US defence suppliers lag on cybersecurity readiness
Fri, 26th Jun 2026
Secureframe has published its 2026 State of Federal Cybersecurity Report, based on polling of more than 850 defence contractors, subcontractors, assessors and federal suppliers.
The report highlights a gap between meeting formal requirements and maintaining day-to-day security across the US defence supply chain. Many organisations remain exposed because of poor software visibility, limited intelligence sharing and uncertainty around compliance assessments.
One of the clearest findings concerns the software supply chain. More than a quarter of surveyed defence organisations said they had experienced a supply chain compromise in the past year, yet only 13% said they generate a Software Bill of Materials to identify exposure when new vulnerabilities emerge.
Threat intelligence sharing also appears uneven. While 60% of respondents said they consume standard government feeds, only 29% take part in industry-specific threat-sharing groups, leaving many without broader peer-to-peer visibility into current attack methods.
Another weakness lies in data scoping. Just 22% of organisations said they are actively defining where Controlled Unclassified Information sits within their networks, even though that step is widely seen as central to limiting risk, reducing complexity and containing compliance costs.
Cost pressures
The survey found that cost remains a major strain for companies preparing for Cybersecurity Maturity Model Certification reviews. Some 51% cited high readiness costs as a leading burden, and most Level 2 organisations estimated they would need between USD $50,000 and USD $150,000 to prepare.
Assessment consistency was another concern. Half of practitioners said assessors interpret requirements inconsistently, while 44% said they struggle to predict what evidence Certified Third-Party Assessor Organisations will request during reviews.
That combination of expense and uncertainty matters because certification requirements are increasingly flowing down from prime contractors to smaller suppliers. Businesses across the defence industrial base are therefore trying to meet similar demands at the same time, often with varying internal resources and limited specialist staff.
AI concerns
The findings also show widespread concern about AI-driven threats. About 85% of practitioners said they expect AI-powered attacks to affect their organisations within two years, yet only 28% said they feel fully confident in their ability to detect nation-state-level threats today.
The report argues that these pressures are pushing contractors beyond a narrow audit mindset. Rather than treating compliance as a periodic project, organisations are being forced to build continuous security practices into routine operations.
Among the practical steps it identifies, the report highlights reducing the amount of sensitive data inside company systems by isolating Controlled Unclassified Information in dedicated cloud environments that meet government requirements. It also points to earlier engagement with assessors so companies can align on likely evidence demands before formal certification begins.
Secureframe said businesses should treat documentation and evidence gathering as an ongoing process rather than a last-minute exercise before audits. It also recommended wider use of free US government resources, including intelligence sharing, protective DNS and cyber hygiene services.
The report noted that Microsoft 365 GCC High is currently used by 50% of the defence industrial base, suggesting many organisations are already shifting sensitive workloads into more tightly controlled environments. Even so, the survey suggests adoption of supporting practices remains patchy.
The report's strongest comments came from former US cybersecurity officials. Their remarks reflect the view that the weakest supplier can still offer adversaries a route into sensitive data, regardless of the size or maturity of the prime contractor.
"The adversary doesn't care about your headcount, they care about which path to CUI is the easiest. Today, that path runs to the supplier with the part-time MSP, because that CUI is the same, but the defense isn't," said Rob Joyce, former Director of NSA Cybersecurity and former White House Cybersecurity Coordinator.
A second contribution framed certification as a starting point rather than an end state. That view aligns with the report's broader message: many organisations can satisfy baseline rules without achieving the operational awareness needed to respond quickly to emerging threats.
"Compliance is the floor, not the goal. CMMC is just the bare minimum, we did it to get people to start thinking about cybersecurity, to grow, and to continue to work on it," said Stacy Bostjanick.