Vulnerable Systems: Contractor Protection of Controlled Unclassified Information at Risk

Bass, Berry & Sims PLC

The Department of Defense (DoD) Inspector General recently issued a report summarizing the findings of an audit into the protection of Controlled Unclassified Information (CUI) on contractor networks. Based on an in-depth review of nine contractors, the audit uncovered several common practices that fall short of the standards set forth in NIST SP 800-171, which contractors are obligated to follow under DFARS 252.204-7012.

Shortcomings Discovered in DoD Audit

These common lapses include the following, among others:

  • Inconsistent tracking of cybersecurity threats
  • Failure to consistently mitigate network vulnerabilities
  • Uneven use of strong passwords
  • Inconsistent use of multifactor authentication

The audit likewise exposed the following:

  • Issues relating to protection of CUI stored on removable media
  • Granting system access beyond what a user's assigned duties require
  • Failure to configure user accounts to lock or log off following 15 minutes of inactivity

Importantly, the audit revealed that the DoD Component contracting offices did not develop or implement sufficient processes to ensure contractor compliance with required security controls.

These shortcomings, according to the report, expose valuable defense information to theft by malicious actors, thereby placing the nation’s security at risk.

Recommendations in Response to DoD Audit

To address these concerns, the report contains a number of specific recommendations, including that DoD should do the following:

  1. Validate contractor compliance with security requirements prior to awarding a contract
  2. Monitor compliance at least once per year throughout the performance period
  3. Take corrective action against contractors who fail to meet these requirements

In response, the Acting Director of Defense Pricing and Contracting (DPC) has agreed with the need to take corrective action against non-compliant contractors. He further indicated that the DPC will undertake a pilot program to develop a department-wide approach for assessing contractor compliance with NIST SP 800-171 requirements.

This report is a sign of things to come and should prompt contractors to confirm that they are meeting the requirements of DFARS 252.204-7012 before DoD begins validating compliance itself.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Bass, Berry & Sims PLC | Attorney Advertising
