Inspector General Robert P. Storch announced today that the Department of Defense Office of Inspector General released the “Special Report: Common Cybersecurity Weaknesses Related to the Protection of DoD Controlled Unclassified Information on Contractor Networks.”
The report outlines 24 open recommendations from previous DoD OIG audit reports aimed at addressing cybersecurity vulnerabilities among DoD contractors, including common weaknesses in the cybersecurity protocols of DoD contractors who process, store, and transmit controlled unclassified information (CUI). One of the most prevalent weaknesses identified in this report was the failure of DoD contractors to enforce multifactor authentication and strong passwords.
This report summarizes a series of DoD OIG audit projects focused on cybersecurity challenges facing DoD contractors. From 2018 through 2023, the DoD OIG issued five audits that consistently found DoD contracting officials failed to establish processes to verify that contractors complied with selected Federal cybersecurity requirements for CUI, as required by the National Institute of Standards and Technology (NIST). Additionally, since 2022, the DoD OIG has participated in five investigations under the Department of Justice-led Civil Cyber Fraud Initiative, which targets Government contractors and grant recipients suspected of fraudulently attesting to their compliance with the NIST cybersecurity requirements.
“Protecting sensitive government information in cyberspace is crucial,” said IG Storch. “For that reason, strengthening the DoD’s cybersecurity capabilities has been among our Top DoD Management and Performance Challenges for more than a decade, and it will continue to be one of our top oversight priorities.”
About Controlled Unclassified Information:
CUI refers to non-classified information generated or possessed by the Government, necessitating protective measures or dissemination controls in accordance with applicable laws, regulations, and Government-wide policies as defined in Executive Order 13526, “Classified National Security Information,” December 29, 2009.