Skip to main content
HonestMOS
InvestigationsCongress made VA disability claims free to file. An entire industry charges veterans anyway — and nobody can stop them.
Follow the Money / Cybersecurity

$15 Billion a Year. Still Getting Hacked.

DoD spends approximately $15 billion annually on cybersecurity. CMMC will impose another $27 billion in compliance costs on defense contractors over five years. SolarWinds compromised nine federal agencies — including the NSA — undetected for eight months. OPM lost 21.5 million security clearance files to China while reporting full compliance. The F-35 technical data was stolen through a supply chain subcontractor. The gap between cybersecurity spending and cybersecurity outcomes is not an accident. It is the predictable result of an industry built around compliance rather than protection.

All data from public DoD budget documents, GAO/OIG reports, Congressional testimony, CISA publications, and open-source intelligence assessments.

DoD Cyber Budget (FY2024)
~$15B
Presidential budget request — up from ~$6.7B in FY2016
CMMC Total Compliance Cost
$27B
DoD's own estimate for 5-year contractor compliance burden
OPM Breach — Clearance Files
21.5M
Security clearance records stolen in 2014–15 despite full FISMA compliance
SolarWinds: Federal Agencies Hit
9
Including DoD, Treasury, NSA — none caught by compliance programs
Section 01

The Numbers — What $15B/Year Buys

The DoD cybersecurity budget is not a single line item. It is assembled from dozens of program elements across the services, DISA, CYBERCOM, and research accounts — making it difficult to state with precision and easy to state misleadingly. The ~$15B figure for FY2024 represents the Pentagon Comptroller’s aggregated estimate across all components and is the most commonly cited figure in Congressional testimony. The trajectory tells the story: from approximately $6.7B in FY2016 (already a post-OPM breach baseline) to nearly $15B in FY2024, DoD’s cybersecurity budget has more than doubled in eight years.

DoD Cybersecurity Budget Trajectory
FY2016$6.7BPost-OPM breach baseline
FY2018$8.5BFirst audit cycle; CYBERCOM elevation to unified command
FY2020$9.8BZero Trust strategy drafting begins
FY2022$11.2BPost-SolarWinds remediation included
FY2023$13.5BZero Trust Strategy published; CMMC 2.0 finalized
FY2024~$15BPresidential budget request; largest cyber line in DoD history

What the budget includes — and what it hides — matters for understanding whether the spending produces security. The following breakdown covers the major categories. Note what is absent: contractor compliance costs. The $27B in CMMC compliance burden on the defense industrial base does not appear in DoD’s budget. It appears in contractor overhead rates, which appear in contract prices, which eventually flow back through DoD’s acquisition accounts. The accounting obscures the full cost.

CYBERCOM and Cyber Mission Force~$3B+

U.S. Cyber Command operations, Cyber Mission Force (133 teams, 6,000+ personnel), joint cyber planning and operations. Does not include classified NSA budget line.

DISA Cybersecurity Programs~$2.5B

Defense Information Systems Agency runs JRSS (Joint Regional Security Stacks), SIPRNet and NIPRNet infrastructure security, the DoD Enterprise Cybersecurity Portfolio. The largest single infrastructure spend in the cyber budget.

Service Cyber Commands~$3B

Army Cyber Command (ARCYBER), Fleet Cyber Command (FCC/C10F), 16th Air Force / Air Forces Cyber, Marine Corps Cyberspace Command. Each service runs its own cyber workforce, training pipeline, and defensive operations.

CISA (Federal, not DoD)~$3B

Cybersecurity and Infrastructure Security Agency — technically not DoD but funds overlapping defense-adjacent missions: .gov network monitoring (EINSTEIN/CDM), industrial control system security, federal vulnerability disclosure.

NSA Cybersecurity DirectorateClassified

Established 2019 after merging NSA's defensive and threat intelligence functions. Budget classified. Responsible for releasing public advisories on nation-state TTPs and the new Cybersecurity Collaboration Center with industry.

RDT&E (Research, Development, Test & Evaluation)~$1.5B

Cyber-specific R&D across services and OSD: offensive cyber tool development, defensive platform research, AI-enabled threat detection, quantum-resistant cryptography. Much is classified.

Contractor Cybersecurity ComplianceNot DoD budget — contractor burden

CMMC assessments, NIST 800-171 implementation, C3PAO fees, and consulting costs are borne by the defense industrial base — 300,000+ contractors. This cost doesn't appear in the DoD budget line but is directly caused by DoD policy.

The federal cybersecurity total — adding CISA, NSA unclassified, and other agencies — exceeds $25B annually. This represents the world’s largest government cybersecurity investment. It has not produced commensurate security outcomes. Understanding why requires examining what the money is actually buying.

Section 02

CMMC — The $27 Billion Compliance Machine

The Cybersecurity Maturity Model Certification is DoD’s answer to a real problem: defense contractors were self-certifying cybersecurity compliance they didn’t have. CMMC replaces self-attestation with third-party verification. The program is conceptually sound. The implementation is a $27B industry that has created a certification ecosystem serving its own perpetuation.

What CMMC Is and Why It Exists

The Cybersecurity Maturity Model Certification (CMMC) is DoD's framework for verifying that defense contractors actually implement the cybersecurity controls they have been required to self-attest since 2017. The backstory matters: for years, contractors were required to implement NIST Special Publication 800-171 — a 110-control framework for protecting Controlled Unclassified Information (CUI). They were also required to self-assess their compliance and report a score to the Supplier Performance Risk System (SPRS). The problem: nobody verified these self-assessments. Contractors routinely reported high compliance scores — sometimes perfect 110/110 — while implementing a fraction of the required controls. The Defense Contract Audit Agency and DoD Inspector General documented this gap repeatedly. CMMC version 1.0, announced in 2020, was DoD's response: replace self-attestation with third-party verification by accredited assessors called C3PAOs (Certified Third-Party Assessment Organizations). CMMC 2.0, finalized in 2021 and entering rulemaking in 2023, simplified the framework to three levels and allowed self-attestation at Level 1, while requiring C3PAO assessment at Level 2 (the level covering most defense contractors handling CUI) and government-led assessment at Level 3.

Critical

The $27 Billion Compliance Machine

DoD published a regulatory impact analysis with the CMMC 2.0 proposed rule that estimated the total cost to the defense industrial base over five years at approximately $27 billion. This figure breaks down across three categories: initial assessment and certification costs, ongoing annual review and maintenance costs, and remediation costs for contractors who fail their initial assessments and must implement additional controls before re-attempting certification. The $27B is not DoD spending — it is the cost imposed on defense contractors, which is ultimately passed back to DoD through contract pricing. A contractor that spends $250,000 on a CMMC Level 2 assessment and then $100,000 per year on maintaining compliance will factor those costs into their overhead rates and bid prices. The government pays. DoD's own economic analysis acknowledged this circular cost structure but argued that the security benefits justified the expenditure. The benefits case rests on the assumption that CMMC assessments produce meaningfully more secure contractors — an assumption that the compliance theater record does not fully support.

