
Analyzing Security Ratings of U.S. Federal Agencies & Government Contractors

Noah Simon | February 20, 2018

The federal government relies on tens of thousands of contractors and subcontractors — often referred to as the federal “supply chain” — to provide critical services, hold or maintain sensitive data, deliver technology, and perform key functions. Along with the Federal Government itself, these contractors and subcontractors face a multitude of cyber threats.


In response, U.S. federal agencies have expanded, or are considering expanding, cybersecurity requirements for their contractor base and are adopting best practices for evaluating and monitoring those entities. While the Department of Defense (DOD) has recently tightened its requirements, the General Services Administration (GSA) is planning to follow suit and require that contractors meet guidelines set by the National Institute of Standards and Technology.

In our recently published BitSight Insights, BitSight researchers set out to understand the security performance of government contractors. (BitSight recently performed a similar study with Financial Service organizations and their supply chain). What is the cybersecurity performance of U.S. federal contractors, and how does that compare to the performance of U.S. federal agencies?

To perform this assessment, BitSight researchers took a random sample of over 1,200 U.S. federal government contractors across the following industries: Aerospace/Defense, Business Services, Healthcare/Wellness, Engineering, Technology, and Manufacturing. The cybersecurity performance of these contractors was compared with the performance of over 120 U.S. federal agencies.

Comparison of Security Posture

There is a significant gap between the security performance of U.S. federal agencies and their contractors. To some this may be surprising, given the large, high-profile breaches of U.S. federal agencies in recent years. Yet many agencies maintain a strong security posture overall, and the aggregate performance of agencies has increased steadily. The mean rating for agencies as of January 2018 was 725, markedly higher than that of any contractor sector observed in this study.

[Figure 1: headline ratings]

The spread of BitSight Security Ratings amongst federal agencies and contractors as of February 1, 2018.

Within the federal contractor base, Healthcare/Wellness, Business Services, and Aerospace/Defense were the strongest security performers last year relative to other industries, with ratings between 700 and 710 throughout the year, while Engineering, Technology, and Manufacturing were the weakest performers.

Prevalence of Botnet Infections

In May 2017, President Trump released an Executive Order on Cybersecurity that called upon the Secretaries of Commerce and Homeland Security to dramatically reduce botnets across the internet. Previous BitSight research has consistently shown that botnets (and other forms of compromised systems) increase the likelihood of a publicly disclosed breach: organizations with a BitSight botnet grade of B or lower are more than twice as likely to experience a data breach. Botnets can deliver high-volume network attacks and distribute spam and malware to organizations.

[Figure 3: botnet grade distribution]

BitSight data shows that the U.S. federal government and its contractor base have pervasive botnet infections on their networks. Several contracting sectors — such as Healthcare/Wellness, Manufacturing, and Engineering — performed significantly worse than government agencies: 24% of Healthcare/Wellness and Manufacturing contractors have a BitSight botnet grade below B, while 15% of U.S. government agencies perform below a B. This data suggests that these organizations have ineffective security programs in place and may be experiencing ongoing data breaches.

What other risks exist within the federal contractor base?

Download the BitSight Insights report to learn which other cyber risks exist amongst the federal contractor base.

