In an article published by Law360, we examined a report issued by the U.S. Department of Defense (DoD) Inspector General on July 23, which summarizes the findings of an audit into the protection of controlled unclassified information (CUI) on contractor networks.
The DoD reviewed nine contractors’ information systems and found deficiencies that fall short of the standards set forth in National Institute of Standards and Technology (NIST) Special Publication 800-171. The deficiencies identified include: not mitigating vulnerabilities on their networks and systems, not scanning their networks for vulnerabilities, not mitigating high vulnerabilities identified in the contractors’ vulnerability management programs, and more.
To address these deficiencies, the report contained multiple recommendations for the DoD to better validate and enforce compliance with NIST standards. In response, the DoD has already agreed to implement many of the recommendations listed in the report, including a pilot program to establish a department-wide approach for assessing contractor compliance with NIST standards.
“How the planned pilot program will interact with the DoD’s announced plans for the cybersecurity maturity model certification and the shift to third party certifiers is an open question but should serve as another signal that the DoD is ramping up its oversight and enforcement efforts. Indeed, contractors who fail to comply with NIST standards may soon find themselves at a significant competitive disadvantage,” we explained in the article.