Concern

Who Pays for the Assessment

A CMMC Level 2 assessment — required for any contractor handling Controlled Unclassified Information, which describes most meaningful defense work — currently costs between $25,000 and $250,000 depending on the size and complexity of the contractor's environment. This range is not a market anomaly; it reflects genuine variation in organizational complexity. A 10-person software shop building a DoD tool may spend $30,000 and two weeks of staff time on assessment. A mid-tier defense contractor with 500 employees, multiple classified facilities, and a complex IT environment may spend $200,000+ and six months of preparation. Assessment costs are paid to C3PAOs — Certified Third-Party Assessment Organizations — which are private companies accredited by the CMMC Accreditation Body (CyberAB). C3PAOs set their own pricing. The assessors who conduct the evaluations must hold individual certifications (CCA, CCP) from CyberAB, which in turn charges for those certifications. The certification ecosystem creates a self-reinforcing revenue stream: contractors pay for assessments, C3PAOs pay CyberAB for accreditation, assessors pay CyberAB for individual certifications, training companies charge for CMMC preparation courses, and consulting firms charge for gap analysis and remediation support. The CyberAB is a 501(c)(6) non-profit, but its executive compensation, operating model, and the ecosystem it has created are structured like a revenue-generating industry.

Critical

The Small Contractor Problem

DoD's defense industrial base includes approximately 300,000 contractors, the vast majority of which are small businesses. The NIST 800-171 controls and CMMC Level 2 requirements were designed with the security needs of the overall defense supply chain in mind — not the organizational capacity of a 5-person machine shop that makes specialized fasteners for an aircraft program. For a small manufacturer with annual DoD revenue of $500,000, a $50,000 assessment plus $80,000 in remediation costs plus $60,000 per year in ongoing compliance represents a cost burden that can make the DoD contract unprofitable or force the company to exit the defense market. This is not a theoretical concern. Industry surveys have consistently found that small and medium-sized defense contractors cite CMMC compliance cost as a significant barrier — some have reported actively declining DoD prime contractor solicitations they would otherwise pursue because the compliance cost eliminates the margin. A defense industrial base that loses its small and mid-tier manufacturers due to compliance burden becomes more concentrated in large prime contractors — which is precisely the opposite of the supply chain resilience DoD says it wants.

Concern

The Timeline Problem — Rules Before Assessors Exist

CMMC has been formally required in defense contracts since the CMMC 2.0 final rule took effect in December 2024, with phased inclusion in contracts beginning in 2025. The problem: the ecosystem of accredited C3PAOs and certified assessors needed to assess 300,000 contractors does not exist at anything close to the required scale. As of late 2024, CyberAB had accredited fewer than 100 C3PAOs, with the assessor pipeline still maturing. Basic queuing math: 100 assessment organizations cannot process 300,000 contractor assessments — even if each assessment takes only one week and each C3PAO can run multiple simultaneous engagements. DoD has handled this by phasing contract requirements gradually, allowing self-attestation at Level 1, and accepting SPRS scores while the C3PAO ecosystem grows. But the phased approach means the "compliance revolution" being marketed to contractors is, in practice, still mostly self-attestation — the same system that produced the false compliance claims CMMC was designed to replace.

Critical

The DOJ Cybersecurity Enforcement Actions

In 2021, the Department of Justice launched the Civil Cyber-Fraud Initiative, using the False Claims Act to pursue contractors who falsely certified cybersecurity compliance while failing to implement required controls. The theory: if a contractor signs a contract that includes cybersecurity requirements and represents compliance in SPRS, they have made a material representation to the government. If that representation is false and the contractor knowingly submitted it, it may constitute fraud. Several major enforcement actions followed. Aerojet Rocketdyne settled for $9M in 2022 after a whistleblower alleged the company had misrepresented its NIST 800-171 compliance — specifically, that internal reviews had found significant gaps that were not disclosed in the SPRS self-assessment. Comprehensive Health Services settled for $930,000 over inadequate cybersecurity at overseas facilities. Penn State University settled for $1.25M over false compliance certifications in research contracts. These settlements establish that false cyber compliance claims carry legal risk. They do not establish that compliance programs actually improve security — they establish that lying about compliance is now more expensive.

CMMC Level 2 Cost Range Per Contractor
$25K–$250K
Initial assessment fee (C3PAO)
300,000+
Defense contractors who must comply
$27B
DoD’s own 5-year total cost estimate
Section 03

Does CMMC Work? Compliance vs. Security

The critical question is not whether contractors implement CMMC controls — they will, because contract vehicles will require it. The question is whether implementing those controls actually makes the defense industrial base more secure against the threats that matter: sophisticated, patient, nation-state adversaries targeting Controlled Unclassified Information in the supply chain.

The Documented Disconnect: Compliance vs. Security Posture

The DoD Inspector General and the Department of Justice Civil Cyber-Fraud Initiative have both documented the gap between NIST 800-171 compliance paperwork and actual security posture. Under the self-attestation regime that preceded CMMC, contractors submitted scores to the Supplier Performance Risk System (SPRS) that routinely overstated compliance. DoD OIG found in a 2023 review that a sample of defense contractors reporting high SPRS scores had not implemented a significant fraction of the NIST 800-171 controls they claimed. The OIG could not determine compliance status for many controls because contractors lacked the documentation the framework requires. Self-attestation had become a checkbox exercise: contractors learned what score to report, not how to implement the controls behind it.

What CMMC Catches vs. What Nation-States Do

CMMC Level 2 verifies implementation of 110 controls covering access control, audit logging, configuration management, incident response, media protection, and other foundational practices. These controls address the basic security hygiene that prevents opportunistic attacks: unpatched software, default credentials, unrestricted network access, lack of logging. They are necessary and valuable for defense against commodity threats.

The nation-state actors that threaten the defense industrial base — APT10, APT40, APT41, Volt Typhoon — do not use commodity attack techniques against CMMC-compliant targets. They use zero-day vulnerabilities, supply chain compromises, social engineering of system administrators, and long-dwell lateral movement in environments where they have already bypassed perimeter controls. No NIST 800-171 control set prevents a zero-day. No compliance assessment detects a patient, credential-based intruder who has been in the network for three months. CMMC improves baseline hygiene among defense contractors. Whether it prevents the breaches that actually matter is a separate question — one that DoD has not answered with evidence.

The False Claims Act Enforcement Experiment

The DOJ Civil Cyber-Fraud Initiative (2021) represents a novel enforcement approach: use the False Claims Act to impose financial liability on contractors who falsely certify cybersecurity compliance. The initial enforcement actions — Aerojet Rocketdyne ($9M settlement), Penn State ($1.25M), Comprehensive Health Services ($930K) — established the legal theory and created deterrence for the most egregious misrepresentations.

The approach has limitations. False Claims Act cases are triggered by whistleblowers with insider knowledge — they do not provide systematic monitoring of compliance. The settlements reached represent a fraction of the compliance costs contractors will incur under CMMC. And the cases to date have involved fairly obvious gaps (contractors who did almost none of the required work, not contractors who implemented 95% of controls but had gaps in the remaining 5%). The enforcement experiment establishes that lying about compliance is now more expensive. It does not establish that compliance programs make contractors meaningfully more secure.

