Uncontrolled Information: DoD Audit Finds Contractor Lapses in Protecting Controlled Unclassified Information

Client Alert | 1 min read | 08.02.19

The Department of Defense Inspector General has released a much-anticipated audit report regarding the protection of Controlled Unclassified Information (CUI) on contractor networks. Begun last summer at the Defense Secretary’s request, the audits found that contractors are not consistently implementing cybersecurity standard NIST SP 800-171, despite being required to do so under DFARS 252.204-7012. The report calls particular attention to common shortcomings regarding multifactor authentication, strong passwords, vulnerability management, and removable media, among others.

The report recommends that DoD:

Verify that contractors are identifying, responding to, and reporting cyber incidents involving CUI;
Assess contractors’ ability to protect CUI as part of the solicitation process; and
Validate, at least annually, that contractors are complying with their contractual cybersecurity requirements.

These recommendations are consistent with recent DoD efforts to establish a “Cybersecurity Maturity Model Certification” that would require contractors to be certified compliant with contractually-specified cybersecurity requirements to be eligible for award.

Contacts

Evan D. Wolff
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2615
ZXdvbGZmQGNyb3dlbGwuY29t
Maida Oringher Lerner
Senior Counsel
She/Her/Hers
- Washington, D.C.
  - D | +1.202.624.2596
bWxlcm5lckBjcm93ZWxsLmNvbQ==
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==

Insights

Client Alert | 8 min read | 06.06.25

Litigation Funding Reforms: Clarity for UK Funders and Litigants Post-PACCAR

On 2 June 2025 the Civil Justice Council (a UK public body that advises on civil justice and civil procedure) (“CJC”) issued its Review of Litigation Funding Final Report (the “Report”). The CJC has provided comprehensive recommendations on the regulation and reform of litigation funding in England and Wales. The highlight recommendation of the Report is for the UK Government to remove third party litigation funding from the regulations and requirements of the Damages-Based Agreements Regulations 2013 (“DBA Regulations”), reversing the judgment of the Supreme Court in PACCAR.[1] Meanwhile, the UK Court of Appeal has recently endorsed a position that the Competition Appeal Tribunal (“CAT”) may order that third party funders of collective proceedings be paid first from litigation proceeds before claimants according to waterfall provisions in their funding agreements....

Client Alert | 2 min read | 06.06.25
USPTO Director Clarifies Burden on IPR Petitioners Relying on Prior Art Cited During Prosecution
Client Alert | 5 min read | 06.05.25
The Abolition of Directors’ “Quasi-Immunity” by Book 6 Looked at in the Light of the Belgian B2B Contractual Terms Legislation
Client Alert | 3 min read | 06.04.25
CMS Issues Letters to Hospitals on Gender-Affirming Care Practices

View All Insights