Publicly Released: February 24, 2022
Objective
The objective of this audit was to determine whether contractors that conduct military research and develop technologies for the DoD have security controls in place to protect controlled unclassified information (CUI) stored on their networks from insider and external cyber threats. CUI is information created or possessed on behalf of the Government that requires safeguarding or dissemination controls according to applicable laws, regulations, and Government‑wide policies.
Background
The DoD works with academia and industry partners that research the development of military technologies. These partners include [REDACTED], and other DoD contractors that conduct research for the DoD. DoD contracting officers are responsible for oversight of DoD contractors and ensuring compliance with Defense Federal Acquisition Regulation Supplement (DFARS) requirements.
DFARS clause 252.204‑7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” requires contractors that maintain CUI to implement security controls specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800‑171, which lists security requirements for safeguarding sensitive information on non‑Federal information systems. The requirements include controls related to user authentication, user access, media protection, incident response, vulnerability management, and confidentiality of information.
Finding
The 10 academic and research contractors we assessed did not consistently implement required cybersecurity controls to protect CUI stored on their networks from insider and external cyber threats. Specifically,
- four did not enforce the use of multifactor authentication or configure their systems to enforce the use of strong passwords to access their networks and systems;
- three did not identify and mitigate network and system vulnerabilities in a timely manner;
- one did not monitor network traffic and scan its network for viruses;
- two did not encrypt workstation hard drives to protect CUI from unauthorized access or disclosure;
- four did not disable users accounts after extended periods of inactivity;
- five did not protect CUI stored on removable media by using automated controls to restrict the use of removable media;
- two did not implement physical security controls, [REDACTED] and
- one did not develop an incident response plan.
These issues existed because DoD Component contracting officers did not verify whether contractors complied with NIST SP 800‑171 cybersecurity requirements. Although the Defense Pricing and Contracting (DPC) Principal Director implemented interim DFARS Rule 2019‑D041, “Assessing Contractor Implementation of Cybersecurity Requirements,” on September 29, 2020, requiring DoD Component contracting officers to verify contractor implementation of the cybersecurity requirements in NIST SP 800‑171, the interim rule only applies to new DoD contracts, task orders, and delivery orders awarded after November 30, 2020, or contracts modified after November 30, 2020, that extend the period of performance.
The interim rule does not apply to existing contracts, including the contracts that we reviewed during the audit. Without a framework for assessing cybersecurity requirements for existing contractors, the cybersecurity issues identified in this report could remain undetected on DoD contractor networks and systems, increasing the risk of malicious actors targeting vulnerable contractor networks and systems and stealing information related to the development and advancement of DoD technologies.
Recommendations
We recommend that the Principal Director for DPC direct contracting officers to use their authority as outlined in the NIST SP 800‑171 DoD Assessment Methodology to assess contractor compliance with NIST SP 800‑171 cybersecurity requirements for protecting controlled unclassified information for contracts issued before November 30, 2020.
We also recommend that the Commanding General of the Army Contracting Command; Commander of the Naval Sea Systems Command (NAVSEA); Commander of the Air Force Research Laboratory (AFRL), and the Director of Defense Research and Engineering for Research and Technology (DDR&E [R&T]) direct DoD Component contracting officers to verify that their respective academic and research contractors implement controls related to:
- using multifactor authentication;
- identifying and mitigating vulnerabilities in a timely manner;
- developing plans of action and milestones;
- encrypting CUI;
- disabling inactive user accounts;
- implementing technical security controls to protect CUI stored on removable media;
- implementing physical security controls; and
- documenting and testing incident response plans.
Management Comments and Our Response
The DPC Principal Director disagreed with the recommendation, stating that additional rulemaking and negotiations would be required to make changes applicable to contracts awarded before November 30, 2020, and result in substantial administrative and financial burden to the DoD. In response to the Principal Director’s concerns, we revised the report and recommendation to clarify that additional rulemaking and negotiations would not be required because contracting officers had the authority to require additional assessments as outlined in the NIST SP 800‑171 DoD Assessment Methodology. Therefore, we request that the Principal Director provide additional comments describing the methods in which contracting officers will use their current authority to conduct assessments of contractor compliance with NIST SP 800‑171 security requirements for contracts awarded before November 30, 2020.
The DDR&E (R&T) Acting Director disagreed with the recommendation, stating that the contractor implemented the NIST SP 800‑171 security requirements related to encrypting CUI stored on workstations and protecting CUI on removable media. While the contractor relies on physical security controls, the controls were not sufficient to reduce insider threats. Therefore, we request that the Acting Director provide additional comments describing what actions DDR&E (R&T) plans to take to ensure that the contractor establishes the necessary controls.
The Commanding General of the Army Contracting Command, the NAVSEA Inspector General, responding for the NAVSEA Commander, and the AFRL Commander agreed to verify its contractors implement controls related to the security weaknesses we identified.
This report is the result of Project No. D2021-D000CR-0085.000.