Section 04

Major Breaches Despite the Spending

The pattern across every major DoD-adjacent breach is consistent: the breach exploited seams between compliance programs, not failures within them. The most expensive intrusions — OPM, SolarWinds, the NSA tool theft — all occurred in environments with documented compliance programs. The compliance frameworks caught the wrong things, or nothing at all.

OPM Breach

2014–2015China (APT10)

21.5M security clearance files + 4.2M federal personnel records

Compliance Status at Time of Breach

Full FISMA compliance. OPM received passing scores on federal security assessments.

How It Happened

Spearphishing email compromised a contractor's credentials. Lateral movement through OPM's under-segmented network. Attackers had access for approximately 11 months before discovery. The breach was detected not by OPM's own monitoring but by a contractor's security scan.

Impact

Every person who had applied for a federal security clearance since 1985. SF-86 forms contain the most detailed personal and behavioral information the government collects: addresses, relatives, foreign contacts, financial history, mental health disclosures, past drug use. Counterintelligence analysts assessed this as the most damaging intelligence loss in the history of the U.S. government. China now has a database that can identify every cleared American, their vulnerabilities, their family, and their history.

The Lesson Compliance Missed

FISMA compliance scores measure paperwork. They do not measure whether an attacker can move laterally through your network undetected for nearly a year.

SolarWinds (Sunburst)

2020Russia (SVR, Cozy Bear / APT29)

9+ federal agencies including DoD, Treasury, State, Justice, NSA, and DHS

Compliance Status at Time of Breach

All affected agencies had FedRAMP-authorized tools. EINSTEIN (the government's network monitoring system) did not detect the intrusion.

How It Happened

Supply chain attack: attackers compromised SolarWinds' software build pipeline and inserted malicious code (SUNBURST) into a legitimate software update for the Orion network monitoring platform. When federal agencies updated their SolarWinds software through normal patch management — the very process compliance frameworks require — they installed the backdoor. The attackers had been in SolarWinds' development environment since October 2019.

Impact

Attackers had persistent access to affected agency networks for 8–9 months before discovery. At DoD: the full scope remains partially classified. At Treasury: access to email systems. At DHS: including CISA itself — the agency responsible for federal cybersecurity. The intrusion was discovered not by any government monitoring program but by FireEye (now Mandiant), a private cybersecurity firm that noticed anomalous behavior while investigating a compromise of its own red team tools.

The Lesson Compliance Missed

Supply chain attacks bypass perimeter and endpoint controls entirely. No compliance framework requires verification of software build pipeline integrity. EINSTEIN specifically was designed to monitor network traffic, not software supply chains. The government's network monitoring system was watching for the wrong thing.

F-35 Technical Data

2007–2016 (multiple incidents)China

Technical specifications for radar systems, exhaust cooling, engine schemas, and defensive avionics

Compliance Status at Time of Breach

Lockheed Martin held all required NIST and DFARS cybersecurity certifications. The breach occurred through a subcontractor in the F-35 supply chain.

How It Happened

Multiple intrusions, most notably through a small Australian aerospace subcontractor (later identified in Australian government documents) that held F-35 technical data for its component work. The subcontractor had a security posture far below the prime contractor level. Attackers accessed and exfiltrated terabytes of technical data over an extended period. Australian Signals Directorate assessed that the stolen data was comprehensive enough to enable adversary aircraft designers to understand and potentially defeat the F-35's radar and cooling systems.

Impact

The J-20, China's first stealth fighter, entered service in 2017 and incorporates design features that defense analysts assessed as informed by stolen F-35 data — particularly the engine exhaust nozzles and canopy framing. The program cost the United States hundreds of millions in future countermeasures and intelligence capability loss. The supply chain entry point — a small foreign subcontractor — would not have been covered under the contractor cybersecurity requirements that existed at the time.

The Lesson Compliance Missed

Compliance requirements apply to prime contractors. The supply chain below the prime — thousands of subcontractors, many in allied nations, some with minimal security posture — was effectively unmonitored. A sophisticated adversary will find the weakest link.

CENTCOM Social Media Hack

2015ISIS (ISIL) sympathizers — "CyberCaliphate"

CENTCOM Twitter and YouTube accounts; some unclassified documents

Compliance Status at Time of Breach

Not a classified system breach. Social media accounts lacked two-factor authentication.

How It Happened

Credential compromise of CENTCOM's social media accounts. Not a sophisticated attack — basic credential stuffing or phishing. CENTCOM had not enabled multi-factor authentication on its public-facing social media accounts.

Impact

Immediate embarrassment: the command overseeing operations against ISIS had its social media hijacked by ISIS sympathizers. The documents published were unclassified but included military strategy presentations and officer contact information. The reputational and information operations impact was significant disproportionate to the technical sophistication of the attack.

The Lesson Compliance Missed

Basic hygiene failures cause real damage. Two-factor authentication on social media accounts costs nothing. This was not a nation-state attack with a nine-figure R&D budget behind it — it was a credential compromise that the most basic security practices would have prevented.

Microsoft Exchange Hack

2021China (HAFNIUM / APT40)

250,000+ email servers worldwide; multiple DoD contractor systems affected

Compliance Status at Time of Breach

Affected systems were running authorized Microsoft software. The vulnerability was a zero-day — no patch was available until after exploitation began.

How It Happened

Four previously unknown vulnerabilities (CVE-2021-26855, -26857, -26858, -27065) in on-premises Microsoft Exchange Server allowed unauthenticated code execution and full server compromise. HAFNIUM began exploiting these vulnerabilities in January 2021. Microsoft released emergency patches on March 2, 2021. By that date, tens of thousands of servers had already been compromised — including at defense contractors, research institutions, and government entities operating on-premises Exchange.

Impact

At DoD and contractor level: persistent access to email servers, lateral movement into internal networks, intellectual property exfiltration at multiple defense-adjacent research institutions. The scale of the compromise — 250,000+ servers in the initial exploitation wave — overwhelmed incident response capacity. Many affected organizations did not complete remediation for weeks after the patches were available.

The Lesson Compliance Missed

Zero-day vulnerabilities are undetectable by compliance frameworks. No audit checklist can flag a vulnerability that the software vendor does not know about. The faster response pathway — moving to cloud email platforms with Microsoft managing patching — had been resisted by many DoD and contractor environments due to data classification concerns and accreditation timelines.

NSA Contractor Data Theft

2014–2016 (multiple)Internal — contractor employees

NSA cyber tools, classified exploit code, internal NSA operations data

Compliance Status at Time of Breach

Maximum security clearance, access control, and insider threat programs in place.

How It Happened

Harold Martin, an NSA contractor employee at Booz Allen Hamilton (same employer as Edward Snowden), removed approximately 50TB of NSA data over 20 years — discovered in 2016. Separately, Nghia Pho, an NSA developer, brought classified NSA code home on a personal laptop running Kaspersky antivirus; the Kaspersky software flagged the files and transmitted them to Kaspersky servers in Russia. In 2016–17, the NSA's hacking tool library was stolen and published by the Shadow Brokers — a theft likely connected to the contractor access lapses. The EternalBlue exploit from that leaked library was subsequently weaponized in WannaCry and NotPetya, causing billions in global damage.

