard official channels. While 60% of respondents said they consume standard government feeds, only 29% said they participate in industry-specific threat-sharing groups.

That leaves many organisations with a narrower view of active threats, particularly in a supply chain where prime contractors and smaller suppliers have different levels of technical and staffing resources.

Another issue highlighted in the data was the handling of Controlled Unclassified Information. Just 22% of organisations said they are actively defining where that information sits within their networks, a step the report identifies as central to reducing complexity and controlling security costs.

Cost pressures

The survey found that compliance preparation remains expensive for many organisations seeking Cybersecurity Maturity Model Certification. Some 51% cited high assessment readiness costs as a leading burden, with most Level 2 organisations estimating they need between USD 50,000 and USD 150,000 to prepare.

Participants also described uncertainty around the assessment process. Half of practitioners said assessors do not always interpret requirements consistently, while 44% said they struggle to predict what evidence certified third-party assessor organisations will request.

Those findings suggest cost is being compounded by process risk, especially for suppliers that must allocate limited time and staff to preparing for reviews.

AI concerns

Concerns over emerging threats featured heavily in the results. Secureframe found that 85% of practitioners expect AI-powered attacks to affect them within two years, but only 28% said they feel fully confident in their ability to detect nation-state-level threats today.

The report also included remarks from former US cybersecurity officials on the pressure facing contractors across the defence supply chain.

"The adversary doesn't care about your headcount, they care about which path to CUI is the easiest. Today, that path runs to the supplier with the part-time MSP, because that CUI is the same, but the defense isn't," said Rob Joyce, Former Director of NSA Cybersecurity and Former White House Cybersecurity Coordinator.

The report argues that organisations need to stop treating compliance as a periodic exercise and instead embed it in day-to-day operations.

It recommends that contractors reduce the scope of sensitive systems by isolating Controlled Unclassified Information in secure cloud environments designed for government use. It also recommends engaging assessors earlier, maintaining documentation continuously rather than only before an audit, and making greater use of no-cost threat intelligence and cyber hygiene services offered by US government bodies.

One data point in the study showed that Microsoft 365 GCC High is used by 50% of the defence industrial base surveyed, indicating how widely government-specific cloud environments are already used among contractors.

Another recommendation focused on improving routine evidence collection so organisations are not assembling material at the last minute before certification assessments. The report presents that as a practical way to reduce disruption and limit the uncertainty that comes with formal reviews.

It also points to underused government support programmes, including services from the NSA Cybersecurity Collaboration Centre and the Cybersecurity and Infrastructure Security Agency, as a way for contractors to improve visibility without adding direct cost.

"Compliance is the floor, not the goal. CMMC is just the bare minimum, we did it to get people to start thinking about cybersecurity, to grow, and to continue to work on it," said Stacy Bostjanick, Former Director of CMMC Policy, DoD.