DoD IG Report Provides Insight Into Common Missteps When Protecting CUI

Sheppard Mullin Richter & Hampton LLP

On November 30, 2023, the Inspector General of the Department of Defense (“DoD IG”) released a Special Report: Common Cybersecurity Weaknesses Related to the Protection of DoD Controlled Unclassified Information on Contractor Networks (the “Report”). Between 2018 and 2023, the DoD IG reports it conducted five audits related to DoD contractors’ protection of Controlled Unclassified Information (“CUI”), in accordance with the cybersecurity requirements in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. Additionally, the Report states that since 2022, the DoD IG has provided support/assessments for five investigations under the Department of Justice’s (“DOJ”) Civil Cyber Fraud Initiative (“CCFI”).[1] 

Based on the DoD IG audits and participation in the CCFI investigations, the Report provides information about the common cybersecurity weaknesses for protection of CUI identified by the DoD IG. In particular, the Report identifies the six most common cybersecurity weaknesses, which we summarize in the following table:

| Weakness Identified | Description | How Often It Occurred |
|---|---|---|
| Multifactor Authentication (MFA) or Strong Passwords Not Enforced | MFA is authentication using two or more different factors. Such factors include something known to the user (e.g., a personal identification number or password), something in the user's possession (e.g., a cryptographic identification device or token), or a physical aspect of the user (e.g., biometric information). If MFA is not used, NIST SP 800-171 requires use of complex passwords. | 4/5 of the audits, and 2/5 of the CCFI assessments |
| System Activity and User Activity Reports Not Generated/Reviewed | NIST SP 800-171 requires organizations to generate audit records to allow for monitoring, analyzing, investigating, and reporting unauthorized system activity. | 3/5 of the audits, and 4/5 of the CCFI assessments |
| Inactive User Accounts Not Disabled | NIST SP 800-171 requires organizations to disable user accounts after an extended period of inactivity. Outdated or unused accounts provide network penetration points that may go undetected. | 1/5 of the audits, and 3/5 of the CCFI assessments |
| Physical Security Not Controlled/Monitored | Physical security controls are required to monitor physical facilities containing contractor networks and systems. Examples of such controls include use of video surveillance equipment/cameras. | 3/5 of the audits, and 4/5 of the CCFI assessments |
| Network and System Vulnerabilities Not Timely Identified/Mitigated | NIST SP 800-171 requires organizations to scan for vulnerabilities in their networks, systems, and applications periodically, and to develop plans of action and milestones if they are unable to mitigate the vulnerabilities in a timely manner. | 4/5 of the audits, and 5/5 of the CCFI assessments |
| Networks/Systems Not Scanned for Viruses | NIST SP 800-171 requires organizations to perform periodic scans of organizational networks and systems and real-time scans of files from external sources to detect malicious code. It also requires system monitoring to include external and internal monitoring through a variety of tools and techniques, including network monitoring software and scanning tools. | 2/5 of the audits, and 4/5 of the CCFI assessments |

The Report suggests contracting officers use this list of the six most common cybersecurity weaknesses identified by the DoD IG as a starting point for potential focus areas when assessing contractor compliance with NIST SP 800-171 requirements. As such, these six common weaknesses provide a good starting point for contractors to prioritize when assessing their own cybersecurity compliance.

FOOTNOTES

[1] To date, the DOJ has publicly announced four settlements under the CCFI. The fifth referenced investigation could relate to the Pennsylvania State University case (which we previously discussed here and here), or perhaps another investigation which has not yet been disclosed.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Sheppard Mullin Richter & Hampton LLP | Attorney Advertising
