An independent risk assessment conducted this month found that the security posture of U.S. government contractors was markedly worse than the federal agencies that use these third-party services, suggesting contractors must raise their game and bridge the gap.
The analysis, performed by security ratings firm BitSight, encompassed more than 120 federal agencies, and over 1,200 federal government contractors divided across six different industry sectors. Using its own methodology and grading system, BitSight found that the mean security score for each industry-segmented contractor group was at least 15 points lower than the mean security rating of the 120+ federal agencies.
The six studied contractor industry segments were: aerospace/defense, business services, health care/wellness, engineering, technology, and manufacturing.
A BitSight research report detailing the study further reveals that almost 50 percent of the contractors earned a C grade or worse for failing to adequately adhere to the “Protective Technology” guidelines laid out by the NIST (National Institute of Standards and Technology) Cybersecurity Framework. The engineering sector fared the worst in this respect, with 61 percent of contractors grading out at C or below. (Manufacturing was the next worst industry, with 53 percent scoring a C or worse).
By comparison, only 24 percent of federal agencies scored a C or below, while 38 percent earned an A grade. None of the federal agencies received an F score.
However, federal agencies did not always come out on top: they scored worse than all but two contractor categories — technology and aerospace/defense — for using outdated web browsers.