Black Kite detected several critical vulnerabilities that contractors should address immediately, including:
- Nearly 43% of federal defense contractors have out-of-date systems, contributing to a "D+" rating in patch management
- 42% of contractors have had at least one compromised credential within the past 90 days, and 40 contractors received an "F" in credential management
Black Kite's Ransomware Susceptibility Index™ (RSI™) measures the likelihood of a ransomware attack on a scale from 0.0 (less susceptible) to 1.0 (more susceptible)*.
The top 100 federal contractors averaged an RSI™ of 0.39 but 20% scored above the critical threshold of 0.6. By comparison, earlier Black Kite reports showed that 10% of pharmaceutical manufacturers and 49% of automobile manufacturers were above the critical RSI™ threshold, indicating they were highly susceptible to a ransomware attack.
- The top 100 averaged a "C+" grade for information disclosure
- SSL/TLS strength and application security are both lagging, with an overall "C" grade
Any organization can get a free RSI™ report to review themselves by going to: https://blackkite.com/ransomware-susceptibility/
"Cybercriminals are targeting critical infrastructure more than ever, with each attack having a stronger impact on our national security. The trends we're seeing in our RSI findings are alarming," said Black Kite's Chief Security Officer Bob Maley. "When organizations maintain a continuous view of their cyber risk posture, they are armed with detailed information to protect their most critical assets and controls."
There were several positive findings as the overall security posture of contractors received a "B" grade. Furthermore, when looking at 17% of the Cybersecurity Maturity Model Certification (CMMC) controls needed to maintain high compliance levels, 96% of the contractors were already compliant.
"The September 2025 CMMC deadline is not as far away as it seems," said Maley. "CMMC level one covers basic cyber hygiene that all organizations, both private and public, should have covered. Higher levels offer advanced protection models that will eventually be a security requirement."
About Black Kite
One in four organizations suffered from a cyber-attack in the last year, resulting in production, reputation, and financial losses. The real problem is adversaries attack companies via third parties, island-hopping their way into target organizations. Black Kite is redefining third-party risk management (TPRM) with the world's first global third-party cyber risk monitoring platform, built from a hacker's perspective. With 300+ customers across the globe and counting, we're committed to improving the health and safety of the entire planet's cyber ecosystem with the industry's most accurate and comprehensive cyber intelligence.
While other security ratings service (SRS) providers try to narrow the scope, Black Kite provides the only standards-based cyber risk assessments that analyze your supply chain's cybersecurity posture from three critical dimensions: technical, financial, and compliance.
For more information, contact Adam Benson at [email protected] or 202.999.9104.
SOURCE Black Kite