SecurityScorecard Report: 58% of Breaches Impacting Leading U.S. Federal Contractors Caused by Third-Party Attack Vectors

Report highlights the urgent need for federal contractors to address third-party risks as cybersecurity gaps threaten national security

NEW YORK--(BUSINESS WIRE)--SecurityScorecard today released new research revealing that 58% of breaches impacting the top 100 U.S. federal contractors involved third-party attack vectors, highlighting a critical vulnerability in the government supply chain.

In the wake of Chinese state-sponsored threat actors hacking the U.S. Treasury Department via a third-party technology vendor, this report underscores the serious vulnerabilities federal contractors face — from social engineering to persistent supply chain risks. Strengthening cybersecurity across the federal supply chain is no longer optional; it’s a matter of national urgency.

Ryan Sherstobitoff, Senior Vice President of Threat Research and Intelligence at SecurityScorecard, said: “Federal contractors are the backbone of the U.S. Government, but a single weak link can jeopardize the entire federal supply chain. The U.S. Treasury breach is a clear example of the risks we face. Unless the public and private sectors work together to tackle third-party vulnerabilities, national security will remain dangerously exposed.”

Key findings

  • 35% of contractors experienced publicly reported breaches, with 14% having multiple incidents (2–5 breaches each).
  • 58% of breaches involved third-party attack vectors, double the global average of 29%.
  • Ransomware operators accounted for 41.25% of all breaches, with their share rising to 46.5% in third-party incidents.
  • 28% of contractors had at least one observable malware infection or compromised device on their networks in the past year.
  • State-sponsored groups accounted for 35% of attributable breaches, but their role in third-party breaches rose to 39.5%.
  • Application security was the most significant vulnerability for 41% of contractors, far surpassing other categories. Nearly half (46%) of the most impactful security issues originated from this area.

Cybersecurity recommendations for federal contractors

Based on this analysis, the SecurityScorecard STRIKE team offers actionable insights for federal contractors to strengthen cybersecurity:

  • Extend Cyber Maturity Model Certification (CMMC): The CMMC framework ensures contractors meet strict cybersecurity standards. Contractors in defense & national security scored highest in the report, showing the model’s effectiveness. Expanding CMMC to civilian agencies could address vulnerabilities and strengthen federal supply chain security.
  • Prioritize third-party risk management: Current third-party risk management (TPRM) practices should target scenarios where contractor breaches risk exposing U.S. government interests. Streamlined vetting can help prioritize critical risks without overloading review processes.
  • Expand to fourth-party risk management: Many breaches originate from fourth-party vendors used by contractors. Federal agencies should evaluate whether contractors have strong TPRM programs to reduce the risk of cascading vulnerabilities.
  • Require disclosure of breach histories: Requiring contractors to disclose breach histories would improve transparency. While SEC rules cover publicly traded firms, privately owned contractors are not subject to that SEC requirement. This step could enhance vetting processes.
  • Target key security gaps: Application security, DNS health, and patching cadence are critical vulnerabilities. Agencies should prioritize these factors in assessments, starting with public-facing websites and DNS records.
  • Address both criminal and state-sponsored threats: Ransomware groups accounted for 41.25% of attributable breaches in the report, posing a significant risk alongside state-sponsored attacks. Federal contractors must strengthen defenses to address both types of threats effectively.

Methodology

This report evaluates the SecurityScorecard ratings and publicly available breach histories of the top 100 federal contractors for FY2023, highlighting problems and patterns that pose substantial third-party cyber risks to the U.S. Government.

About STRIKE

The STRIKE threat intelligence team combines unique threat intelligence, incident response experience, and supply chain cyber risk expertise. Backed by SecurityScorecard technology, STRIKE is a strategic advisor to CISOs worldwide, empowering the entire digital ecosystem to identify, measure, and resolve cyber risk.

About SecurityScorecard

Funded by world-class investors, including Evolution Equity Partners, Silver Lake Partners, Sequoia Capital, GV, Riverwood Capital, and others, SecurityScorecard is the global leader in cybersecurity ratings, response, and resilience, with more than 12 million companies continuously rated.

Founded in 2014 by security and risk experts Dr. Aleksandr Yampolskiy and Sam Kassoumeh, SecurityScorecard’s patented security ratings technology is used by over 25,000 organizations for enterprise risk management, third-party risk management, board reporting, due diligence, cyber insurance underwriting, and regulatory oversight.

SecurityScorecard makes the world safer by transforming how companies understand, improve, and communicate cybersecurity risks to their boards, employees, and vendors. SecurityScorecard achieved the Federal Risk and Authorization Management Program (FedRAMP) Ready designation, highlighting the company’s robust security standards to protect customer information, and is listed as a free cyber tool and service by the U.S. Cybersecurity & Infrastructure Security Agency (CISA). Every organization has the universal right to its trusted and transparent Instant SecurityScorecard rating. For more information, visit securityscorecard.com or connect with us on LinkedIn.

Contacts

Media Contact
Allison Knight
10Fold for SecurityScorecard
securityscorecard@10fold.com
