{"id":238766,"date":"2026-06-30T00:30:00","date_gmt":"2026-06-30T04:30:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/30\/half-the-defense-base-still-builds-security-around-compliance\/"},"modified":"2026-06-30T01:00:08","modified_gmt":"2026-06-30T05:00:08","slug":"half-the-defense-base-still-builds-security-around-compliance","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/30\/half-the-defense-base-still-builds-security-around-compliance\/","title":{"rendered":"Half the defense base still builds security around compliance"},"content":{"rendered":"<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/30\/federal-cybersecurity-compliance-report\/\">Half the defense base still builds security around compliance<\/a><\/p>\n<p><a href=\"https:\/\/www.helpnetsecurity.com\/2026\/06\/30\/federal-cybersecurity-compliance-report\/\">https:\/\/www.helpnetsecurity.com\/2026\/06\/30\/federal-cybersecurity-compliance-report\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-30 00:30:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.helpnetsecurity.com\">www.helpnetsecurity.com<\/a><\/p>\n<p>CMMC requirements are appearing in defense contracts and moving down through supplier networks to thousands of companies new to this kind of compliance work. Many run on limited budgets with lean security teams. The picture comes from nearly 900 defense contractors, C3PAOs, federal suppliers, and cybersecurity professionals who attended the 2026 Secureframe National Cybersecurity Summit.<\/p>\n<p>Where CMMC adoption stands<br \/>\nAdoption varies across the defense industrial base. A small share have completed third-party certification at Level 2, with 16% certified through a C3PAO in SPRS. 
About a third hold a Level 2 self-assessment, and roughly a quarter hold a Level 1 self-assessment. Close to half have started compliance conversations with their suppliers, a sign that pressure moves down supply chains ahead of formal government enforcement.<br \/>\nCost is the friction point named most often. Just over half called the cost of readiness and assessment prohibitive, at 51%. Assessor inconsistency ranked nearly even with it. For a company that spends heavily on preparation and then meets an assessor who reads the requirements differently, the bill grows.<br \/>\nScope is where many companies get stuck. About one in five have yet to define where their controlled unclassified information lives across their systems. CUI scope is the foundation for every later step, and getting it wrong makes the work that follows harder and more expensive.<br \/>\nThe threats hitting hardest<br \/>\nPhishing remains the threat companies encounter most, named by 65% of respondents as a top impact over the past year. The character of that threat has changed. Autonomous agents now pick targets, write messages, watch for responses, and adjust in real time.<br \/>\nVendor and third-party risk stands out as the largest open gap, named by 58% of respondents as their biggest unresolved weakness. Supply chain compromise was among the most common incidents reported over the past year, and about a quarter said they experienced one.<br \/>\nDefenses for software supply chains run thin. About a third have none of the standard practices in place, such as vendor attestations or secure development policies. SBOM generation sits especially low, used by a small share of respondents. The polling does not point to which companies sit inside that gap. Shrav Mehta, Secureframe\u2019s CEO, told Help Net Security that the survey \u201cdidn\u2019t ask respondents to identify their organization size,\u201d which leaves no way to break that share down by company size from the poll data. 
The weakness shows up across the base, with the data leaving open whether the smallest subcontractors carry more of it.<br \/>\nRob Joyce, the former director of NSA cybersecurity, put it this way: \u201cThe adversary doesn\u2019t care about your headcount, they care about which path to CUI is the easiest. Today, that path runs to the supplier with the part-time MSP, because that CUI is the same, but the defense isn\u2019t.\u201d<br \/>\nConfidence in spotting nation-state activity<br \/>\nConfidence in detecting nation-state intrusions runs low. About 28% described their detection and response capabilities as mature against that level of threat. The campaigns most active against the defense base, including Volt Typhoon and Salt Typhoon, are built to blend in by mimicking the everyday tools IT staff rely on.<br \/>\nGeneral Paul Nakasone, the former NSA director, said: \u201cThere are likely adversaries in your network, and you probably don\u2019t know it.\u201d<br \/>\nGaps in intelligence and awareness<br \/>\nThreat intelligence consumption leans on government feeds. Most respondents draw on CISA alerts and FBI flash reports, which carry an inherent lag. Close to three in ten take part in ISAC sharing, a source that runs more current and more defense-specific. A small share go without structured intelligence of any kind.<br \/>\nAwareness of FedRAMP 20x runs low among this group. More than half were unfamiliar with the program, at 53%, even as most already run workloads in government cloud environments such as Microsoft 365 GCC High. The program changes how cloud providers earn federal authorization, which affects the tools these companies depend on.<br \/>\nCompliance as the starting point<br \/>\nMany security programs are built around the compliance checklist. Close to half said their program runs entirely on compliance requirements or has yet to be defined. 
For small businesses with thin resources, that approach is rational, since it meets contract requirements. Compliance shows whether a company has met a defined set of requirements. Whether those requirements match the threats in front of it is a separate question.<br \/>\nFrom compliance to resilience<br \/>\nCertification captures a moment in time, and the posture it measures drifts as staff turn over, vendors change, and configurations move. About 20% lack a formal process for staying compliant between assessments, which leaves them certified on paper with thin visibility into whether the posture holds. A quarterly internal review against an SPRS score gives smaller teams a starting point.<br \/>\nBracing for AI-driven attacks<br \/>\nAI-powered attacks top the list of concerns for the next two years. The figure reaching 85% is the one point of near consensus across company sizes and roles. That number measures how the defense base views the threat coming at it. Mehta said the survey\u2019s AI data \u201cfocuses on how organizations view AI within the threat landscape rather than their own internal adoption of AI for defensive use.\u201d How far these same companies have brought AI into their own defenses remains an open question.<br \/>\nAgentic frameworks let AI run attack chains from start to finish with little human direction, and vulnerability discovery has been industrialized at a scale no human team can match. The same tools sit within reach of defenders. Joyce told the audience: \u201cThe people that are using AI will outperform those who are not. I don\u2019t care if you\u2019re on offense or defense. Start adopting and integrating them into your workflows because it will help your defense.\u201d<br \/>\nExpanding regulatory requirements also drew strong responses, cited by 48% of respondents. 
Quantum computing concerns ranked high as well, and harvest now, decrypt later collection means data crossing defense networks may already sit in adversary hands.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Half the defense base still builds security around compliance https:\/\/www.helpnetsecurity.com\/2026\/06\/30\/federal-cybersecurity-compliance-report\/ Publish Date: 2026-06-30 00:30:00 Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":238767,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/img.helpnetsecurity.com\/wp-content\/uploads\/2026\/06\/27060121\/compliance-1500.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,24,25,27],"class_list":["post-238766","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-cybersecurity","tag-phishing","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238766"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=238766"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238766\/revisions"}],"predecessor-version":[{"id":238768,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/238766\/revisions\/238768"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/
v2\/media\/238767"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=238766"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=238766"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=238766"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}