The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit of the protection of Controlled Unclassified Information (CUI) on contractor networks. Based on an in-depth review of nine contractors, the audit uncovered some common practices that fall short of the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.
Shortcomings Discovered in DoD Audit
These common lapses include the following, among others:
- Inconsistent tracking of cybersecurity threats
- Failure to consistently mitigate network vulnerabilities
- Uneven use of strong passwords
- Inconsistent use of multifactor identification