
Report | Feb. 22, 2022

Audit of the Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors (DODIG-2022-061)

What We Did:

The objective of this audit was to determine whether contractors that conduct military research and develop technologies for the DoD have security controls in place to protect controlled unclassified information (CUI) stored on their networks from insider and external cyber threats. CUI is information created or possessed on behalf of the Government that requires safeguarding or dissemination controls according to applicable laws, regulations, and Government-wide policies.

What We Found:

The 10 academic and research contractors we assessed did not consistently implement required cybersecurity controls to protect CUI stored on their networks from insider and external cyber threats. Specifically,

• four did not enforce the use of multifactor authentication or configure their systems to enforce the use of strong passwords to access their networks and systems;

• three did not identify and mitigate network and system vulnerabilities in a timely manner;

• one did not monitor network traffic and scan its network for viruses;

• two did not encrypt workstation hard drives to protect CUI from unauthorized access or disclosure;

• four did not disable user accounts after extended periods of inactivity;

• five did not protect CUI stored on removable media by using automated controls to restrict the use of removable media;

• two did not implement physical security controls, [REDACTED]; and

• one did not develop an incident response plan.

These issues existed because DoD Component contracting officers did not verify whether contractors complied with NIST SP 800-171 cybersecurity requirements. Although the Defense Pricing and Contracting (DPC) Principal Director implemented interim DFARS Rule 2019-D041, “Assessing Contractor Implementation of Cybersecurity Requirements,” on September 29, 2020, requiring DoD Component contracting officers to verify contractor implementation of the cybersecurity requirements in NIST SP 800-171, the interim rule only applies to new DoD contracts, task orders, and delivery orders awarded after November 30, 2020, or contracts modified after November 30, 2020, that extend the period of performance.

The interim rule does not apply to existing contracts, including the contracts that we reviewed during the audit. Without a framework for assessing cybersecurity requirements for existing contractors, the cybersecurity issues identified in this report could remain undetected on DoD contractor networks and systems, increasing the risk of malicious actors targeting vulnerable contractor networks and systems and stealing information related to the development and advancement of DoD technologies.

What We Recommend:

We recommend that the Principal Director for DPC direct contracting officers to use their authority as outlined in the NIST SP 800-171 DoD Assessment Methodology to assess contractor compliance with NIST SP 800-171 cybersecurity requirements for protecting controlled unclassified information for contracts issued before November 30, 2020.

We also recommend that the Commanding General of the Army Contracting Command; Commander of the Naval Sea Systems Command (NAVSEA); Commander of the Air Force Research Laboratory (AFRL); and the Director of Defense Research and Engineering for Research and Technology (DDR&E [R&T]) direct DoD Component contracting officers to verify that their respective academic and research contractors implement controls related to:

• using multifactor authentication;

• identifying and mitigating vulnerabilities in a timely manner;

• developing plans of action and milestones;

• encrypting CUI;

• disabling inactive user accounts;

• implementing technical security controls to protect CUI stored on removable media;

• implementing physical security controls; and

• documenting and testing incident response plans.

Office of Inspector General, United States Department of Defense, 4800 Mark Center Drive, Alexandria, VA 22350-1500