Information security

Defense Contractors Not Doing Enough to Protect Controlled Unclassified Info, Auditor Says

The Department of Defense’s research and development contractors are not doing enough to protect sensitive information in their networks from cyberattacks, a government watchdog said in a new report.

Following a review of 10 such contractors, the DOD Office of the Inspector General said it found inconsistency in their implementation of security measures for controlled unclassified information.

The DOD defines CUI as information whose loss or compromise can pose significant national security risks. CUI is considered the “path of least resistance” for adversaries because of its less stringent controls than classified information, according to the Defense Counterintelligence and Security Agency.

Shortcomings were found in the use of multi-factor authentication, identification of network and system vulnerabilities, monitoring of network traffic, encryption of workstation data storage and restrictions for removable media, OIG said.

According to the auditor, the issues exist because the DOD’s contracting officers did not verify whether the contractors complied with the National Institute of Standards and Technology Special Publication 800-171 requirements.

OIG added that while the department has interim rules requiring its agencies to verify NIST SP 800-171 compliance, the policy only applies to contracts awarded or modified after Nov. 30, 2020.

The inspector general recommended that the defense pricing and contracting principal director extend the policy to contracts awarded prior to the said date.

The DOD is currently on track to implement the Cybersecurity Maturity Model Certification program, which is aimed at strengthening protections for CUI.

OIG said that the department’s contracting officers must step up their assessment of NIST 800-171 implementation as CMMC is not expected to be fully implemented until fiscal year 2025.