Department of Defense Issues Report Critical of Contractor Cybersecurity Compliance
The Inspector General (IG) for the U.S. Department of Defense (DOD) issued a report critical of recent efforts by contractors to protect Controlled Unclassified Information (CUI). The report, which followed the DOD IG's efforts to support five separate investigations carried out by the U.S. Department of Justice (DOJ) in furtherance of its Civil Cyber-Fraud Initiative, identified common contractor cybersecurity weaknesses. One of the primary objectives of the Civil Cyber-Fraud Initiative is to investigate contractors that self-certify cybersecurity compliance and to determine whether those self-certifications are accurate. The IG and DOJ uniformly found that they were not, and the IG warned in its report that such inaccuracies could lead to violations of the False Claims Act, which provides for treble damages and penalties of up to $27,018 per false claim (or invoice).
The common cybersecurity shortfalls found by the IG include failures by contractors to:
- enforce strong passwords
- control or monitor personnel access to facilities, networks or systems
- generate and review network, systems and user access reports
- monitor configuration settings to detect deviations from configuration baselines or unauthorized software
- disable user accounts after extended periods of inactivity
- report, document or track incident-handling
- identify or mitigate network and system vulnerabilities in a timely manner
- scan networks or systems for malware or malicious codes
Of the five contractors reviewed, the best performing one still had four of the eight shortfalls above, while two contractors were not compliant with seven of the eight requirements.
The report also tracked previous recommendations made to DOD and noted that a good number of them were still outstanding, some for more than 1,500 days as of October 2023. Those long-outstanding recommendations include the IG's recommendations for DOD to enforce cybersecurity standards on contractors, including locking computers after three unsuccessful login attempts or 15 minutes, and requiring strong passwords that meet DOD requirements. A separate recommendation suggested that DOD assess whether contractors are complying with "NIST requirements." Similarly, the IG also recommended that DOD update its policy to require that component contracting officers validate contractor compliance with National Institute of Standards and Technology Special Publication 800-171.
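The shortfall categories listed above and the specific lockout thresholds cited in the IG's outstanding recommendations (three unsuccessful login attempts, a 15-minute lock) are the kind of settings a contractor can verify internally before self-certifying. The following is an added illustration of such a self-check; it is not tooling from the IG report, DOD, or NIST. The three-attempt and 15-minute values come from the recommendation quoted above; `MIN_PASSWORD_LENGTH` and `MAX_IDLE_DAYS` are assumed placeholders, not DOD-stated values, and all endpoint, account, and software data is constructed sample input.

```python
"""Hypothetical compliance self-check covering three of the IG shortfall areas:
lockout/password settings, accounts left enabled after long inactivity, and
configuration drift or unauthorized software. Added example, not DOD/IG code."""
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_LOGINS = 3      # from the IG recommendation cited on the page
MAX_LOCK_MINUTES = 15      # from the IG recommendation cited on the page
MIN_PASSWORD_LENGTH = 14   # assumed placeholder, not a DOD-stated value
MAX_IDLE_DAYS = 90         # assumed placeholder, not a DOD-stated value


@dataclass
class Account:
    name: str
    enabled: bool
    last_login: datetime


def check_lockout_policy(policy: dict) -> list[str]:
    """Compare an endpoint's lockout/password settings with the thresholds above.
    A value of 0 (or a missing key) is treated as the control being disabled."""
    findings = []
    threshold = policy.get("lockout_threshold", 0)
    if threshold == 0 or threshold > MAX_FAILED_LOGINS:
        findings.append("account lockout disabled or later than 3 failed attempts")
    lock_minutes = policy.get("screen_lock_minutes", 0)
    if lock_minutes == 0 or lock_minutes > MAX_LOCK_MINUTES:
        findings.append("screen lock disabled or later than 15 minutes")
    if policy.get("min_password_length", 0) < MIN_PASSWORD_LENGTH:
        findings.append("minimum password length below assumed floor")
    return findings


def stale_accounts(accounts: list[Account], now: datetime) -> list[str]:
    """Enabled accounts with no login in MAX_IDLE_DAYS; these should have been disabled."""
    cutoff = now - timedelta(days=MAX_IDLE_DAYS)
    return sorted(a.name for a in accounts if a.enabled and a.last_login < cutoff)


def config_drift(baseline: dict, observed: dict, installed: list[str], allowed: set[str]) -> dict:
    """Report settings that differ from the baseline and software not on the allow-list."""
    deviations = {k: (v, observed.get(k)) for k, v in baseline.items() if observed.get(k) != v}
    unauthorized = sorted(set(installed) - allowed)
    return {"deviations": deviations, "unauthorized_software": unauthorized}


# Constructed sample data representing one reviewed endpoint.
SAMPLE_POLICY = {"lockout_threshold": 10, "screen_lock_minutes": 30, "min_password_length": 8}
NOW = datetime(2023, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("jdoe", True, datetime(2023, 9, 28)),
    Account("contractor_old", True, datetime(2023, 2, 1)),   # idle and still enabled
    Account("svc_legacy", False, datetime(2022, 1, 1)),      # idle but already disabled
]
BASELINE = {"host_firewall": True, "legacy_file_sharing": False, "audit_logging": "full"}
OBSERVED = {"host_firewall": True, "legacy_file_sharing": True, "audit_logging": "full"}
INSTALLED = ["office-suite", "edr-agent", "unapproved-remote-tool"]
ALLOWED = {"office-suite", "edr-agent"}


def run_self_check() -> dict:
    """Run all three checks over the sample data and return the findings."""
    return {
        "policy": check_lockout_policy(SAMPLE_POLICY),
        "stale_accounts": stale_accounts(SAMPLE_ACCOUNTS, NOW),
        "drift": config_drift(BASELINE, OBSERVED, INSTALLED, ALLOWED),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_self_check(), indent=2, default=str))
```

Each non-empty finding list maps back to one of the shortfall categories in the IG report, which is the point of running a check like this before an invoice carries a compliance self-certification: the evidence exists either way, and it is cheaper to find the gap than to have an investigator find it.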
Taken as a whole, the IG report demonstrates that DOD is closely monitoring contractor compliance with cybersecurity standards and that the initiative has already resulted in at least five investigations (the ones identified in the report, in addition to any others in which DOJ may not have involved the IG). This, coupled with new and forthcoming requirements (including the Cybersecurity Maturity Model Certification), serves as a strong signal to contractors that DOD continues to advance its efforts to ensure cybersecurity compliance.