Defense contractors aren't securing sensitive information, watchdog finds

Contractors routinely fail to secure the Defense Department's unclassified information from cyberthreats when it's housed on their systems and networks, according to a new report from the department's watchdog agency.

The DOD inspector general released a report July 25 after reviewing how DOD information is protected on contractors' networks and systems. The IG found that contractors were not consistently adhering to DOD's cybersecurity standards, which are based on controls created by the National Institute of Standards and Technology.

Specifically, contractors failed to use multifactor authentication, enforce strong password use, identify and mitigate vulnerabilities or document and track cybersecurity incidents. Administrators also improperly assigned access privileges that did not align with users' responsibilities, the report stated.

According to the IG, the department "does not know the amount of DOD information managed by contractors and cannot determine whether contractors are protecting unclassified DOD information from unauthorized disclosure."

Moreover, the report cited a specific incident in which neither the Defense Threat Reduction Agency nor the contractor involved appropriately addressed the "spillage of classified information to unclassified cloud, internal contractor network and webmail environments…. As a result, classified information remained unprotected on the commercial cloud and the webmail server for almost two years."

The IG issued 25 recommendations, including raising the password character minimum to 15 and locking accounts for inactivity after 15 minutes. The principal deputy CIO disagreed with those specific recommendations, and the IG has asked for more input on implementing the measures.

The report coincides with two recent reports from the Government Accountability Office. One recommended that federal agencies bolster their cyber risk management and that the Department of Homeland Security take the lead in establishing guidance. The other said the Office of Management and Budget should conduct more CyberStat reviews with agencies.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at lwilliams@fcw.com, or follow her on Twitter @lalaurenista.
