Uncontrolled Information: DoD Audit Finds Contractor Lapses in Protecting Controlled Unclassified Information
Client Alert | 1 min read | 08.02.19
The Department of Defense Inspector General has released a much-anticipated audit report regarding the protection of Controlled Unclassified Information (CUI) on contractor networks. Begun last summer at the Defense Secretary’s request, the audits found that contractors are not consistently implementing cybersecurity standard NIST SP 800-171, despite being required to do so under DFARS 252.204-7012. The report calls particular attention to common shortcomings regarding multifactor authentication, strong passwords, vulnerability management, and removable media, among others.
The report recommends that DoD:
- Verify that contractors are identifying, responding to, and reporting cyber incidents involving CUI;
- Assess contractors’ ability to protect CUI as part of the solicitation process; and
- Validate, at least annually, that contractors are complying with their contractual cybersecurity requirements.
These recommendations are consistent with recent DoD efforts to establish a “Cybersecurity Maturity Model Certification” that would require contractors to be certified compliant with contractually-specified cybersecurity requirements to be eligible for award.
Contacts

Partner and Crowell Global Advisors Senior Director
- Washington, D.C.
- D | +1.202.624.2698
- Washington, D.C. (CGA)
- D | +1 202.624.2500
Insights
Client Alert | 2 min read | 07.15.26
CMMC Phase II Suspension Requires Reconsideration of Such Requirements in Solicitations
As discussed in more detail here, the U.S. Department of War (DoW) recently issued a memorandum (Memo 26-P-1023, dated July 13, 2026) directing the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements (Level I and II self assessments are still permitted). Significantly, the memo directs that “all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice.” Moreover, the DoW issued a memorandum on implementing these requirements (available here), directing agencies to issue amendments removing CMMC Level 2 and 3 requirements from active solicitations “as soon as practicable.” Contractors should monitor the government’s compliance with this requirement and should be prepared, if needed, to file a bid protest to protect their rights.
Client Alert | 3 min read | 07.15.26
Client Alert | 3 min read | 07.14.26
Client Alert | 3 min read | 07.13.26
Amici Rally Behind Liberty Global, Urging Tenth Circuit to Rein in Economic Substance Doctrine
