Security ratings firm BitSight recently released a report citing a gap in cybersecurity performance between the U.S. Government and contractors. 

The report was the result of a comparative security assessment between 1,212 randomly selected government contractors and 122 federal agencies. The assessment found that federal agencies were at least 15 points better than the mean for government contractor security ratings, albeit on a broad scale of 250 to 900.

The study found that almost half of all contractors were graded “below C” for Protective Technology countermeasures recommended by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The overall highest scoring industries were aerospace and defense, business services, and health care; while the technology, engineering, and manufacturing sectors were the lowest. Specific to data breaches, the health care industry fared the worst among all sectors with 8 percent reporting a breach since 2016. This was closely followed by the aerospace and defense industry with 5.6 percent reporting a breach.

The report attributed low cybersecurity scores in part to deficient network encryption, lack of email protection, and outdated internet browsers.  

Of potential interest to contractors, the report also made recommendations to federal agencies regarding cybersecurity gaps existing in industry. BitSight encouraged agencies to conduct cybersecurity audits of potential contractors, as well as requiring prime contractors to more strictly monitor subcontractors’ adherence to cybersecurity requirements beyond mere “flow down” requirements of current contract clauses. Lastly, BitSight cautioned government to closely monitor risks posed by technology services and cloud computing services. 

These findings may further sharpen the U.S. Government’s focus on enhancing cybersecurity among its supply chain, and highlight the importance of assessing cybersecurity risk within contractors’ business operations. 

 

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kate M. Growley, CIPP/G, CIPP/US Kate M. Growley, CIPP/G, CIPP/US

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory…

Kate M. Growley (CIPP/US, CIPP/G) is a director in Crowell & Moring International’s Southeast Asia regional office. Drawing from over a decade of experience as a practicing attorney in the United States, Kate helps her clients navigate and shape the policy and regulatory environment for some of the most complex data issues facing multinational companies, including cybersecurity, privacy, and digital transformation. Kate has worked with clients across every major sector, with particular experience in technology, health care, manufacturing, and aerospace and defense. Kate is a Certified Information Privacy Professional (CIPP) in both the U.S. private and government sectors by the International Association of Privacy Professionals (IAPP). She is also a Registered Practitioner with the U.S. Cybersecurity Maturity Model Certification (CMMC) Cyber Accreditation Body (AB).

Photo of Michael G. Gruden, CIPP/G Michael G. Gruden, CIPP/G

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked…

Michael G. Gruden is a counsel in Crowell & Moring’s Washington, D.C. office, where he is a member of the firm’s Government Contracts and Privacy and Cybersecurity groups. He possesses real-world experience in the areas of federal procurement and data security, having worked as a Contracting Officer at both the U.S. Department of Defense (DoD) and the U.S. Department of Homeland Security (DHS) in the Information Technology, Research & Development, and Security sectors for nearly 15 years. Michael is a Certified Information Privacy Professional with a U.S. government concentration (CIPP/G). He is also a Registered Practitioner under the Cybersecurity Maturity Model Certification (CMMC) framework. Michael serves as vice-chair for the ABA Science & Technology Section’s Homeland Security Committee.

Michael’s legal practice covers a wide range of counseling and litigation engagements at the intersection of government contracts and cybersecurity. His government contracts endeavors include supply chain security counseling, contract disputes with federal entities, suspension and debarment proceedings, mandatory disclosures to the government, prime-subcontractor disputes, and False Claims Act investigations. His privacy and cybersecurity practice includes cybersecurity compliance reviews, risk assessments, data breaches, incident response, and regulatory investigations.