Uncontrolled Information: DoD Audit Finds Contractor Lapses in Protecting Controlled Unclassified Information
Client Alert | 1 min read | 08.02.19
The Department of Defense Inspector General has released a much-anticipated audit report regarding the protection of Controlled Unclassified Information (CUI) on contractor networks. Begun last summer at the Defense Secretary’s request, the audits found that contractors are not consistently implementing cybersecurity standard NIST SP 800-171, despite being required to do so under DFARS 252.204-7012. The report calls particular attention to common shortcomings regarding multifactor authentication, strong passwords, vulnerability management, and removable media, among others.
The report recommends that DoD:
- Verify that contractors are identifying, responding to, and reporting cyber incidents involving CUI;
- Assess contractors’ ability to protect CUI as part of the solicitation process; and
- Validate, at least annually, that contractors are complying with their contractual cybersecurity requirements.
These recommendations are consistent with recent DoD efforts to establish a “Cybersecurity Maturity Model Certification” that would require contractors to be certified compliant with contractually-specified cybersecurity requirements to be eligible for award.
Contacts
Partner, Crowell Global Advisors Senior Director
- Washington, D.C.
- D | +1.202.624.2698
- Washington, D.C. (CGA)
- D | +1 202.624.2500
Insights
Client Alert | 5 min read | 10.22.25
Sixth Circuit Reaffirms Privilege Protections During Internal Investigations
On October 3, 2025, the Sixth Circuit reaffirmed that the attorney-client privilege and the work-product doctrine protections apply to materials created during attorney-led internal investigations. In re FirstEnergy Corp., No. 24-3654 (6th Cir. Oct. 3, 2025).
Client Alert | 4 min read | 10.21.25
Pivot Point for 340B: HRSA Rebate Model Pilot Program Approaches Launch
Client Alert | 5 min read | 10.20.25
What’s new for Belgian Construction Contracts under the New Book 7 of the Civil Code
Client Alert | 3 min read | 10.17.25
California Enacts New Requirements and Restrictions for Health Care Transactions