On November 30, 2023, the Inspector General of the Department of Defense (“DoD IG”) released a Special Report: Common Cybersecurity Weaknesses Related to the Protection of DoD Controlled Unclassified Information on Contractor Networks (the “Report”). Between 2018 and 2023, the DoD IG reports it conducted five audits related to DoD contractors’ protection of Controlled Unclassified Information (“CUI”), in accordance with the cybersecurity requirements in National Institute of Standards and Technology (“NIST”) Special Publication (“SP”) 800-171. Additionally, the Report states that since 2022, the DoD IG has provided support/assessments for five investigations under the Department of Justice’s (“DOJ”) Civil Cyber Fraud Initiative (“CCFI”).[1]
Based on the DoD IG audits and participation in the CCFI investigations, the Report provides information about the common cybersecurity weaknesses for protection of CUI identified by the DoD IG. In particular, the Report identifies the six most common cybersecurity weaknesses, which we summarize in the following table:
| Weakness Identified | Description | How Often It Occurred |
| --- | --- | --- |
| Multifactor Authentication (MFA) or Strong Passwords Not Enforced | MFA is authentication using two or more different factors. Such factors include something known to the user (e.g., a personal identification number or password), something in the user’s possession (e.g., a cryptographic identification device or token), or a physical aspect of the user (e.g., biometric information). If MFA is not used, NIST SP 800-171 requires use of complex passwords. | 4/5 of the audits, and 2/5 of the CCFI assessments |
| System Activity and User Activity Reports Not Generated/Reviewed | NIST SP 800-171 requires organizations to generate audit records to allow for monitoring, analyzing, investigating, and reporting unauthorized system activity. | 3/5 of the audits, and 4/5 of the CCFI assessments |
| Inactive User Accounts Not Disabled | NIST SP 800-171 requires organizations to disable user accounts after an extended period of inactivity. Outdated or unused accounts provide network penetration points that may go undetected. | 1/5 of the audits, and 3/5 of the CCFI assessments |
| Physical Security Not Controlled/Monitored | Physical security controls are required to monitor physical facilities containing contractor networks and systems. Examples of such controls include use of video surveillance equipment/cameras. | 3/5 of the audits, and 4/5 of the CCFI assessments |
| Network and System Vulnerabilities Not Timely Identified/Mitigated | NIST SP 800-171 requires organizations to scan for vulnerabilities in their networks, systems, and applications periodically, and to develop plans of action and milestones if they are unable to mitigate the vulnerabilities in a timely manner. | 4/5 of the audits, and 5/5 of the CCFI assessments |
| Networks/Systems Not Scanned for Viruses | NIST SP 800-171 requires organizations to perform periodic scans of organizational networks and systems and real-time scans of files from external sources to detect malicious code. It also requires system monitoring to include external and internal monitoring through a variety of tools and techniques, including network monitoring software and scanning tools. | 2/5 of the audits, and 4/5 of the CCFI assessments |
The Report suggests contracting officers use this list of the six most common cybersecurity weaknesses identified by the DoD IG as a starting point for potential focus areas when assessing contractor compliance with NIST SP 800-171 requirements. As such, these six common weaknesses provide a good starting point for contractors to prioritize when assessing their own cybersecurity compliance.
FOOTNOTES
[1] To date, the DOJ has publicly announced four settlements under the CCFI. The fifth referenced investigation could relate to the Pennsylvania State University case (which we previously discussed here and here), or perhaps another investigation which has not yet been disclosed.