Contractors fail to secure sensitive DOD information

The Defense Department's unclassified information housed in contractor networks has not been adequately secured from cyberthreats, according to a new report from the department's inspector general.

After reviewing how DOD information is protected on contractor's networks and systems, the watchdog agency found that contractors failed to use multifactor authentication, enforce strong password use, identify and mitigate vulnerabilities or document and track cybersecurity incidents. Administrators also improperly assigned access privileges that did not align with users' responsibilities, the report stated.

According to the IG, the department "does not know the amount of DOD information managed by contractors and cannot determine whether contractors are protecting unclassified DOD information from unauthorized disclosure."

Moreover, the report cited a specific incident in which neither the Defense Threat Reduction Agency nor the contractor involved appropriately addressed the "spillage of classified information to unclassified cloud, internal contractor network and webmail environments…. As a result, classified information remained unprotected on the commercial cloud and the webmail server for almost two years."

The IG issued 25 recommendations, including raising the password character minimum to 15 and locking accounts for inactivity after 15 minutes. The principal deputy CIO disagreed with those specific recommendations, and the IG has asked for more input on implementing the measures.

The report coincides with two recent reports from the Government Accountability Office. One recommended that federal agencies bolster their cyber risk management and that the Department of Homeland Security take the lead in establishing guidance. The other said the Office of Management and Budget should conduct more CyberStat reviews with agencies.

This article was first posted to FCW, a sibling site to Defense Systems.