CIO Influence

SecurityScorecard Report: 58 Percent of Breaches Impacting Leading U.S. Federal Contractors Caused by Third-Party Attack Vectors

Report highlights the urgent need for federal contractors to address third-party risks as cybersecurity gaps threaten national security

SecurityScorecard today released new research revealing that 58% of breaches impacting the top 100 U.S. federal contractors involved third-party attack vectors, highlighting a critical vulnerability in the government supply chain.

“Defending the Federal Supply Chain: A Cyber Security Assessment of the Top 100 U.S. Government Contractors”

In the wake of Chinese state-sponsored threat actors breaching the U.S. Treasury Department through a third-party technology vendor, this report underscores the serious vulnerabilities federal contractors face, from social engineering to persistent supply chain risks. Strengthening cybersecurity across the federal supply chain is no longer optional; it is a matter of national urgency.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, said: “Federal contractors are the backbone of the U.S. Government, but a single weak link can jeopardize the entire federal supply chain. The U.S. Treasury breach is a clear example of the risks we face. Unless the public and private sectors work together to tackle third-party vulnerabilities, national security will remain dangerously exposed.”

Key findings

  • 35% of contractors experienced publicly reported breaches, with 14% having multiple incidents (2–5 breaches each).
  • 58% of breaches involved third-party attack vectors, double the global average of 29%.
  • Ransomware operators accounted for 41.25% of all breaches, with their share rising to 46.5% in third-party incidents.
  • 28% of contractors had at least one observable malware infection or compromised device on their networks in the past year.
  • State-sponsored groups accounted for 35% of attributable breaches, but their role in third-party breaches rose to 39.5%.
  • Application security was the most significant vulnerability for 41% of contractors, far surpassing other categories. Nearly half (46%) of the most impactful security issues originated from this area.

Cybersecurity recommendations for federal contractors

Based on this analysis, the SecurityScorecard STRIKE team offers actionable insights for federal contractors to strengthen cybersecurity:

  • Extend Cybersecurity Maturity Model Certification (CMMC): The CMMC framework ensures contractors meet strict cybersecurity standards. Contractors in defense and national security scored highest in the report, showing the model’s effectiveness. Expanding CMMC to civilian agencies could address vulnerabilities and strengthen federal supply chain security.
  • Prioritize third-party risk management: Current third-party risk management (TPRM) practices should target scenarios where contractor breaches risk exposing U.S. government interests. Streamlined vetting can help prioritize critical risks without overloading review processes.
  • Expand to fourth-party risk management: Many breaches originate from fourth-party vendors used by contractors. Federal agencies should evaluate whether contractors have strong TPRM programs to reduce the risk of cascading vulnerabilities.
  • Require disclosure of breach histories: Requiring contractors to disclose breach histories would improve transparency. While SEC rules cover publicly traded firms, privately owned contractors are not subject to that SEC requirement. This step could enhance vetting processes.
  • Target key security gaps: Application security, DNS health, and patching cadence are the most critical areas of weakness. Agencies should prioritize these factors in assessments, starting with public-facing websites and DNS records.
  • Address both criminal and state-sponsored threats: Ransomware groups accounted for 41.25% of attributable breaches in the report, posing a significant risk alongside state-sponsored attacks. Federal contractors must strengthen defenses to address both types of threats effectively.

Methodology

This report evaluates the SecurityScorecard ratings and publicly available breach histories of the top 100 federal contractors for FY2023, highlighting problems and patterns that pose substantial third-party cyber risks to the U.S. Government.
