Defense Researchers Lack Consistent Cybersecurity Safeguards, IG Finds

Academic and research institutions that team up with the Defense Department to develop next- generation military technologies don’t always have the best cybersecurity practices in place to thwart data theft and insider threat risks, according to a recent watchdog report. 

The Defense Department’s Office of Inspector General (OIG) audited 10 defense research organizations and found that nearly half had cybersecurity deficiencies that could put controlled unclassified data at risk. 

Failing to properly secure removable media, such as external hard drives, was the most common cyber slip-up, according to the report, with half of the 10 surveyed defense contractors being found to not have automated controls (e.g. whitelisting) implemented to enforce policies for controlled unclassified information (CUI) on removable media.

Other common problems were leaving user accounts functional after long periods of inactivity and using weak passwords or not employing multi-factor authentication, which occurred in 40% of the observed contractors. Moreover, three contractors did not have a network setup to automatically scan for viruses or intrusions. Other deficiencies included having unencrypted data on relevant workstations and not having an incident response plan.

Overall, four contractors had at least three observed deficiencies, while another four only had one. Names and specific descriptors of the research entities were redacted from the report, which was publicly released Feb. 24.

The OIG report said that DOD contracting officers didn't verify contractor compliance with cybersecurity requirements articulated in the National Institute of Standards and Technology's foundational SP 800-171 guidance.  

An interim Defense Federal Acquisition Regulation rule requires such verification for DOD contracts and orders completed after Nov. 30, 2020. In reply comments, the principal director for Defense Pricing and Contracting said additional rulemaking would be needed to apply the requirements retroactively. 

That interim rule is one of the first steps to the Defense Department implementing its Cybersecurity Maturity Model Certification program, which is based on the NIST controls and aims to verify defense contractors cyber-preparedness through third-party and self-assessments with documentation on all contracts by 2025. 

The OIG report indicated that contracting officers had authority to "independently assess, based on risk, and verify whether academic and research institutions comply with NIST SP 800-171 requirements for protecting CUI" without additional rulemaking.

The report also noted that self-assessments of the observed contractors didn’t preclude problems with implementation of security controls and were "not an effective method for determining compliance with NIST SP 800-171 security requirements."

The report is requesting further management comment from the Defense Pricing and Contracting Principal Director and the Director of Defense Research and Engineering for Research and Technology on unresolved recommendations in the report.