Recent reports from the Department of Defense (DoD) outline common cybersecurity weaknesses for Controlled Unclassified Information (CUI) protection by contractors. CUI is information that is possessed or created for the U.S. government that, by law, requires dissemination controls and safeguarding. These required security controls are specified in NIST SP 800-171. When prospective contractors respond to the DoD about their cybersecurity capabilities they must attest that they comply with security requirements or will comply in the future.
The five audit reports, submitted from 2018 to 2023 contained assessments of 29 DoD contractors that are currently providing defense products and services. These reports are being used in the investigations of contractors alleged to have knowingly misrepresented their compliance to NIST SP 800-171. These investigations are being conducted by the United States Department of Justice (DoJ).
The reports from the DoD Office of Inspector General (OIG) outline weaknesses identified in federal government contractor officials verification processes that ensure contractor compliance with NIST SP 800-171 requirements. It also outlines inconsistencies in DoD contractor’s implementation of these cybersecurity requirements.
Inconsistencies in Contractor Implementation of Required Controls
Multifactor Authentication or Strong Passwords
It was noted that contractors audited in the assessments had insufficient enforcement of the use of strong passwords. Additionally, these same organizations often failed to implement multifactor identification. Multifactor authentication is a requirement for accessing non-privileged network and system accounts. Password complexity enforcement is a requirement where multifactor authentication where single factor authentication is in use.
System Activity and User Activity Reports
The report noted multiple failures of organizations to conduct regular generation and review of system activity and user activity reports. Regular performance of this function allows for identification of unauthorized access attempts that could lead to the breach of sensitive information. Information gained from this activity can also be used as forensic evidence when investigating malicious events.
Disabling Inactive User Accounts
Contractors assessed failed to disable user accounts after extended periods of inactivity in half of the assessments conducted. The NIST SP 800-171 requirement is used to prevent outdated or unused accounts from being used as penetration points for gaining access into an information system.
In a majority of the assessments conducted, it was discovered that contractors failed to implement sufficient physical security controls for the monitoring of facilities. These controls include devices such as video cameras that can allow organizations to identify and respond to security events.
Network and System Vulnerabilities
NIST SP 800-171 has requirements for conduct regular scans for network and system vulnerabilities. Vulnerabilities that are discovered should be documented and addressed in an organizations Plans of Actions and Milestones (PoAM) so that network and system weaknesses can be mitigated.
Scanning for Viruses and Malicious Code
This basic cybersecurity activity was not performed on networks and systems in half of the assessed organizations. NIST SP 800-171 has requirements for periodic scans of networks and systems as well as real-time scans of external sourced files to detect malicious code. These requirements include updating virus definitions and full-disk scans.
Weaknesses in DoD Verification Processes
The report noted areas in which DoD contracting officials had insufficient verification processes for ensuring contractor compliance to NIST SP 800-171 requirements. The areas corresponded with the reported inconsistencies of contractor implementation with the addition of the failure to recognize deficiencies in the protection of CUI on removable media.
The control of removable media on system components requirements are designed to restrict access to media and the use of certain types of media on systems. This would include the restriction or prohibition of flash drives and external hard disk drives. Applicable controls would include excluding use to devices provided or approved by the organization.
The requirement is designed to ensure that only authorized personnel can access and transfer data using removable media. It further ensures that any data transferred is protected from unauthorized access or disclosure.
Results of the Reports
As a result of the report, 116 recommendations were given to divisions within the Department of Defense. These recommendations are being instituted to improve assessments conducted by DoD contract officials. Additionally, these reports will focus contract officials attention to the reported deficiencies in future contractor assessments. It is therefore, recommended that organizations seeking contracts pay particular attention to their compliance status in these areas.
CVG Strategy Information Security Management System Consultants
This DoD report on common cybersecurity weaknesses for CUI protection will be used by contracting officers to assess contractor performance for future contracts and grants. Therefore it is in the best interest of organizations involved in defense contracts to ensure that their information security programs address these issues.
To assist businesses to meet the challenges in adopting CMMC 2.0 standards, CVG Strategy has developed an approach that combines the requirements of CMMC compliance with the ISO 27001 information security management system. This provides a coherent methodology for implementing and maintaining essential cybersecurity for businesses of any size.
We can help you meet your information security management system goals. CVG Strategy QMS experts are Exemplar Global Certified Lead Auditors. We can provide the training required to understand and engage in a ISMS and make it meet desired objectives. This process includes defining the context of your organization, creation of internal auditing processes and much more.
Identify Areas With CUI with CVG Strategy Signs
CVG Strategy provides signs to identify areas containing CUI and export controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per title 22, Code of Federal Regulations (CFR), Parts 120-130.