This past week the GAO released Special Report DODIG-2024-031: Common Cybersecurity Weaknesses Related to the Protection of DoD Controlled Unclassified Information on Contractor Networks. It is one of many reports on DoD cybersecurity audits of contractors dating back to 2018; however, this Special Report highlights all of the open recommendations made by the GAO to the DoD over the past five years. To put it into context, the report notes that the DoD, as of two months ago, had 183,562 active contracts for goods and services. Most of those contractors have some form of control over Controlled Unclassified Information (CUI), whether in processing, transmission, or storage.

The Defense Federal Acquisition Regulation Supplement (DFARS), specifically DFARS 252.204-7012, requires contractors to safeguard information under National Institute of Standards and Technology (NIST) Special Publication (SP) 800‑171, which is divided into fourteen different categories, totaling 110 separate requirements. Over the past five years, the audits issued 116 recommendations to DoD contracting officers covering 12 components (quickly name them and you may qualify for Jeopardy). As of last week, 24 of the recommendations were still open: 14 of them at 122 days, three at 586 days, and seven at 1,531 days. Of the seven listed, five are from the Defense Pricing and Contracting Office and two from the DoD Chief Information Officer. For example, one of the recommendations to the Defense Pricing and Contracting Office (which falls under the Assistant Secretary of Defense for Acquisition) reads:

“We recommend that the Principal Director for Defense Pricing and Contracting, in coordination with the appropriate DoD Component responsible for developing policy, develop and implement policy requiring DoD Component contracting offices and requiring activities to maintain an accurate accounting of contractors that access, maintain, or develop CUI as part of their contractual obligations.”

A recommendation such as the one above could remain open for a variety of reasons, from changes in leadership to bureaucratic quicksand to simple disagreement between the auditor and the agency about the recommendation itself.

What is somewhat timely about this report is that it comes in the wake of government agencies exercising their rights under the False Claims Act (FCA) to pursue contractors who misrepresented their cybersecurity compliance to the federal government, the impetus for which comes from the Department of Justice’s Civil Cyber Fraud Initiative. I wrote about several of the cases last week.

What does all of this mean? The focus on supply chain cybersecurity within the federal government, including the DoD, has never been broader. Not only will that continue the boom in the compliance career field, but it will also require a large number of technical writers, internal assistance, and technical experts to fix the problems.

Joe Jabara, JD, is the Director of the Hub for Cyber Education and Awareness, Wichita State University. He also serves as adjunct faculty at two other universities, teaching Intelligence and Cyber Law. Prior to his current job, he served 30 years in the Air Force, Air Force Reserve, and Kansas Air National Guard. His last ten years were spent in command/leadership positions, the bulk of which were at the 184th Intelligence Wing as Vice Commander.