An inspector general (IG) for the Department of Defense (DoD) found internal control weaknesses in how contractors implement the cybersecurity controls that protect networks and systems containing DoD controlled unclassified information (CUI).
Processes were not implemented to verify that contractors complied with Federal and DoD requirements for protecting CUI maintained in non-Federal systems and organizations, the IG report says. The IG's analysis identified ten contractors with weaknesses. In some instances cybersecurity incidents were not documented or tracked correctly, and in others multifactor authentication was not used.
To ensure the integrity of cybersecurity protections, the IG suggested that DoD offices could include right-to-audit statements in contracts that would “allow representatives of the agencies to assess the cybersecurity protections implemented on contractor networks and systems that maintain DoD CUI.”
Among other recommendations, the IG suggests that contracting offices within the DoD coordinate with the Pentagon to develop and implement a plan to verify that the contractors have corrected the weaknesses. Defense officials told investigators that conflicts with Federal regulations prevent them from mandating strong passwords and automatic logouts for contractors. The IG disagreed that the Federal regulations cited by DoD officials would prevent implementing stronger cybersecurity practices.
The IG made 45 recommendations in total to the Defense Department to correct these oversights in the control weaknesses for contractors. Of those 45, 20 have been implemented across DoD agencies, and four of those have been verified.