Impact

The NSA's cyber arsenal — tools developed at enormous cost and intelligence value — became public and available to criminal groups and nation-states. EternalBlue, originally an NSA exploit, was incorporated into the WannaCry ransomware that hit the UK National Health Service, FedEx, and others causing $4B+ in damages. The indirect cost of the NSA contractor security failures is measured in global economic harm.

The Lesson Compliance Missed

The insider threat is not solved by compliance frameworks. Harold Martin passed every background investigation and clearance renewal for twenty years while removing classified material. The access control systems that compliance frameworks require were in place. They did not catch him.

Section 05

The Contractor Cyber Complex

Cybersecurity in DoD is not primarily a government function. It is primarily a contractor function. The companies that advise DoD on cybersecurity policy are the same companies that profit from the cybersecurity programs that result from that policy. The revolving door between government cyber agencies and the private sector runs faster than in any other domain. Understanding who gets the money explains a great deal about why it is spent the way it is.

Who Gets the Money

The top cybersecurity contractors in the DoD space overlap almost entirely with the top defense contractors generally: Leidos holds multiple major cyber contracts including DISA enterprise services worth billions. Booz Allen Hamilton's cybersecurity practice — including its classified national intelligence work — generates more than $1B in annual revenue; the company employs roughly 29,000 government IT and cyber professionals. Raytheon Intelligence & Space (now RTX's Intelligence & Space segment) has major cyber and signals intelligence contracts across NSA, CYBERCOM, and the service cyber components. SAIC, ManTech, Peraton, Accenture Federal Services, and MITRE all hold significant cyber portfolios. The notable pattern: most of these companies also hold non-cyber defense contracts. Cybersecurity is not a specialty segment — it is vertically integrated into the same companies that build aircraft, manage logistics, and run DoD's base operations. The contractor ecosystem that advises DoD on cybersecurity policy is largely the same ecosystem that profits from the cybersecurity spending that results from that policy.

The Revolving Door in Cyber

The revolving door between government cyber agencies and private contractors runs faster than in any other defense domain. The premium on cleared cyber talent creates a predictable pattern: a signals intelligence analyst or NSA tool developer spends 5–8 years in government, gains clearances and technical skills that are nearly impossible to acquire in the private sector, then exits to a contractor for a salary 2–4 times their government pay. This is rational individual behavior. The systemic consequence is that the government continuously loses its best cyber talent to the private sector, while the private sector — which holds government contracts — effectively re-rents that talent back at contractor rates. CYBERCOM senior civilians, CISA alumni, and NSA directorate leadership are well represented in the executive ranks of the largest cyber contractors. This creates what critics call "institutional capture": the contractors who benefit from cybersecurity spending are staffed by the former government officials who designed the cybersecurity programs those contractors are paid to implement. The advisory boards that recommend policy and the contracting offices that evaluate bids are connected to the same professional networks.

The CISA Advisory Board and Industry Capture

CISA's Cybersecurity Advisory Committee (CSAC) includes representatives from technology companies, telecommunications firms, and cybersecurity vendors — many with direct financial interests in CISA's policy decisions. When CISA recommends that federal agencies adopt specific security architectures, those recommendations create markets for the products and services that implement those architectures. The advisory committee that recommends the policy frequently includes companies positioned to benefit from it. This is not unique to CISA and is not illegal — private sector expertise is genuinely valuable to government policymakers who face a talent deficit. But it creates a structural conflict that has produced specific outcomes: the Continuous Diagnostics and Mitigation (CDM) program, heavily shaped by industry input, generated billions in contracts for the vendors who participated in its design. EINSTEIN, the government network monitoring system built largely to industry specifications, cost over $6B and was assessed by independent evaluators as insufficient to detect modern nation-state intrusions — as SolarWinds demonstrated.

The Cleared Cyber Premium

A cybersecurity professional with an active Top Secret/SCI clearance commands a salary premium of 20–40% over an equally skilled professional without clearance, according to compensation surveys by ClearanceJobs and other cleared talent platforms. For specialized roles — cleared penetration testers, cleared reverse malware engineers, cleared red team operators — the premium can be higher. This premium is a direct subsidy from the government's classification system to cleared contractors. The government pays for the investigation that grants the clearance, pays indirectly for the training that produces the skill, and then pays above-market rates for the cleared contractor who combines both. From a taxpayer perspective, the clearance premium is a cost that would not exist if government cyber talent were retained internally. From a contractor perspective, the clearance premium is a competitive advantage that the classification system maintains artificially.

Major DoD Cybersecurity Contractors (Partial List)
Booz Allen Hamilton
~29K cyber/intel professionals, NSA/CYBERCOM primary contractor
Leidos
DISA enterprise services, multiple CYBERCOM support contracts
Raytheon Intelligence & Space
Signals intelligence systems, NSA tool development
SAIC
DoD IT modernization, cyber operations support
ManTech International
Cyber operations support, intelligence community
Peraton
NSA/NRO contractor ecosystem; acquired DXC U.S. Public Sector
Accenture Federal Services
CISA advisory, CDM program implementation
MITRE
FFRDC; ATT&CK framework, CVE program management (federally funded)
Section 06

CYBERCOM and NSA — The Dual-Hat Structure

U.S. Cyber Command is the military’s primary offensive and defensive cyber organization. It shares a commander, a headquarters, and most of its infrastructure with the National Security Agency. The dual-hat arrangement was a pragmatic decision at CYBERCOM’s founding. Whether it remains appropriate as both organizations have grown is a question Congress keeps revisiting without resolving.

CYBERCOM — What It Is

U.S. Cyber Command was established in 2009 as a sub-unified command under U.S. Strategic Command, elevated to a full unified combatant command in 2018. It is headquartered at Fort Meade, Maryland — the same installation as NSA. The command's publicly acknowledged budget is approximately $3B annually, though portions of its activities are funded through classified programs. CYBERCOM's operational arm is the Cyber Mission Force: 133 teams totaling approximately 6,200 personnel across four mission categories — National Mission Teams (protect critical infrastructure and DoD networks against nation-state attacks), Combat Mission Teams (support combatant commanders with offensive cyber operations), Cyber Protection Teams (defend DoD networks), and Support Teams. The force structure was declared fully operational in 2018, though capability maturity continues to develop.

The Dual-Hat Problem

The CYBERCOM commander simultaneously serves as the Director of the National Security Agency — an arrangement known as the "dual-hat." This has been the subject of ongoing debate since CYBERCOM's establishment. The case for maintaining the dual-hat: NSA and CYBERCOM are co-located, share infrastructure, and have deeply integrated intelligence and operations functions. Separating them would create friction in the intelligence-to-operations pipeline that is central to effective cyber operations. The case against: the two organizations have fundamentally different cultures (intelligence collection versus military operations), different legal authorities (Title 50 intelligence law versus Title 10 military law), and increasingly different missions as CYBERCOM matures. Critics argue the dual-hat allows NSA equities — specifically, NSA's interest in maintaining access to compromised systems for intelligence collection — to constrain CYBERCOM's defensive response to intrusions. When NSA has intelligence value from an adversary's access to a U.S. network, there is an institutional incentive to delay defensive action. Multiple Secretaries of Defense have reportedly considered separating the commands; as of 2026, the dual-hat persists.

