A new Defense Department (DoD) Office of Inspector General (OIG) audit finds that some of the Pentagon’s academic and research partners have not consistently implemented cybersecurity controls to protect controlled unclassified information (CUI) stored on their networks from insider and external threats.
The OIG reviewed 10 academic and industry partners that conduct R&D work on military technologies for DoD to gauge their security controls for protecting CUI.
Among other items that the OIG found during its review:
- Four of the 10 didn’t enforce use of multifactor authentication (MFA) or configure systems to enforce the use of strong passwords to access networks and systems;
- Three didn’t identify and mitigate network and system vulnerabilities in a timely manner;
- One didn’t monitor network traffic and scan its networks for viruses;
- Two didn’t encrypt workstation hard drives to protect CUI from unauthorized access or disclosure;
- Four didn’t disable user accounts after periods of inactivity;
- Five didn’t protect CUI stored on removable media through automated controls to restrict the use of removable media;
- Two didn’t implement physical security controls; and
- One didn’t develop an incident response plan.
“These issues existed because DoD Component contracting officers did not verify whether contractors complied with [National Institute of Standards and Technology (NIST) special publication 800-171] cybersecurity requirements,” the OIG wrote.
“Without a framework for assessing cybersecurity requirements for existing contractors, the cybersecurity issues identified in this report could remain undetected on DoD contractor networks and systems, increasing the risk of malicious actors targeting vulnerable contractor networks and systems and stealing information related to the development and advancement of DoD technologies,” it said.
The OIG has recommended that the Defense Pricing and Contracting (DPC) principal director tell contracting officers to use their authority to assess contractor compliance with the NIST SP 800-171 DoD Assessment Methodology for protecting CUI under contracts issued before Nov. 30, 2020.
Additionally, the OIG recommended that the Commanding General of the Army Contracting Command, the Commander of the Naval Sea Systems Command, the Commander of the Air Force Research Laboratory, and the Director of Defense Research and Engineering for Research and Technology direct DoD component contracting officers to verify that their respective academic and research contractors implement controls related to:
- Using MFA;
- Identifying and mitigating vulnerabilities;
- Developing plans of action and milestones;
- Encrypting CUI;
- Disabling inactive user accounts;
- Implementing technical security controls to protect CUI stored on removable media;
- Implementing physical security controls; and
- Documenting and testing incident response plans.