Contractors that research and develop new technologies for the Department of Defense are not consistent in safeguarding the DOD’s controlled unclassified information, according to a new audit by the Pentagon’s inspector general.
The watchdog reviewed the cybersecurity controls of 10 such contractors and found issues in how they used multifactor authentication, identified and mitigated vulnerabilities in their systems, encrypted systems and protected against users transferring controlled unclassified information (CUI) via removable media, among other things, as required by DOD’s acquisition laws.
The audit comes as the DOD moves toward requiring contractors that handle CUI — data that is sensitive and “requires safeguarding or dissemination controls” but is not classified — to certify their cybersecurity maturity either through a third-party assessment or, in some cases, self-assessment under the Cybersecurity Maturity Model Certification (CMMC).
But CMMC isn’t set to be in place across the DOD until at least fiscal 2025, and until then, it’s incumbent upon contracting officers to verify that contractors adhere to cybersecurity requirements for handling CUI set by the National Institute of Standards and Technology, per an interim Defense Federal Acquisition Regulation Supplement (DFARS) rule implemented in September 2020.
The issue is that DOD interprets that rule to apply only to contracts awarded or modified after Nov. 30, 2020. And thus, “the interim rule does not apply to existing contracts, which includes all of the contracts that we reviewed during the audit,” the IG says.
“Without a framework for assessing cybersecurity requirements for existing contractors, the cybersecurity issues identified in this report could remain undetected on DoD contractor networks and systems, increasing the risk of malicious actors targeting vulnerable contractor networks and systems and stealing information related to the development and advancement of DoD technologies,” the report reads.
Therefore, in the interim, the IG recommends that contracting officers “independently” assess and verify if contracting institutions comply with cybersecurity requirements.
“If the DoD does not verify that all contractors using CUI implement … requirements, regardless of when the contract was awarded or modified, there is an increased risk that DoD CUI related to national security could fall into the hands of our adversaries,” the IG said.
The Defense Pricing and Contracting principal director, however, disagreed with the IG’s recommendation and has not taken action to resolve it because it would take additional rulemaking to be able to enforce and would “result in substantial administrative and financial burden to the DoD.”
According to the IG, that’s not the case. Under the existing rule, it argues in the report, “contracting officers had the authority to require additional assessments as outlined” in NIST’s standards and the director should direct those officers to use that authority in such a manner.
The findings of the IG’s report are extremely relevant today as defense contractors have been increasingly under attack from bad actors, including nation-state adversaries like Russia. Earlier this month, the Cybersecurity and Infrastructure Security Agency issued an alert declaring that for nearly two years, “Russian state-sponsored cyber actors” have targeted the emails and other data of U.S. defense contractors that handle sensitive information about weapons development, computer systems, intelligence-gathering technology and more.