On February 22, 2022, the Office of Inspector General (OIG) of the United States Department of Defense (DoD) released a report on ten academic and research institutions that develop military technologies. The OIG report focused on compliance with the cybersecurity requirements of NIST Special Publication (SP) 800-171 and on the DoD’s lax oversight of research institutions’ adherence to those requirements. Research security programs, including cybersecurity, are increasingly at the center of government audit and enforcement activity.

Background

Institutions that conduct sensitive research on behalf of the military may be subject to Clause 252.204-7012 of the Defense Federal Acquisition Regulation Supplement (DFARS), Safeguarding Covered Defense Information and Cyber Incident Reporting, which addresses contractor responsibilities for implementing NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and for reporting cyber incidents. NIST SP 800-171 sets out information security requirements for safeguarding controlled unclassified information (CUI) on non-federal information systems and networks. The requirements cover, among other elements, user access, incident response, media protection, information privacy, and vulnerability management. Clause 7012 requires DoD contractors that handle CUI to: (1) protect covered defense information; (2) report cyber incidents within 72 hours; (3) isolate and submit malware to the DoD; and (4) facilitate damage assessment.

The OIG report

The OIG report, “Audit of the Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors,” found that universities and research providers were failing to consistently implement the cybersecurity controls needed to protect CUI stored on their networks from internal and external cyber threats.

The OIG report made eight findings about research contractors’ protocols used to store, process, and transmit CUI. Of the ten contractors reviewed, the OIG specifically found that:

  • One failed to create an incident response plan;1
  • One failed to monitor network traffic and scan its network for viruses;
  • Two failed to implement physical security protocols (e.g., security guards, biometric readers, access card readers, and physical access control logs);
  • Two failed to encrypt workstation hard drives to protect CUI from disclosure or unauthorized access;
  • Three failed to identify and resolve system and network vulnerabilities in a timely manner;
  • Four failed to deactivate user accounts after long periods of inactivity;
  • Four failed to enforce the use of multi-factor authentication or the use of strong passwords to access their systems and networks; and
  • Five did not use automated controls to restrict the use of removable media and protect CUI stored on it.

The OIG cited DoD contracting officers (COs) for failing to confirm whether contractors complied with the NIST SP 800-171 cybersecurity requirements. Although DFARS Interim Rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, published at 85 Fed. Reg. 61505 (September 29, 2020) (interim rule), requires DoD COs to verify contractor compliance with NIST SP 800-171, the interim rule applies only to new contracts, delivery orders, and task orders awarded after November 30, 2020, or to contracts modified after November 30, 2020 to extend the period of performance. The interim rule therefore does not apply to the existing contracts the OIG audited, but it does establish the NIST SP 800-171 DoD Assessment Methodology (NIST Assessment Methodology), which provides for assessing a contractor’s implementation of the NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012. The NIST Assessment Methodology has been formally implemented through DFARS clauses 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and 252.204-7020, NIST SP 800-171 DoD Assessment Requirements (see our analysis of the NIST Assessment Methodology here).

OIG Recommendations

In response to the findings listed above and the oversight gap left by the interim rule, the OIG recommended that the Principal Director of Defense Pricing and Contracting (DPC) direct contracting officers to use their authority to assess contractor compliance with NIST SP 800-171 for contracts awarded before November 30, 2020.

DPC disagreed with the OIG’s recommendation, stating that such activity would require additional rulemaking and negotiation. The OIG responded that COs already have the authority to require additional cybersecurity assessments, as set out in the NIST SP 800-171 DoD Assessment Methodology.

According to the OIG, the NIST Assessment Methodology allows the DoD to assess contractor compliance when risk factors warrant such an assessment. The OIG argues that the audit findings “confirm the need” for the DoD to invoke its authority under the NIST Assessment Methodology.

The OIG also urged COs to verify that research institutions implement controls for:

  • Identifying and mitigating vulnerabilities in a timely manner;
  • Using multi-factor authentication;
  • Developing plans of action and milestones;
  • Disabling inactive user accounts;
  • Encrypting CUI;
  • Implementing physical security protocols at all facilities that maintain CUI;
  • Implementing technical security controls to protect CUI stored on removable media; and
  • Creating, documenting, and testing incident response plans.

Comments and Suggestions

At a minimum, academic and research organizations contracting with the federal government should be aware of the information system security requirements of FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” which applies to institutions that process, store, or transmit “Federal Contract Information” (defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public Web sites) or simple transactional information, such as necessary to process payments”).

In addition, institutions contracting with the DoD that also process, store, or transmit CUI must meet the requirements of DFARS Clauses 252.204-7012, 252.204-7019, and 252.204-7020, as explained above.

Given the high-profile security incidents of recent years involving federally sponsored research, the federal government continues to prioritize cybersecurity. For example, under National Security Presidential Memorandum 33 (NSPM-33), research organizations that receive more than $50 million a year in federal research funding will soon be required to certify implementation of a research security program that includes cybersecurity protocols (see our analysis of research security programs and NSPM-33 here). In addition, the Department of Justice has announced a Civil Cyber-Fraud Initiative under which it will use the False Claims Act (FCA) to pursue cybersecurity fraud by government contractors and grant recipients (see our discussion of the Civil Cyber-Fraud Initiative here).

Current regulations, cyber initiatives, and the OIG report make clear that research institutions must not only develop proper cybersecurity protocols but actually use them. Institutions may wish to consider the following actions:

  • Review agreements for cybersecurity requirements.
  • To the extent that organizations manage CUI, assess whether current cybersecurity policies and procedures comply with NIST SP 800-171 requirements.
  • Develop, review and update, as necessary, system security plans that describe system boundaries, system operating environments, how security requirements are implemented, and relationships with or connections to other systems.
  • Periodically test cybersecurity controls to ensure that they actually achieve their intended objectives.
  • Review and update training programs to ensure employees are aware of cybersecurity best practices (e.g., creating strong passwords, using proper encryption).
  • Document and test cybersecurity incident response plans.
  • Familiarize information security teams with the following resources:
    • NIST Self-Assessment Handbook, on successfully implementing NIST cybersecurity controls;
    • NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, which provides federal and non-federal organizations with assessment procedures and a methodology for assessing the CUI security requirements in NIST SP 800-171;
    • NIST Assessment Methodology, which documents a standard methodology for strategically assessing a contractor’s implementation of NIST SP 800-171; and
    • DoD Frequently Asked Questions, addressing issues related to safeguarding covered defense information and reporting cyber incidents.
  • Mobilize an interdisciplinary team (IT/Security, HR, Travel, Export Controls, Legal, etc.) to explore how a “Research Security Program” under NSPM-33 would work within the organization.

References

1 The OIG report defines an incident response plan as “a set of instructions or procedures to help IT personnel detect, respond to, and mitigate the effects of a malicious cyberattack.”