The US federal government relies on tens of thousands of contractors and subcontractors – sometimes referred to as the federal “supply chain” – to provide critical services, hold or maintain sensitive data, deliver technology and perform key functions. When it comes to their cyber-risk, BitSight has found that the cybersecurity posture of US federal contractors lags far behind that of federal agencies.
In an analysis of 1,200 federal government contractors, the mean BitSight Security Rating for federal agencies was at least 15 points higher than the mean of any contractor sector.
“To some this may be surprising: Some agencies have made public their large data breaches in recent years,” the report noted. “However, many agencies maintain a strong security posture overall and the aggregate performance of agencies has increased steadily. The mean rating for agencies as of January 2018 was 725. This is markedly higher than any of the other sectors of contractors for the US federal government observed in this study.”
The analysis reveals that 8% of healthcare/wellness contractors have disclosed a data breach since January 2016; aerospace/defense firms had the next highest breach disclosure rate at 5.6%. It also reveals that botnet infections are especially prevalent among the government contractor base, particularly for healthcare/wellness and manufacturing contractors.
The report uncovered an issue with best practices, as well: many contractors are simply not following them. On the network encryption and email security front, nearly 50% of contractors have a BitSight grade below C for the “protective technology” subcategory of the NIST Cybersecurity Framework.
Also, nearly one in five users at technology and aerospace/defense contractors have an outdated internet browser, making these employees and their organizations highly susceptible to new variants of malware.
“US government contractors, subcontractors and other third parties can be the cause of significant losses of government data,” the report notes. “Agency leadership must ensure that these organizations are protecting the sensitive government data with which they have been entrusted. Political, technology and civil service leaders within an agency all must be involved in addressing this risk.”