According to the hard-to-believe-this-isn't-bullshit department, a report by BitSight ranks Department of Defense contractors' cyber security lower than that of breached retailers and banks (emphasis added):

When measured in aggregate, network controls at breached J.P. Morgan Chase and Home Depot, combined with the rest of the retail and financial sectors, rated higher than the top companies supporting the U.S. military, according to BitSight. It’s important to note that BitSight’s rating is a median score, and some individual companies scored higher.

The defense industrial complex is one of the most regulated sectors in the United States. Similarly, background investigation providers for OPM are congressionally mandated to log access to all databases holding personal information and review the log files daily.

But these paper policies are not working, according to security experts and recent events.

Federal officials say they cannot ascertain the extent of breaches of national security-sensitive data at OPM background checkers, USIS and KeyPoint Government Solutions, because neither had sufficient logs. The widely held assumption is that Beijing’s cyberspies copied employee files, potentially to blackmail U.S. personnel and their contacts.

It almost sounds like BitSight is pandering for more Department of Defense business.