The federal government relies on tens of thousands of contractors and subcontractors, often referred to as the federal "supply chain," to provide critical services, hold or maintain sensitive data, deliver technology, and perform key functions. Like the federal government itself, these contractors and subcontractors face a multitude of cyber threats.
To perform this assessment, BitSight researchers took a random sample of over 1,200 U.S. federal government contractors across the following industries: Aerospace/Defense, Business Services, Healthcare/Wellness, Engineering, Technology, and Manufacturing. The cybersecurity performance of these contractors was compared with the performance of over 120 U.S. federal agencies.
Comparison of Security Posture
There is a significant gap between the security performance of U.S. federal agencies and that of their contractors. This may be surprising to some, given the large, high-profile breaches of U.S. federal agencies in recent years, but many agencies maintain a strong security posture overall, and the aggregate performance of agencies has increased steadily. The mean rating for agencies as of January 2018 was 725, markedly higher than that of any contractor sector observed in this study.
The spread of BitSight Security Ratings amongst federal agencies and contractors as of February 1, 2018.
Within the federal contractor base, Healthcare/Wellness, Business Services, and Aerospace/Defense were the strongest security performers last year relative to other industries, with ratings between 700 and 710 throughout the year, while Engineering, Technology, and Manufacturing were the weakest performers.
BitSight data shows that the U.S. federal government and its contractor base have pervasive botnet infections on their networks. Several contracting sectors, such as Healthcare/Wellness, Manufacturing, and Engineering, performed significantly worse than government agencies on this measure: 24% of Healthcare/Wellness and Manufacturing contractors have a BitSight botnet grade below B, compared with 15% of U.S. government agencies. A botnet infection means that a host on the organization's network has been compromised and is communicating with attacker-controlled infrastructure, so this data suggests that these organizations have ineffective security programs in place and may be experiencing ongoing data breaches.
What other risks exist within the federal contractor base?