Uncontrolled Information: DoD Audit Finds Contractor Lapses in Protecting Controlled Unclassified Information

Client Alert | 1 min read | 08.02.19

The Department of Defense Inspector General has released a much-anticipated audit report regarding the protection of Controlled Unclassified Information (CUI) on contractor networks. Begun last summer at the Defense Secretary’s request, the audits found that contractors are not consistently implementing cybersecurity standard NIST SP 800-171, despite being required to do so under DFARS 252.204-7012. The report calls particular attention to common shortcomings regarding multifactor authentication, strong passwords, vulnerability management, and removable media, among others.

The report recommends that DoD:

Verify that contractors are identifying, responding to, and reporting cyber incidents involving CUI;
Assess contractors’ ability to protect CUI as part of the solicitation process; and
Validate, at least annually, that contractors are complying with their contractual cybersecurity requirements.

These recommendations are consistent with recent DoD efforts to establish a “Cybersecurity Maturity Model Certification” that would require contractors to be certified compliant with contractually-specified cybersecurity requirements to be eligible for award.

Contacts

Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==
Kate M. Growley
Partner and Crowell Global Advisors Senior Director
- Washington, D.C.
  - D | +1.202.624.2698
- Washington, D.C. (CGA)
  - D | +1 202.624.2500
a2dyb3dsZXlAY3Jvd2VsbC5jb20=

Insights

Client Alert | 3 min read | 05.29.26

Rough Seas for International Cartels: DOJ Indicts Four of the Largest Container Manufacturers and Executives for Price-Fixing

Last week, the U.S. Department of Justice (DOJ) Antitrust Division (the Division) revealed criminal charges against China International Marine Containers (Group) Co., Ltd. (CIMC) and several other major Chinese companies and executives involved in the manufacture and sale of standard dry shipping containers, which are used for shipping dry, unrefrigerated cargo on ships around the world. One of the executives was arrested at an airport in France and is awaiting extradition to the U.S. The indictment charged these defendants with violating Section 1 of the Sherman Act by conspiring to restrict output and fix prices of standard dry containers, including in the U.S. market, from 2019 to 2024....

Client Alert | 3 min read | 05.28.26
PFAS Regulatory Alert: EPA Rolls Back RCRA Proposed Rule on “Hazardous Waste” but Does Not Disturb Proposed RCRA Rule on PFAS
Client Alert | 8 min read | 05.28.26
Texas Targets Big Tech With Wave of Suits and Investigations, Part of Nationwide Trend
Client Alert | 7 min read | 05.27.26
Colorado Hits Reset on AI Regulation: SB 26-189 Repeals and Reenacts the Colorado AI Act

View All Insights