DoD OIG Releases Report on Audit of Contractor CUI Controls

NEXT STORY
2019 Navy Gold Coast Conference Recap

DoD OIG Releases Report on Audit of Contractor CUI Controls

8/1/2019

On July 25, 2019, the DoD Office of the Inspector General (OIG) publicly released an audit report that evaluated the implementation of security controls by contractors who maintain DoD controlled unclassified information (CUI). The audit was requested by the Secretary of Defense; 26 DoD contractors with contracts worth $1 million or more were selected for assessment. However, only nine of the selected contractors had contracts that could be evaluated for the purpose of this audit.

The audit was prompted by the troubling reports of 248 cyber incidents by DoD contractors to the DoD Cyber Crime Center between March 2015 and June 2018. Current cybersecurity policies are governed by DFARS 7012, which requires CUI to be maintained according to NIST 800-171 standards. The NIST CUI security requirements include: “controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.”

The audit found contractors failed to implement DoD-mandated security measures for CUI consistently. The report determined that the assessed contractors were deficient in the following list of security controls:

using multifactor authentication;
enforcing the use of strong passwords;
identifying network and system vulnerabilities;
mitigating network and system vulnerabilities;
protecting CUI stored on removable media;
-overseeing network and boundary protection services provided by a third-party company;
documenting and tracking cybersecurity incidents;
configuring user accounts to lock automatically after extended periods and unsuccessful logon attempts;
implementing physical security controls;
creating and reviewing system activity reports; and
granting system access based on the user’s assigned duties.

The audit also discussed failures on the part of contracting offices and requiring activities. The results state that they failed to:

-verify that contractors’ networks and systems met National Institute of Standards and Technology security requirements before contract award;
-notify contractors of the specific CUI category related to the contract requirements;
determine whether contractors access, maintain, or develop CUI to meet contractual requirements;
mark documents that contained CUI and notify contractors when CUI was exchanged between DoD agencies and the contractor; and
-verify that contractors implemented minimum security controls for protecting CUI.

In addition to their poor enforcement of CUI security controls, contracting offices and requiring activities did not have procedures to track contractors responsible for maintaining CUI. The shocking result of this is that the DoD does not and cannot know the amount of DoD CUI out there or whether it is being protected. Without knowing which contractors maintain CUI on their systems, they cannot ensure that those contractors comply with the NIST 800-171 requirements. The report states that this makes DoD CUI especially vulnerable to cyber incidents.

The OIG audit also identified an incident of classified information spillage. This classified material was unprotected for two years because the original spillage was not reported promptly by the contractor or the Defense Threat Reduction Agency. The report calls these types of incidents “a threat to national security.”

The report recommends that the process for monitoring security issues be revised and that contractors need to verify that they have taken steps to respond to security threats. Regarding the classified information spillage, the OIG recommends that the contractor’s performance be reviewed and administrative action be taken if necessary. It also recommends that the DoD CIO direct contracting offices and requiring activities to mandate that their contractors use stronger passwords and to implement locking functions after 15 minutes of inactivity and three unsuccessful login attempts. The final recommendation concerns the unsettling reality that DoD CUI is being maintained by contractors but not fully accounted for. To solve this problem, the OIG suggests a revision of policy that requires contracting offices and requiring activities to validate contractor compliance with CUI security requirements at least on an annual basis. It was also recommended that processes be established to track contractors’ access to, maintenance of, or development of CUI during the life of their contract. The final recommendation was a revision of language to require contracting offices to validate compliance with security requirements.

Topics: Cybersecurity

Comments (0)

Name *

Email *

Comment *

Please enter the text displayed in the image.

Characters *

Legal Notice *

NDIA is not responsible for screening, policing, editing, or monitoring your or another user's postings and encourages all of its users to use reasonable discretion and caution in evaluating or reviewing any posting. Moreover, and except as provided below with respect to NDIA's right and ability to delete or remove a posting (or any part thereof), NDIA does not endorse, oppose, or edit any opinion or information provided by you or another user and does not make any representation with respect to, nor does it endorse the accuracy, completeness, timeliness, or reliability of any advice, opinion, statement, or other material displayed, uploaded, or distributed by you or any other user. Nevertheless, NDIA reserves the right to delete or take other action with respect to postings (or parts thereof) that NDIA believes in good faith violate this Legal Notice and/or are potentially harmful or unlawful. If you violate this Legal Notice, NDIA may, in its sole discretion, delete the unacceptable content from your posting, remove or delete the posting in its entirety, issue you a warning, and/or terminate your use of the NDIA site. Moreover, it is a policy of NDIA to take appropriate actions under the Digital Millennium Copyright Act and other applicable intellectual property laws. If you become aware of postings that violate these rules regarding acceptable behavior or content, you may contact NDIA at 703.522.1820.

I have read the legal notice.

NDIA's Education offerings exist to build a more capable, qualified, and
efficient Defense Industrial Base to support our national security through
doing business with the Department of Defense.