Defend Forward — The Accountability Gap

CYBERCOM's publicly stated strategy since 2018 is "defend forward" — conducting operations in adversary networks before attacks reach U.S. systems. The 2018 DoD Cyber Strategy and subsequent CYBERCOM posture statements describe persistent engagement with adversary infrastructure: disrupting attack tools before they are deployed, imposing costs on adversary operators, and maintaining presence in contested networks. What this means in practice is largely classified. The accountability gap is significant: CYBERCOM conducts offensive cyber operations under authorities that are broadly defined, minimally disclosed to Congress, and not subject to public review. The War Powers Resolution, which constrains kinetic military action, does not have a clear analog for cyber operations. When CYBERCOM conducted operations against Iranian infrastructure after the attack on Saudi Aramco (2019), the legal authorities and operational scope were disclosed only partially to Congressional oversight committees, and not publicly at all. The result is a multi-billion-dollar offensive capability operating in near-total opacity.

The Cyber Mission Force Reality

The 133-team Cyber Mission Force represents the U.S. military's primary cyber workforce. The 6,200+ personnel who make up these teams are a combination of military (primarily Air Force and Army Cyber), civilian government, and in some cases contractor personnel embedded in teams. The quality of these teams is uneven. Service members recruited for cyber roles do not always have the technical depth of private sector counterparts — the military training pipeline, while improved, still produces practitioners who need 2–3 years of experience to reach journeyman level in offensive or defensive operations. The retention problem is acute: a Cyber Mission Force operator who has served 4 years and developed meaningful offensive capability can exit to a contractor for double the pay immediately upon separation. The military cyber career field has higher attrition than traditional combat arms because the skills developed are directly transferable to the private sector. CYBERCOM has requested Special Pays and Retention Incentives from Congress to address this; the measures have been partially funded but have not reversed the attrition trend.

Section 07

The Patch Problem — Known Vulnerabilities, Unpatched Systems

The most consistent finding in breach investigations is not zero-day exploitation — it is known vulnerabilities exploited weeks, months, or years after patches were available. DoD systems have a documented patching problem. The causes are structural, the incentives work against rapid patching, and the compliance framework that should address it sometimes makes it worse.

The Documented Statistic Nobody Acts On

Multiple analyses — from Verizon's annual Data Breach Investigations Report to CISA's own Known Exploited Vulnerabilities (KEV) catalog data — consistently find that the majority of successful intrusions exploit vulnerabilities for which patches were available at the time of exploitation. The Ponemon Institute's 2019 study found 60% of breach victims cited a known, unpatched vulnerability as the attack vector. CISA's KEV catalog, launched in 2021, lists vulnerabilities with confirmed evidence of active exploitation and mandates federal agencies patch them within defined timelines. As of 2024, the catalog lists over 1,100 entries. Independent assessments have found that federal agencies — including DoD components — routinely miss KEV remediation deadlines, with some critical vulnerabilities remaining unpatched on government systems 90+ days after mandatory deadlines. The compliance framework requires a patch management program. It does not guarantee patches are actually applied.

Why DoD Systems Don't Patch

The reasons DoD and contractor systems fail to patch known vulnerabilities are well-understood and rarely addressed. Legacy systems: a significant portion of DoD's IT infrastructure runs on operating systems and software that are no longer supported by vendors, meaning patches are not available — only expensive custom maintenance agreements or replacement. Operational availability: combat and mission-critical systems have uptime requirements that preclude the maintenance windows needed for patching. A network operations center monitoring active operations cannot be taken offline for a software update; neither can avionics software on an aircraft in an operational deployment cycle. Testing bureaucracy: in DoD's accreditation framework, software changes — including security patches — require testing before deployment on authorized systems. An emergency patch that Microsoft releases in response to active exploitation may take weeks to move through DoD's test-and-deploy pipeline, during which the vulnerability remains open. IT staffing: the government cyber workforce shortage means that many system administrators are managing too many systems to maintain aggressive patch schedules. A single sysadmin managing 200 systems cannot keep all of them at current patch levels simultaneously.

The KEV Catalog and the Gap

CISA's Known Exploited Vulnerabilities catalog is one of the most actionable cybersecurity tools the federal government has produced. It identifies specific CVEs with confirmed active exploitation and mandates that Federal Civilian Executive Branch agencies remediate them within 2 weeks (for critical) or 6 months (for others). The catalog is free, specific, and prioritized — it addresses the "we don't know what to patch first" problem that organizations cite as a barrier to effective patch management. DoD components are subject to the catalog's requirements. The compliance rate has improved since the catalog's launch but remains below 100%. An independent 2023 assessment by Rezilion found that federal agencies still had a significant percentage of KEV-listed vulnerabilities unpatched at any given time. The challenge is not knowledge — it is the operational and administrative barriers to acting on that knowledge at the scale of DoD's infrastructure. A $15B cybersecurity budget that cannot consistently patch vulnerabilities on a government-maintained list of actively exploited flaws is, on some level, spending money on the wrong things.

Legacy Systems and the Accreditation Trap

DoD's Authorization to Operate (ATO) process — the formal accreditation that certifies a system to operate on DoD networks — creates an unintended barrier to security. To obtain an ATO, a system must be tested and assessed against DISA STIGs (Security Technical Implementation Guides) and other requirements. Once an ATO is granted, it is valid for a period (typically 3 years). When a patch or security update is applied to an accredited system, the change may technically require a reassessment or at minimum documentation in the System Security Plan. In practice, this means that security patches trigger bureaucratic processes — Plan of Action and Milestones updates, ISSM review, ATO amendment requests — that create friction and delay. The result is a perverse incentive: applying a security patch creates compliance documentation burden, so some system owners delay patching to avoid the paperwork. The compliance framework, designed to make systems more secure, has created an incentive structure that in some cases makes patching slower.

The CISA KEV Catalog at a Glance (as of 2026)
1,100+
Vulnerabilities with confirmed active exploitation
2–6 wks
Mandated federal remediation window
<100%
Actual federal compliance rate at any given time
Section 08

Zero Trust — The Next $10 Billion Program, or Real Reform?

DoD’s Zero Trust Strategy (2022) is the most substantive architectural shift in government cybersecurity in a generation. It is also a $15B+ implementation program entering an acquisition environment with a documented history of turning good ideas into compliance theater. Whether Zero Trust becomes genuine security reform or the next CMMC — an expensive compliance exercise that reshapes the vendor market without commensurately improving security — depends on execution choices being made right now.

What Zero Trust Actually Means

Zero Trust is an architectural philosophy, not a product. The core principle, articulated by John Kindervag at Forrester in 2010 and subsequently adopted by NIST in SP 800-207, is that no user, device, or network segment should be automatically trusted based on location. Traditional network security was built on a perimeter model: inside the network is trusted, outside is untrusted. Once an attacker is inside — through a compromised credential, a VPN vulnerability, or a supply chain attack — they can move laterally with minimal friction. Zero Trust replaces this with continuous verification: every access request, from any user on any network, must be authenticated and authorized based on identity, device health, and context. Least-privilege access means users and systems can only reach what they actually need, not everything on the internal network. Micro-segmentation limits lateral movement: even if an attacker compromises one system, they cannot move freely to others. In practice, implementing Zero Trust requires replacing or significantly modifying identity management, network architecture, endpoint management, and logging infrastructure — simultaneously.

