DoD OIG Releases Report on Audit of Contractor CUI Controls
On July 25, 2019, the DoD Office of the Inspector General (OIG) publicly released an audit report that evaluated the implementation of security controls by contractors who maintain DoD controlled unclassified information (CUI). The audit was requested by the Secretary of Defense; 26 DoD contractors with contracts worth $1 million or more were selected for assessment. However, only nine of the selected contractors had contracts that could be evaluated for the purpose of this audit.
The audit was prompted by the troubling reports of 248 cyber incidents by DoD contractors to the DoD Cyber Crime Center between March 2015 and June 2018. Current cybersecurity policies are governed by DFARS 7012, which requires CUI to be maintained according to NIST 800-171 standards. The NIST CUI security requirements include: “controls for user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.”
The audit found that contractors did not consistently implement the DoD-mandated security measures for CUI. The report determined that the assessed contractors were deficient in the following security controls:
- using multifactor authentication;
- enforcing the use of strong passwords;
- identifying network and system vulnerabilities;
- mitigating network and system vulnerabilities;
- protecting CUI stored on removable media;
- overseeing network and boundary protection services provided by a third-party company;
- documenting and tracking cybersecurity incidents;
- configuring user accounts to lock automatically after extended periods and unsuccessful logon attempts;
- implementing physical security controls;
- creating and reviewing system activity reports; and
- granting system access based on the user’s assigned duties.
The audit also discussed failures on the part of contracting offices and requiring activities. The results state that they failed to:
- verify that contractors’ networks and systems met National Institute of Standards and Technology security requirements before contract award;
- notify contractors of the specific CUI category related to the contract requirements;
- determine whether contractors access, maintain, or develop CUI to meet contractual requirements;
- mark documents that contained CUI and notify contractors when CUI was exchanged between DoD agencies and the contractor; and
- verify that contractors implemented minimum security controls for protecting CUI.
In addition to their poor enforcement of CUI security controls, contracting offices and requiring activities did not have procedures to track which contractors were responsible for maintaining CUI. The shocking result is that the DoD does not and cannot know how much DoD CUI contractors hold or whether it is being protected. Without knowing which contractors maintain CUI on their systems, the DoD cannot ensure that those contractors comply with the NIST 800-171 requirements. The report states that this makes DoD CUI especially vulnerable to cyber incidents.
The OIG audit also identified an incident of classified information spillage. This classified material was unprotected for two years because the original spillage was not reported promptly by the contractor or the Defense Threat Reduction Agency. The report calls these types of incidents “a threat to national security.”
The report recommends that the process for monitoring security issues be revised and that contractors verify they have taken steps to respond to security threats. Regarding the classified information spillage, the OIG recommends that the contractor’s performance be reviewed and administrative action be taken if necessary. It also recommends that the DoD CIO direct contracting offices and requiring activities to mandate that their contractors use stronger passwords and implement locking functions after 15 minutes of inactivity and three unsuccessful login attempts. A further recommendation concerns the unsettling reality that DoD CUI is being maintained by contractors but not fully accounted for. To solve this problem, the OIG suggests a revision of policy to require contracting offices and requiring activities to validate contractor compliance with CUI security requirements at least annually. It also recommends establishing processes to track contractors’ access to, maintenance of, or development of CUI during the life of their contracts. The final recommendation was a revision of language to require contracting offices to validate compliance with security requirements.
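As an added illustration of the lockout thresholds the report recommends (this is example code written for this page, not from the OIG report or any DoD tool), the following Python check scores each host's account policy against a lock after 15 minutes of inactivity and after three unsuccessful logon attempts, and also flags the missing multifactor authentication and weak-password controls the audit listed. The `key=value` export format, the host names and the 14-character password floor are constructed assumptions; the report itself gives no numeric password rule.

```python
# Added example: score each host's account policy against the lockout
# thresholds the OIG report recommends (15 minutes of inactivity, three
# unsuccessful logon attempts) plus the MFA and strong-password controls
# it found missing. Export format, host names and the password-length
# floor are constructed for this example, not taken from the report.
from dataclasses import dataclass

MAX_FAILED_LOGONS = 3              # report: lock after three unsuccessful attempts
MAX_INACTIVITY_SECONDS = 15 * 60   # report: lock after 15 minutes of inactivity
MIN_PASSWORD_LENGTH = 14           # assumption: the report gives no numeric floor


@dataclass
class AccountPolicy:
    host: str
    mfa_required: bool
    min_password_length: int
    lockout_threshold: int         # 0 = lockout on failed logons disabled
    inactivity_lock_seconds: int   # 0 = session never locks


def parse_export(text: str) -> list[AccountPolicy]:
    """Parse one 'key=value key=value ...' record per line (constructed format).

    Blank lines and '#' comments are skipped; a record missing a key or
    carrying a non-numeric value raises ValueError with its line number.
    """
    policies = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            fields = dict(token.split("=", 1) for token in line.split())
            policies.append(AccountPolicy(
                host=fields["host"],
                mfa_required=fields["mfa"].lower() == "yes",
                min_password_length=int(fields["pwmin"]),
                lockout_threshold=int(fields["lockout"]),
                inactivity_lock_seconds=int(fields["idle"]),
            ))
        except (KeyError, ValueError) as exc:
            raise ValueError(f"line {lineno}: malformed record ({exc})") from None
    return policies


def evaluate(policy: AccountPolicy) -> list[str]:
    """Return the deficient controls for one host (empty list = compliant)."""
    findings = []
    if not policy.mfa_required:
        findings.append("multifactor authentication not required")
    if policy.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {policy.min_password_length} "
                        f"below {MIN_PASSWORD_LENGTH}")
    if policy.lockout_threshold == 0:
        findings.append("account lockout on failed logons disabled")
    elif policy.lockout_threshold > MAX_FAILED_LOGONS:
        findings.append(f"lockout after {policy.lockout_threshold} failed logons "
                        f"exceeds {MAX_FAILED_LOGONS}")
    if policy.inactivity_lock_seconds == 0:
        findings.append("inactivity lock disabled")
    elif policy.inactivity_lock_seconds > MAX_INACTIVITY_SECONDS:
        findings.append(f"inactivity lock after {policy.inactivity_lock_seconds}s "
                        f"exceeds {MAX_INACTIVITY_SECONDS}s")
    return findings


def compliance_report(text: str) -> dict[str, list[str]]:
    """Map every host in the export to its list of deficiencies."""
    return {p.host: evaluate(p) for p in parse_export(text)}


# Constructed sample export: one compliant host, one with several gaps,
# one whose lockout threshold is looser than the recommended three attempts.
SAMPLE_EXPORT = """\
# constructed inventory export, one host per line
host=fileserver01 mfa=yes pwmin=14 lockout=3 idle=900
host=workstation07 mfa=no pwmin=8 lockout=0 idle=1800
host=jumpbox02 mfa=yes pwmin=14 lockout=5 idle=600
"""

if __name__ == "__main__":
    for host, findings in compliance_report(SAMPLE_EXPORT).items():
        status = "compliant" if not findings else f"{len(findings)} deficiency(ies)"
        print(f"{host}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

Run as a script it prints a per-host summary; `compliance_report` returns the same data as a dictionary so it can feed a ticketing or reporting pipeline. The checker treats a disabled lockout and an over-loose threshold as separate findings, since the audit called out both the absence of lockout configuration and weak settings.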