DoD-Controlled Unclassified Information (CUI) - Contractors Need to Improve Compliance

The DoD FAR Supplement clause at 252.204-7012 requires that defense contractors who maintain DoD-controlled unclassified information (CUI) on their own networks and systems, to implement adequate security controls to protect such information. CUI is a designation for identifying unclassified information that requires proper safeguarding.

The DoD Office of Inspector General (OIG) recently published an audit report on how contractors are complying with these relatively new requirements - to determine whether contractors were protecting CUI on their networks and systems.

The report noted that from March 2015 through June 2018, 126 contractors reported 248 security incidents to the DoD cyber Crime Center including unauthorized access to contractors' networks by malicious actors, stolen equipment, inadvertent disclosure of information, data ex-filtration, and the exploitation of network and system vulnerabilities by malicious actors. That was enough to spur the Secretary of Defense into requesting the audit. The OIG's audit included an assessment of nine out of 12,705 contractors with DoD contracts worth $1 million or more. That seems like a pretty small sample size to assess global compliance rates.

The OIG found significant internal controls deficiencies at all nine contractors reviewed. But it attributed the root cause of those deficiencies to be the Government's fault. It noted that contracting officers have not established processes to

• verify that contractors' networks and systems meet security requirements before contract award
• notify contractors of the specific CUI category related to the contract requirements
• mark documents that contained CUI and notify contractors when CUI was exchanged between DoD agencies and the contract, and
• verify that contractors implemented minimum security controls for protecting CUI.

The report also noted that contracting offices did not know which contracts required contractors to maintain CUI because the DoD did not implement processes and procedures to track which contractors maintain CUI.

The OIG made a number of recommendations involving new controls and processes. In other words, it told DoD to get its act together and figure out whether contractors can comply prior to awarding contracts and set up tracking mechanisms to inventory CUI information.The OIG did not particularly care for DCMA's (Defense Contract Management Agency) response which fell short of stating how DCMA would verify contractor compliance and whether contractors corrected weaknesses identified in the report.