DOD must clear up some cybersecurity rules for contractors, IG audit says
Defense contractors remain a weak link in the Department of Defense’s cybersecurity, but current regulations are hampering potential improvements, according to a new DOD inspector general report on the handling of controlled but unclassified information.
The report notes basic cybersecurity practices — such as multi-factor authentication, strong passwords and reviewing system activity reports — where not being followed by the nine randomly selected contractors the IG investigated.
Top Defense officials told investigators, however, that they couldn’t mandate strong passwords and automatic logouts for contractors, citing conflicts with existing federal regulations as well as Executive Order 13556 from 2010. The regulations set the scope for management of controlled but unclassified information.
One of the two rules, 32 Code of Federal Regulation section 2002, states in part agencies “may not implement safeguarding or dissemination controls for any unclassified information other than those controls consistent with the [controlled unclassified] Program.” The IG disagreed that the regulation blocks the DOD from implementing cybersecurity practices such as using strong passwords.
DOD officials concurred, though, with the need for broad reviews of how information is handled by contractors and the DOD.
The report also cites some communication failures. A failure to properly mark controlled but unclassified information, for example, blinded contractors to what steps they needed to take to ensure information security. DOD contracting offices “inconsistently tracked” which contractors had what type of information, leaving both sides of the contracting process in the dark, the report states.
The DOD is in the process of revamping the cybersecurity standards, which are based on documents from the National Institute of Standards and Technology. Contractors have struggled to follow them, so the Pentagon developed its own model called the Cybersecurity Maturity Model Certification. The new standards are projected to be a required part of DOD contracting early next year, according to Pentagon officials.
While the report set out to investigate the handling of unclassified information, it noted that a DOD contracting office did not take appropriate action to address a spillage of classified information to unclassified environments.
“Neither the Defense Threat Reduction Agency nor the contractor took prompt action to report and address the spillage of classified DoD information,” the report stated.
Official responses from contracting and cybersecurity officials agreed to “implement a plan to verify” that cybersecurity weaknesses are corrected. The DOD IG requested further comments from many of the officials quoted in the report on steps they plan to take to improve information security. While 20 of the 45 recommendations from the IG have been implemented in DOD agencies, only four have been verified, according to the report.