DoD's Zero Trust Strategy

DoD published its Zero Trust Strategy in November 2022, setting a target of achieving "Target Level" Zero Trust capabilities across DoD by FY2027 — roughly 90 capabilities across seven pillars (User, Device, Application/Workload, Data, Network/Environment, Automation/Orchestration, Visibility/Analytics). The strategy is unusually specific for a DoD strategic document: it names specific capabilities, assigns responsible organizations, and sets implementation timelines. DISA published the DoD Zero Trust Reference Architecture to provide technical guidance on implementation. The program office estimated implementation costs at $15B+ across the DoD enterprise — roughly a year's worth of the existing cyber budget on top of existing spending, for a multi-year modernization of fundamental infrastructure. As of 2024, implementation progress is mixed: some components (notably DISA and the services' cyber commands) have made meaningful progress on identity and access management modernization; others are still in planning phases.

Zero Trust Washing — The Compliance Theater Risk

The cybersecurity vendor market responded to DoD's Zero Trust mandate with extraordinary speed: within 18 months of the strategy's publication, virtually every major security vendor had rebranded existing products as "Zero Trust" solutions. Firewall vendors sell "Zero Trust Network Access." Identity vendors sell "Zero Trust identity." Endpoint vendors sell "Zero Trust endpoint protection." The problem: many of these products implement some Zero Trust principles in some contexts, but purchasing them does not constitute Zero Trust architecture. An organization can buy every "Zero Trust" product on the market and still have a fundamentally perimeter-based security architecture if the products are not properly integrated and configured. DoD's strategy document acknowledges this risk, explicitly stating that Zero Trust is "not a product to buy" but "a set of capabilities." Whether this framing survives contact with the acquisition process — which buys products, not philosophies — is the central question. CMMC was supposed to end checkbox security. Zero Trust could become the next checkbox.

Who Is Actually Implementing vs. Planning

Honest assessment of DoD Zero Trust progress as of 2026: DISA has made substantive progress on the Identity, Credential, and Access Management (ICAM) pillar — the foundation of any Zero Trust implementation — through the Thunderdome program, which is deploying ZTNA (Zero Trust Network Access) capabilities for classified networks. The Air Force has been cited as a positive example of genuine Zero Trust implementation in specific programs. Army, Navy, and the defense agencies are at various stages of planning, assessment, and early implementation. The honest constraint: achieving meaningful Zero Trust across the entire DoD enterprise — including the legacy systems that cannot support modern identity and access management — within the FY2027 timeline would require a pace of implementation that DoD IT programs have never achieved. The GAO issued a report in 2023 assessing DoD Zero Trust progress as behind schedule on a majority of the 91 tracked activities. That is the expected state for any DoD IT modernization program. The question is whether Zero Trust will be the exception.

DoD Zero Trust Strategy — Seven Pillars
01
User
02
Device
03
Application / Workload
04
Data
05
Network / Environment
06
Automation / Orchestration
07
Visibility / Analytics

DoD targeted achieving ~90 capabilities across these seven pillars by FY2027. GAO (2023) found the majority of tracked implementation activities behind schedule.

Section 09

What Service Members Actually Experience

Cybersecurity briefings talk about nation-states and supply chain attacks. The day-to-day reality for service members is CAC readers that don’t work, three-network friction, and annual phishing tests that everyone treats as a speed-click competition. The gap between the threat model being funded and the security culture being enforced is where most real-world compromise happens.

CAC and the Authentication Friction Tax

The Common Access Card (CAC) is the military's primary identity credential — a smartcard that service members insert into a reader to authenticate to government systems. In theory, CAC authentication is good security: it provides two-factor authentication (something you have + something you know, the PIN) that is significantly stronger than password-only authentication. In practice, the CAC ecosystem generates significant operational friction. Readers fail. Cards expire. Systems that don't recognize a fresh CAC require helpdesk intervention. When a soldier deploys to a location without reliable connectivity, CAC-dependent authentication can fail entirely. The CAC's reliance on PKI certificates means that when a certificate expires or is revoked, the service member loses access until the card is updated — a process that, in some locations and commands, can take days. Service members learn to work around CAC requirements when they can, or to maintain parallel informal systems (unsecured personal devices, shared accounts) to accomplish mission tasks when the official system is unavailable. The security controls designed to protect information sometimes cause service members to route around them entirely.

NIPR/SIPR/JWICS — The Three-Network Reality

DoD operates three primary network enclaves at different classification levels: NIPRNet (Non-classified Internet Protocol Router Network — unclassified), SIPRNet (Secret Internet Protocol Router Network — Secret), and JWICS (Joint Worldwide Intelligence Communications System — Top Secret/SCI). The physical separation of these networks — you cannot copy a file from SIPR to NIPR without an approved transfer process — is a security control that prevents data from moving between classification levels without authorization. The operational reality for a service member who works across multiple classification levels is that they manage multiple separate computers or terminals, multiple separate accounts, multiple separate email systems, and multiple separate applications that do not share data. A staff officer who receives a classified tasking on SIPR and needs to communicate the unclassified portions to a coalition partner on NIPR must manually translate and re-enter information, with every transfer subject to review and approval. The security is real. The cost in time and friction is also real — and is rarely captured in the cybersecurity budget.

Annual Phishing Tests Nobody Believes In

Every DoD-affiliated service member and civilian employee participates in annual cybersecurity awareness training — typically including simulated phishing campaigns where the organization sends fake phishing emails and tracks who clicks. The training is federally mandated, carefully tracked for compliance, and universally regarded by service members with a mixture of eye-rolling and resignation. The training is not ineffective in isolation: click rates on simulated phishing tests do decrease after training. The problem is that the training is designed around a compliance metric (completion rate, click rate reduction) rather than a security outcome (actual resistance to sophisticated spearphishing). The simulated phishing emails that appear in annual training look nothing like the spearphishing emails that nation-states use to compromise DoD systems. APT29's SolarWinds spearphishing was targeted, contextually appropriate, and timed to exploit specific organizational contexts — attributes that no compliance-driven annual training exercise prepares users for. The training that gets checked off is not the training that would have prevented the breaches that happened.

What Actually Gets People's Accounts Compromised

The most common ways DoD personnel actually lose account access or become compromise vectors are not exotic nation-state techniques. They are: password reuse between government and personal accounts (so when a commercial site is breached, the credential works on government systems); phishing emails targeting personal email addresses (which have no EINSTEIN monitoring) and then using stolen personal credentials to access government systems through authorized pathways; personal devices connected to unit WiFi or used to access government systems through BYOD programs; and use of unauthorized cloud storage services (personal Google Drive, Dropbox) to share files that are technically government data. The compliance training teaches users to recognize suspicious email attachments. The actual attack vectors frequently bypass email entirely. The mismatch between the training DoD provides and the threats that actually affect personnel is a documented gap in DoD's awareness program that compliance metrics do not capture.

