Federal contractors with lax cybersecurity standards may soon regret it.

According to a report issued by security ratings company BitSight on February 15, sensitive US government data is being put at risk by contractors who fail to adhere to even the simplest cybersecurity best practices, like routinely patching old software and switching out passwords.

Data breaches have been reported by 5.6% of all defense contractors and 4.3% of all technology contractors. The worst offenders, as a category, were health care contractors where data breaches stood at 8%. Just two years ago, lapses on the part of the Office of Personnel Management’s security contractors allowed the theft of sensitive personal information on over 21 million federal employees.

Feds Cracking Down

The federal government has begun its crackdown on erring contractors. The Defense Department came out with new cybersecurity guidelines for its contractors last year, and last month the General Services Administration (GSA) updated its own requirements for increased security.

Contractors who fail to shape up can face civil penalties of up to $11,000 per violation. Contractors who are found to have made false statements about their compliance may be laid low with treble damages.

Security Failures

The BitSight report revealed that “botnet infections are prevalent amongst the government contractor base, particularly for Healthcare/Wellness and Manufacturing contractors” and that nearly half of all federal contractors are “not following best practices for network encryption and email security.” Particularly egregious was the substantial use of an outdated and leaky internet browser which was a security nightmare all on its own.

Another area of concern cited in the BitSight report was the limited number of common service providers that form the backbone of the federal contractor system. Webhosting, email services, and DNS services are delivered by a highly-concentrated group that could be the target of attack by any entity seeking to take down the system.

Such a takedown will be catastrophic for the federal security posture, the operation of federal agencies will be compromised, and the delivery of government services would most likely become chaotic.

In the meantime, one takeaway from the new cybersecurity guidelines is that federal contractors will be held to a much stricter timeframe to report data breaches. The Defense Department has specified a 72-hour window between the discovery of a breach and the report to the government.

Perhaps the most significant of the federal government’ initiatives towards greater cybersecurity is the deployment of a new policy from the interagency Committee on National Security Systems (CNSS). Last July, the CNSS touted “an integrated, organization-wide cybersecurity risk management program to achieve and maintain an acceptable level of cybersecurity risk for organizations that own, operate, or maintain national security systems.” CNSS has also emphasized the need for greater mobile security for the federal government.