Twenty percent of America’s 100 largest defense contractors are highly susceptible to a ransomware attack, according to research from Black Kite.
Several critical weaknesses were detected that contractors should address immediately, including:
- Nearly 43% of federal defense contractors have out-of-date systems, contributing to a “D+” rating in patch management
- 42% of contractors have had at least one compromised credential within the past 90 days, and 40 contractors received an “F” in credential management
Ransomware susceptibility high for defense contractors
The top 100 federal contractors averaged a Ransomware Susceptibility Index (RSI) score of 0.39, but 20% scored above the critical threshold of 0.6. By comparison, earlier reports showed that 10% of pharmaceutical manufacturers and 49% of automobile manufacturers were above the critical RSI threshold, indicating they were highly susceptible to a ransomware attack.
- The top 100 averaged a “C+” grade for information disclosure
- SSL/TLS strength and application security are both lagging, with an overall “C” grade
“Cybercriminals are targeting critical infrastructure more than ever, with each attack having a stronger impact on our national security. The trends we’re seeing in our RSI findings are alarming,” said Black Kite’s CSO Bob Maley.
“When organizations maintain a continuous view of their cyber risk posture, they are armed with detailed information to protect their most critical assets and controls.”
Contractors showing high compliance levels
There were several positive findings, as the overall security posture of contractors received a “B” grade. Furthermore, when looking at the 17% of Cybersecurity Maturity Model Certification (CMMC) controls needed to maintain high compliance levels, 96% of the contractors were already compliant.
“The September 2025 CMMC deadline is not as far away as it seems,” said Maley. “CMMC Level 1 covers basic cyber hygiene that all organizations, both private and public, should have covered. Higher levels offer advanced protection models that will eventually be a security requirement.”