Contractor Cybersecurity Gaps Put U.S. Federal Government at Risk

New BitSight Insights report finds significant discrepancy between the cybersecurity performance of federal agencies and their contractors

BitSight, the Standard in Security Ratings, today released a new BitSight Insights report titled, “Beyond Uncle Sam: Analyzing the Security Posture of U.S. Government Contractors and Subcontractors,” which examines the security performance of the federal government and the cyber risk third-parties, contractors, and subcontractors pose. The findings reveal that the cybersecurity performance of government contractors lags federal agency performance in a number of categories, placing sensitive government data at risk.

“Tens of thousands of government contractors hold sensitive data or perform services on behalf of federal agencies. The U.S. government must be focused on evaluating, monitoring and improving the cyber hygiene of these contractors,” said Jacob Olcott, VP of Strategic Partnerships at BitSight. “Recent contractor regulations, like the new DOD requirements, are a start, but are too focused on check-the-box compliance. Cyber is a dynamic risk. By leveraging objective data and continuously monitoring the supply chain, the federal government will better comprehend the danger within its own ecosystem and begin to meaningfully mitigate this risk.”

BitSight researchers sampled over 1,200 U.S. federal government contractors across industries including aerospace and aviation, business services, healthcare and wellness, engineering, technology, and manufacturing, who provide critical products and services directly to the federal government and are central to national security, the national and global economy, and the environment. These organizations were compared to the performance of over 120 U.S. federal agencies.

Key Findings

• The mean BitSight Security Rating for federal agencies was 15 or more points higher than the mean of any contractor sector researched, indicating a security performance gap between the U.S. federal government and its contractor base.
• Over 8% of healthcare and wellness contractors have disclosed a data breach since January 2016; Aerospace/Defense firms had the next highest breach disclosure rate at 5.6%.
• While the U.S. federal government has made a concerted effort to fight botnets in recent months, botnet infections are prevalent amongst the government contractor base, particularly for healthcare and manufacturing contractors.
• Nearly 50% of contractors have a BitSight grade below C for the Protective Technology subcategory of the NIST Cybersecurity Framework, a sign that many are not following best practices for network encryption and email security.
• Nearly one in five users at Technology and Aerospace/Defense contractors have an outdated internet browser, making these employees and their organizations highly susceptible to new variants of malware.

Using evidence of security incidents from networks around the world, the BitSight Security Ratings Platform applies sophisticated algorithms to produce daily security ratings for organizations, ranging from 250 to 900, where higher ratings equate to lower risk. Previous studies from BitSight, independently verified by third parties, show that companies with a Security Rating of 500 or lower are nearly five times as likely to experience a publicly disclosed breach than companies with a Security Rating higher than 700. Studies also show that organizations with a higher frequency of botnet infections, actual system compromises, experience a higher likelihood of breach.

To download a full copy of the BitSight Insights report, including recommendations based on the findings, visit http://bitsig.ht/2FP6j2L.

About BitSight

BitSight is transforming how companies manage information security risk with trusted, time-tested and actionable security ratings. Founded in 2011, the company built its Security Ratings Platform to continuously analyze vast amounts of external data on security issues and behaviors in order to help organizations manage third party risk, underwrite cyber insurance policies, benchmark performance, conduct M&A due diligence and assess aggregate risk. Organizations worldwide, including seven of the top 10 cyber insurers, 20% of Fortune 500 companies, and 3 of the top 5 investment banks use BitSight’s proven Security Ratings technology on a daily basis to make integral risk and business decisions. With over 1,000 customers and the largest ecosystem of users and information, BitSight is the most widely used Security Ratings Service. For more information, please visit www.bitsighttech.com, read our blog or follow @BitSight on Twitter.