The Security vs. Mission Tradeoff

Service members at the operational level routinely face decisions that pit security controls against mission requirements. A signals intelligence team deploying to a forward location with limited connectivity cannot wait three days for SIPR helpdesk to resolve a certificate error. A battalion S3 who needs to share a planning product with adjacent units in a time-sensitive situation will use an unclassified channel if the classified channel is down — because the mission comes first. A logistics officer who needs to update a supply system from a location with no approved government device will use a personal device if no alternative exists. These are not failures of individual discipline. They are predictable responses to security controls that were not designed with operational reality in mind. Cybersecurity officials who design controls in government office buildings and then deploy those controls to forward combat environments should not be surprised when the controls are routed around.

The Workaround Problem

Every security control that makes the mission harder creates a workaround incentive. When the workaround is less visible than the control — unsecured personal device instead of broken government device, personal Gmail instead of unavailable NIPR email, USB drive instead of dysfunctional file transfer system — the workaround becomes the actual vulnerability. A $15B cybersecurity program that produces security theater on the surface and workarounds in practice has not improved security. It has made visible controls more robust while pushing actual behavior into the shadows where no compliance program looks.

Section 10

Reform and What’s Actually Working

Not everything is compliance theater. Some cybersecurity initiatives have produced measurable improvement. The programs that work tend to share common features: they align incentives (bug bounties pay for findings, not hours), they address specific, measurable gaps (KEV catalog targets proven exploitation), and they operate at the appropriate level of abstraction (continuous vetting monitors behavior over time, not point-in-time assessments). The reform record suggests that the choice between compliance and security is not binary — but that compliance-first programs reliably underperform security-first ones.

2016Hack the Pentagon Bug BountyWorking

Launched in April 2016 by the Defense Digital Service, Hack the Pentagon was the first federal government bug bounty program — and it was genuinely successful. In the pilot program, 1,400 registered hackers found 138 valid vulnerabilities in DoD public-facing websites over 24 days. Total cost: $150,000 in bounties. The same vulnerability assessment from a traditional government contractor would have cost significantly more and found fewer vulnerabilities — because contracted assessors are paid by the day, not by the finding. Subsequent programs (Hack the Army, Hack the Air Force, DoD Vulnerability Disclosure Policy) have collectively resulted in thousands of vulnerabilities reported and remediated. Bug bounties work because they align incentives: skilled hackers earn money for finding real problems, not for checking boxes. The programs remain modest in scale relative to total cyber spending but represent one of the clearest examples of evidence-based security spending in the DoD portfolio.

2021Continuous Vetting Replacing Periodic ReinvestigationWorking

The OPM breach was partly enabled by a background investigation system that assessed personnel at fixed intervals (typically 5 years for TS) and then considered them "cleared" until the next investigation. A lot can change in 5 years. The National Background Investigation Service (NBIS) and the transition to Continuous Vetting (CV) — which monitors cleared personnel for automated indicators of concern in financial records, criminal databases, and other sources on an ongoing basis — addresses this gap. Continuous Vetting does not replace human judgment; it flags anomalies for human review. But it dramatically compresses the window between when a concerning behavior occurs and when it is visible to security managers. The system has been credited with identifying clearance concerns that would not have surfaced until the next periodic reinvestigation. It is also more cost-effective: automated monitoring at scale is cheaper per person-year than full manual investigations.

2021CISA Vulnerability Disclosure PolicyWorking

CISA's Vulnerability Disclosure Policy (VDP) platform, launched in 2021, gives security researchers a legal and structured pathway to report vulnerabilities in federal agency websites and systems. Before VDP, security researchers who discovered vulnerabilities in government systems faced genuine legal risk — reporting the vulnerability could be interpreted as unauthorized access under the Computer Fraud and Abuse Act. VDP provides a safe harbor for good-faith research and a routing mechanism to get reports to the right agency team. DoD has operated its own VDP since 2016; the CISA platform extended equivalent coverage across all civilian federal agencies. The program costs virtually nothing compared to the intelligence value of the vulnerabilities it surfaces. It is one of the few government cybersecurity initiatives that explicitly inverts the usual dynamic: instead of spending money to tell contractors to assess government systems, the government enables the public to help for free.

2022DIB Cybersecurity Information SharingPartial

The Defense Industrial Base Cybersecurity (DIBNet) program and the voluntary DIB CS Program provide a mechanism for DoD and cleared defense contractors to share threat intelligence — specifically, information about adversary tactics, indicators of compromise, and active campaigns targeting the defense industrial base. When NSA or CYBERCOM observes a nation-state actor targeting defense contractors, they can push threat indicators to participating companies through the DIBNet portal, enabling defenders to hunt for and block those specific threats. Participation is voluntary and the information sharing is not instantaneous, but the program represents a genuine improvement over a model where every contractor independently attempted to understand the threat landscape. The limitation: the program primarily serves mid-to-large contractors with dedicated security teams capable of acting on threat intelligence. The small subcontractors who represent the weakest links in the supply chain — and the ones most often targeted — are the least likely to have the resources to participate effectively.

2023CISA Known Exploited Vulnerabilities CatalogWorking

CISA's KEV catalog is the closest thing the federal cybersecurity community has produced to an actionable, evidence-based prioritization framework. Rather than requiring agencies to assess and prioritize thousands of CVEs themselves — a task that overwhelms under-resourced security teams — the catalog identifies the specific vulnerabilities with confirmed active exploitation and mandates remediation timelines. The catalog is free, updated continuously, and machine-readable for integration into security automation. Independent assessments have found that agencies focusing on KEV remediation get more security value per dollar than those following traditional vulnerability scoring (CVSS) alone — because CVSS scores measure theoretical severity, while KEV tracks actual exploitation. The catalog is not sufficient alone (it doesn't address zero-days by definition), but it is the most practical tool DoD and federal agencies have for prioritizing patch management against real-world threats.

2023Software Bill of Materials (SBOM) RequirementsPartial

In response to the SolarWinds supply chain attack, the Biden administration's May 2021 Executive Order on Improving the Nation's Cybersecurity mandated that software vendors selling to the federal government provide a Software Bill of Materials — a machine-readable inventory of all software components, including open-source libraries, that make up their product. The idea: if you know what's in your software, you can quickly assess whether a newly discovered vulnerability affects you. CISA developed SBOM standards and DoD began incorporating SBOM requirements into contracts. As of 2024, implementation is partial — large prime contractors are beginning to produce SBOMs for new deliverables, but the supply chain below the prime (sub-tier suppliers, open-source components) remains largely untracked. SBOM is directionally correct but technically complex to implement at scale, and the government lacks the tooling to process and act on the SBOMs it is beginning to collect.

The Talent Pipeline Problem

The Shortage

The global shortage of qualified cybersecurity professionals is estimated at 3.5 million unfilled positions by 2025, according to (ISC)² research. The DoD shortage is acute within that global context. Government pay scales for cyber positions are below private sector equivalents for comparable skills — particularly at the senior practitioner level where the most valuable offensive and defensive skills reside. DoD has attempted to address this through special pay authorities (Special Bonus and Special Pay for Cyber Workforce), expanded ROTC and service academy cyber programs, and initiatives like CyberCorps: Scholarship for Service (which funds college students in exchange for government service commitments). These measures have had modest effect on the pipeline. The fundamental economics work against the government: a mid-career penetration tester who would earn $180,000 at a major consulting firm will earn $120,000 in a comparable GS-14 position — and the government cannot close that gap without comprehensive pay reform.

