On November 30, 2023, the Inspector General of the Department of Defense (“DoD IG”) released a Special Report: Common Cybersecurity Weaknesses Related to the Protection of DoD Controlled Unclassified Information on Contractor Networks (the “Report”). The Report states that between 2018 and 2023 the DoD IG conducted five audits of DoD contractors’ protection of Controlled Unclassified Information (“CUI”) against the cybersecurity requirements of National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. It further states that since 2022 the DoD IG has provided support and assessments for five investigations under the Department of Justice’s (“DOJ”) Civil Cyber Fraud Initiative (“CCFI”).[1]
Based on the DoD IG audits and participation in the CCFI investigations, the Report provides information about the common cybersecurity weaknesses for protection of CUI identified by the DoD IG. In particular, the Report identifies the six most common cybersecurity weaknesses, which we summarize in the following table:
The Report suggests that contracting officers use this list of the six most common cybersecurity weaknesses identified by the DoD IG as a starting point for potential focus areas when assessing contractor compliance with NIST SP 800-171 requirements. Contractors assessing their own compliance would be well served by prioritizing the same six weaknesses, since they are the areas government reviewers are now being pointed toward.
FOOTNOTES
[1] To date, the DOJ has publicly announced four settlements under the CCFI. The fifth referenced investigation could relate to the Pennsylvania State University case (which we previously discussed here and here), or perhaps another investigation which has not yet been disclosed.