Special Report: Common Cybersecurity Weaknesses Related to the Protection of DoD Controlled Unclassified Information on Contractor Networks
United States. Department Of Defense. Office Of The Inspector General
From the document: "This special report provides insight into the common cybersecurity weaknesses identified in DoD Office of Inspector General (OIG) audit reports and through our support to the Defense Criminal Investigative Service and the Department of Justice on Civil Cyber-Fraud Initiative investigations related to DoD contractor compliance with Federal cybersecurity requirements for protecting controlled unclassified information (CUI). CUI is not classified information but is information created or possessed by the Government that requires safeguarding or dissemination controls according to applicable laws, regulations, and Government-wide policies as defined in Executive Order 13526, 'Classified National Security Information,' December 29, 2009. From 2018 through 2023, the DoD OIG issued five audit reports focusing on DoD contractors' inconsistent implementation of Federal cybersecurity requirements for protecting CUI that are contained in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171. Since 2022, the DoD OIG has provided support for five investigations under the Civil Cyber Fraud Initiative, which targets government contractors and grant recipients suspected of fraudulently attesting their compliance with the NIST SP 800-171 cybersecurity requirements. The common cybersecurity weaknesses identified in this special report provide DoD contracting officers with potential focus areas when assessing contractor performance and DoD contractors and grant recipients with potential focus areas before attesting to their compliance with NIST SP 800-171."
Department of Defense, Office of Inspector General, Report No. DODIG-2024-031. 24p.