The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit into the protection of Controlled Unclassified Information (CUI) on contractor networks. Based on an in-depth review of nine contractors, the audit uncovered several common practices that fall short of the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.
Shortcomings Discovered in DoD Audit
These common lapses include the following, among others:
- Inconsistent tracking of cybersecurity threats
- Failure to consistently mitigate network vulnerabilities
- Uneven use of strong passwords
- Inconsistent use of multifactor authentication
The audit likewise exposed the following:
- Issues relating to the protection of CUI stored on removable media
- Granting users more system access than their assigned duties required
- Failure to configure user accounts to log off after 15 minutes of inactivity
Importantly, the audit revealed that the DoD Component contracting offices did not develop or implement sufficient processes to ensure contractor compliance with required security controls.
These shortcomings, according to the report, expose valuable defense information to theft by malicious actors, thereby placing the nation’s security at risk.
Recommendations in Response to DoD Audit
To address these concerns, the report contains a number of specific recommendations, including that DoD should do the following:
- Validate contractor compliance with security requirements prior to awarding a contract
- Monitor compliance at least once per year throughout the performance period
- Take corrective action against contractors who fail to meet these requirements
In response, the Acting Director of Defense Pricing and Contracting (DPC) agreed on the need to take corrective action against non-compliant contractors. He further indicated that the DPC will undertake a pilot program to develop a department-wide approach for assessing contractor compliance with NIST SP 800-171 requirements.
This report is a sign of things to come and should serve as guidance to contractors to ensure that they are meeting the requirements of DFARS 252.204-7012.
If you have any questions or would like guidance on DFARS 252.204-7012 to ensure that your company is meeting all of the criteria, please contact me or any member of our Government Contracts Practice Group.