Defense Department components often give grants or contracts to colleges and universities, and companies for that matter, to do research. That means they develop controlled, unclassified information, or CUI. Now the Defense Office of Inspector General has found, research contractors don’t do a good job of protecting that information from cyber attacks. Joining the Federal Drive with Tom Temin with details, the project manager for audit cyberspace operations in the DODIG office, Gregory Crawford.
Tom Temin: Mr. Crawford, good to have you on.
Gregory Crawford: Good morning, Tom, thank you for having me.
Tom Temin: Talk about this issue in the large sense for us, what types of companies or universities or who are the entities that are getting these contracts?
Gregory Crawford: For this project, our sample size included a mix of academic institutions, not-for-profit research institutions, and other companies that conduct research and develop technologies for the DoD. And our focus was on the security controls in place to protect DoD controlled unclassified information, or CUI, that is stored on contractor-owned networks and systems. And simply put, CUI is unclassified information that requires additional safeguarding and dissemination controls to protect the information. For this review, we assessed the cybersecurity controls related to authenticating users, limiting access to only authorized and approved individuals, encrypting data, protecting information on removable media devices such as thumb drives, scanning for and mitigating identified vulnerabilities on the network, and the overall security posture of their network.
Tom Temin: Sure, and there are specific rules and regulations that these entities are required to follow, right, for CUI in order to legitimately get a contract?
Gregory Crawford: So yes, companies must follow the Defense Federal Acquisition Regulation Supplement Interim Rule, which was amended in September 2020 to implement a standardized methodology to assess contractor implementation of cybersecurity requirements. And for all the contracts that we assessed for this audit, the interim rule did apply to them. And the interim rule went into effect on Nov. 30, 2020. It was designed to enhance the protection of unclassified information in the hands of DoD contractors.
Tom Temin: And what did you find? How far or how closely did these entities that you examine follow that interim rule?
Gregory Crawford: Overall, we found that the contractors did not consistently implement cybersecurity controls required by NIST 800-171. And some of the biggest problem areas that we identified pertained to basic cyber hygiene practices, such as protecting information on removable media by making sure that media is encrypted to apply a layer of protection in case it is ever lost or stolen, disabling inactive user accounts, and enforcing two-factor authentication for users to access information on their networks and systems. And we also found that contractors did not address identified network vulnerabilities in a timely manner.
Tom Temin: So basically, this is not really rocket science. These are basic cyber hygiene measures.
Gregory Crawford: Absolutely. That is correct.
Tom Temin: We’re speaking with Gregory Crawford. He’s project manager for audit cyberspace operations at the Defense Department’s Office of Inspector General. One of your findings was that the contracting officers are supposed to assure this, that these controls are in place, that the contractors are complying with that interim rule. How can the contracting officers themselves find this out?
Gregory Crawford: That’s a great question. So contracting officers and the contracting officers representatives, they have a responsibility for ensuring that contractors comply with cybersecurity requirements. And the contracting officers should select their contracting officer representatives that are qualified and technically proficient to determine compliance with the NIST security requirements. And the interim rule allows contracting officers to conduct on site or virtual verification of contractors’ implementation of the NIST 800-171 security requirements to provide the department with a greater confidence level that contractors are properly securing DoD information.
Tom Temin: So it’s not enough for the contractors to be able to say, yes, we’re doing all of this, but you’re recommending that the COR, at least, if not the contracting officer him or herself, go there and check it out.
Gregory Crawford: Yes, some sort of verification by DoD personnel or third-party organizations approved by the DoD definitely should be done to make sure that the contractors are properly securing DoD information.
Tom Temin: Do you think one of the issues here is that on campuses, and you mentioned a lot of these are academic institutions, there’s kind of an openness or presumption of trust that’s probably not appropriate for those that are handling information important to the Defense Department?
Gregory Crawford: We do utilize research institutions and academic institutions, those are partners with the DoD. But we definitely have to make sure that this information is protected and it doesn’t fall into the wrong hands.
Tom Temin: All right, so just briefly review your main recommendations and did the different components agree with you?
Gregory Crawford: Overall, we issued 10 recommendations for this report. And the DoD agreed with eight of the 10 recommendations, and they outlined their plans to address the weaknesses identified in the report. And we’re currently working with the department to come to a resolution on the remaining two recommendations. And specifically, we recommended that the principal director for defense pricing and contracting direct contracting officers to use their authority to assess contractor compliance with NIST 800-171 security requirements. In addition, we recommended that service and component leaders direct their contracting officers to verify that the contractors corrected the cybersecurity weaknesses we identified in the report.
Tom Temin: Right, because these recommendations went to in one case, the Commanding General of the Army Contracting Command, and Commander of Naval Sea Systems Command, Commander of the Air Force Research Laboratory. So these are directed at high level people within these organizations, which means you must consider these pretty important.
Gregory Crawford: Absolutely. And these findings are very critical and relevant in these current times, as contractors that handle sensitive DoD information have been under increasing attacks from malicious individuals and malicious actors. So we definitely want to make sure that the proper controls are in place to protect that information.
Tom Temin: And I guess if all of these institutions get on with this and get on their game, they’ll be ready for when CMMC finally comes around?
Gregory Crawford: Yes, that is the plan.
Tom Temin: All right. Gregory Crawford is the project manager for audit cyberspace operations at the Defense Department’s OIG, thanks so much for joining me.
Gregory Crawford: You’re welcome. Thank you, Tom.