A new report from the Defense Department inspector general details common cybersecurity "weaknesses" on federal contractor networks that are handling controlled unclassified information for military services and agencies.
“The common cybersecurity weaknesses identified in this special report provide DOD contracting officers with potential focus areas when assessing contractor performance and DOD contractors and grant recipients with potential focus areas before attesting to their compliance with NIST SP 800-171,” the Dec. 4 report says.
NIST Special Publication 800-171 establishes security requirements for protecting CUI, and defense contractors are required to meet all 110 of its controls to do business with DOD.
The December report says, “From 2018 through 2023, the DOD OIG issued five audit reports on DoD contractors’ inconsistent implementation of the NIST SP 800-171 cybersecurity controls required by DFARS 252.204-7012 for protecting CUI.”
“Those reports contained assessments of 29 DOD contractors providing products and services for 12 DOD Components. The five reports contained 116 recommendations to DOD Component contracting officers to ensure that the contractors corrected the weaknesses identified in the reports,” according to the latest IG report.
The DOD IG’s most recent two reports looked at the department’s implementation and oversight of the CUI program and an audit on the “Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors.”
The biggest issues are not using multifactor authentication or strong passwords, and not protecting CUI on removable media.
The report also goes through weaknesses found in Justice Department-led Civil Cyber-Fraud Initiative audits.
“The CCFI combines the DOJ’s expertise in civil fraud enforcement, government procurement, and cybersecurity to combat new and emerging cyber threats to the security of sensitive information and critical networks and systems. Under the False Claims Act and through the CCFI, the DOJ pursues cybersecurity-related fraud by government contractors and grant recipients,” the report says.
The report continues, “This includes holding accountable contractors who fraudulently attest on cybersecurity compliance self-assessments that security mechanisms were in place (or planned) to protect information that requires protection in accordance with DFARS 252.204-7012.”
The DOD IG took the findings from its audits and the CCFI investigations to identify six common cybersecurity weaknesses and summarize them in the report.
The six weaknesses are: not implementing MFA; system activity and user activity reports; disabling inactive user accounts; physical security; network and system vulnerabilities; and scanning for viruses and malicious code.
The Pentagon is in the process of setting up a regime where defense contractors will need to obtain a third-party assessment of their compliance with NIST 800-171 through the Cybersecurity Maturity Model Certification program.