What the Budget Buys Instead

The cybersecurity budget gap between skilled people and available funding is filled primarily by contractors. A contractor penetration tester or security engineer costs the government 2–3x what a direct-hire government employee would cost (fully loaded contractor labor rates include overhead, G&A, and profit). The government buys contractor labor in part because it cannot hire and retain the direct-hire workforce it needs. The result is a system that spends more money to get less control: contractors work the contract, then move to the next one; institutional knowledge walks out the door with them; the government program managers who oversee contractor work often lack the technical background to evaluate what they're getting. This is not a contractor problem — it is a workforce policy problem. The cybersecurity talent shortage cannot be solved by spending more money on contractors who are themselves constrained by the same shortage. It requires structural changes to government compensation, career paths, and hiring speed that Congress has been unwilling to make.

Commercial vs. Government Security

The commercial sector's approach to cybersecurity differs from DoD's in ways that are instructive. Large commercial technology companies — Apple, Google, Microsoft, Amazon — invest heavily in security because breaches carry immediate, measurable reputational and financial costs. They run continuous deployment of security updates, employ bug bounty programs at scale, require hardware security features in all new devices, and build security into product architecture from the start (secure by design). DoD's procurement and deployment timelines operate on a different schedule: new systems take years to field, security requirements are added to existing procurement rather than baked into architecture, and the accountability for breaches is diffuse enough that no individual program manager bears the full cost of a security failure. The commercial sector's advantage is not more money — it is tighter feedback loops between security investment and security outcome. The government's compliance framework creates the illusion of accountability (were the controls implemented?) without the substance (did the controls prevent a breach?).

Frequently Asked Questions

Is the DoD cybersecurity budget actually $15 billion?

The FY2024 Presidential budget request for DoD cybersecurity activities was approximately $14.9B, commonly rounded to ~$15B. This figure includes CYBERCOM operations, DISA cybersecurity programs, service cyber commands, and R&D investments. It does not include classified NSA programs or the contractor compliance costs (CMMC) imposed on the defense industrial base. The $25B+ figure sometimes cited for "federal cybersecurity spending" adds CISA, NSA unclassified programs, and other non-DoD agencies.

Does CMMC actually make contractors more secure?

The honest answer is: probably somewhat, but far less than the compliance cost suggests. CMMC Level 2 requires third-party verification of NIST 800-171 implementation — which is meaningfully better than the self-attestation it replaces, since many contractors were self-reporting compliance they did not have. Whether implementing NIST 800-171 controls actually prevents sophisticated nation-state attackers from stealing data is a different question. OPM was fully FISMA compliant. SolarWinds affected FedRAMP-authorized environments. Compliance frameworks catch hygiene failures and basic misconfigurations. They are not designed to stop advanced persistent threat actors with nation-state resources.

What was the OPM breach and why does it matter?

21.5 million people who had applied for federal security clearances had their SF-86 forms stolen — detailed applications including every address they'd lived at, every foreign contact, financial history, mental health information, past drug use, and family relationships. The SF-86 is designed to surface vulnerabilities that would make someone a counterintelligence risk. China now has a database of the exact vulnerabilities of every cleared American who applied for a clearance since 1985. Defense and counterintelligence officials have called it the most damaging intelligence loss in U.S. history.

What is the dual-hat arrangement between CYBERCOM and NSA?

The CYBERCOM commander simultaneously serves as the Director of the National Security Agency — one person leads both organizations. The arrangement has been in place since CYBERCOM's founding and reflects the co-location, shared infrastructure, and integrated intelligence-operations relationship between the two organizations. Critics argue the dual-hat creates conflicts between NSA's intelligence collection equities (wanting to preserve access to compromised systems for intelligence value) and CYBERCOM's defensive mission (wanting to eject adversaries from U.S. networks). Congress has repeatedly debated separating the commands; as of 2026, the dual-hat persists.

Why does DoD keep getting breached despite the spending?

Several reasons, none satisfying: (1) The spending is disproportionately on compliance — verifying that controls exist — not on operational security — whether those controls stop real attacks. (2) The biggest breaches (SolarWinds, OPM) exploited gaps between compliance silos, not failures within any individual compliant system. (3) Supply chain attacks are nearly impossible to prevent through current compliance frameworks. (4) The DoD cyber workforce is chronically understaffed and under-compensated relative to private sector competitors. (5) Legacy systems that cannot be patched or modernized remain in the attack surface indefinitely.

The Bottom Line

$15 Billion and the Wrong Model

DoD cybersecurity spending has more than doubled since 2016. The major breaches have continued. SolarWinds. The Microsoft Exchange zero-days. The NSA tool theft that produced EternalBlue, which was weaponized in WannaCry. The F-35 technical data. These are not random failures. They are the predictable outcomes of a security architecture built around compliance verification rather than threat-driven defense.

Compliance frameworks — FISMA, CMMC, DISA STIGs, FedRAMP — measure the presence of controls. They do not measure whether those controls stop sophisticated adversaries. OPM was compliant. The 21.5 million clearance files are now in Beijing. The compliance industry — C3PAOs, training companies, consulting firms, certification bodies — generates revenue from the compliance process regardless of whether compliance produces security. The contractor ecosystem that advises DoD on cybersecurity policy profits from the cybersecurity spending that results from that advice.

The programs that work — Hack the Pentagon, Continuous Vetting, the KEV catalog — share a common feature: they measure security outcomes, not compliance artifacts. Bug bounties pay for vulnerabilities found, not forms completed. Continuous Vetting detects behavioral anomalies, not static posture. KEV tracks active exploitation, not theoretical severity. These programs are small relative to the total cyber budget. They are more effective per dollar than most of what surrounds them.

The cybersecurity problem is not a budget problem. It is a model problem. More money flowing through the same compliance-oriented model produces more compliance. Whether it produces more security is a different question — one that the $15B/year budget process is structurally disinclined to answer honestly.

Related Intelligence
Intel Brief

Weekly intel from the ranks. No spam. Unsubscribe anytime.

Data sources: DoD Comptroller FY2024 budget request and cybersecurity investment summary; GAO reports on federal cybersecurity (GAO-23-105256, GAO-22-104982, and prior years); DoD OIG contractor cybersecurity assessments; DoD Zero Trust Strategy (2022) and DISA Zero Trust Reference Architecture; CMMC 2.0 regulatory impact analysis and proposed rule (Federal Register 2023); CISA Known Exploited Vulnerabilities catalog; Congressional Research Service analyses of CYBERCOM, NSA, and CISA budgets; Senate Armed Services Committee testimony transcripts; Verizon Data Breach Investigations Report (DBIR) 2023; (ISC)² Cybersecurity Workforce Study 2023; public court filings and DOJ press releases for False Claims Act enforcement actions. Program attribution for SolarWinds (APT29/SVR) per joint advisory from CISA, FBI, NSA, and international partners (2021). OPM breach attribution (China/APT10) per OPM Director Congressional testimony and open-source intelligence consensus. F-35 supply chain exfiltration per Australian Signals Directorate public statements and U.S. Congressional testimony. All unclassified — no classified sources used or implied.

← Back to Spending Hub