OIG report is critical of information security at academic and research contractors

On February 22, 2022, the U.S. Department of Defense (DoD) Office of Inspector General (OIG) issued a report centered on ten academic and research institutions that develop military technologies. The OIG report focused on compliance with cybersecurity requirements under NIST Special Publication (SP) 800-171 and DoD’s lax oversight of research institutions’ adherence to cybersecurity protocols. Research security programs – including cybersecurity – are an increasing focus of government audit and enforcement activity.

Background

Institutions that conduct sensitive research on behalf of the military may be subject to Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which addresses contractor cybersecurity responsibilities for implementing NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and for reporting cyber incidents. NIST SP 800-171 provides information security requirements for safeguarding Controlled Unclassified Information (CUI) on non-Federal information systems and networks. The requirements specifically focus on user access, incident response, media protection, confidentiality of information, and vulnerability management, among other items. The 7012 clause requires DoD contractors that handle CUI to: (1) Safeguard covered defense information; (2) Report cyber incidents within 72 hours; (3) Isolate and submit malicious software to DoD; and (4) Facilitate damage assessment.

 

The OIG Report

The OIG report, “Audit of the Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors”, found that universities and research contractors did not consistently implement the necessary cybersecurity protocols to protect CUI stored on their networks from internal and external cyber threats.

The OIG report made eight findings on research contractor protocols used to store, process, and transmit CUI. Out of the ten contractors reviewed, the OIG specifically found that:

  • One failed to create an incident response plan; [1]
  • One failed to monitor network traffic and scan its network for viruses;
  • Two failed to implement physical security protocols (e.g., security guards, biometric readers, access card readers, and physical access control logs);
  • Two failed to encrypt workstation hard drives to safeguard CUI from unauthorized disclosure or access;
  • Three failed to identify and resolve system and network vulnerabilities in a timely fashion;
  • Four failed to deactivate user accounts after prolonged periods of inactivity;
  • Four failed to enforce the use of multifactor authentication or enforce the use of strong passwords to access their systems and networks; and
  • Five failed to use automatic controls to restrict the use of removable media to protect CUI stored on removable media.

The OIG cited DoD contracting officers (COs) for failure to confirm whether contractors complied with NIST SP 800-171’s cybersecurity requirements. Although Interim DFARS Rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, which was published at 85 Fed. Reg. 61505 (Sept. 29, 2020) (Interim Rule), requires DoD COs to verify contractor compliance with NIST 800-171, the Interim Rule only applies to new DoD contracts, delivery orders, and task orders awarded after November 30, 2020, or contracts amended after November 30, 2020, that extend the period of performance. The Interim Rule does not apply to the existing contracts that the OIG audited, but it established the NIST SP 800-171 DoD Assessment Methodology (NIST Assessment Methodology), which provides for the assessment of a contractor’s implementation of NIST SP 800-171 security requirements as required by DFARS clause 252.204-7012. The NIST Assessment Methodology has been formally implemented through DFARS clauses 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements and 252.204-7020, NIST SP 800-171 DoD Assessment Requirements (see our analysis of the NIST Assessment Methodology here). 

 

OIG Recommendations

In reaction to the findings listed above and the gap in oversight left by the Interim Rule, the OIG recommended that the Principal Director of Defense Pricing and Contracting (DPC) direct contracting officers to use their authority to evaluate contractor compliance with NIST SP 800-171 for contracts awarded prior to November 30, 2020.

DPC disagreed with the OIG’s recommendation, asserting that such activity would require additional rulemaking and negotiations. The OIG then clarified that COs already possessed requisite authority to require additional cybersecurity assessments as detailed in the NIST SP 800-171 DoD Assessment Methodology.

According to the OIG, the NIST Assessment Methodology allows DoD to assess contractor compliance if risk factors necessitate such an assessment. The OIG argues that the audit’s findings “support the need” for DoD to invoke its authority under the NIST Assessment Methodology.

The OIG also urged COs to verify that research institutions implement controls regarding:

  • Identifying and mitigating vulnerabilities in a timely manner;
  • Using multifactor authentication;
  • Developing plans of action and milestones;
  • Deactivating inactive user accounts;
  • Encrypting CUI;
  • Implementing physical security protocols throughout facilities that maintain CUI;
  • Implementing technical security controls to safeguard CUI stored on removable media; and
  • Creating, documenting, and testing incident response plans.

 

Observations and Suggestions

At a minimum, academic and research organizations that contract with the Federal government should be mindful of the information system security requirements of FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”, which applies to institutions that process, store, or transmit “Federal contract information” (defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”). 

Moreover, institutions that contract with DoD and that also process, store, or transmit CUI must meet the requirements of DFARS clauses 252.204-7012, 252.204-7019, and 252.204-7020, as explained above.

And given high-profile security incidents in recent years involving federally sponsored research, the Federal government continues to prioritize cybersecurity. For example, under National Security Presidential Memorandum 33 (NSPM-33), research organizations awarded in excess of $50 million per year in Federal research funding will soon need to certify to implementation of a research security program that includes cybersecurity protocols (see our analysis of the research security programs and NSPM-33 here). Moreover, the Department of Justice has announced a Civil Cyber-Fraud Initiative through which it will use the False Claims Act (FCA) to target cybersecurity-related fraud by government contractors and grant recipients (see our discussion of the Civil Cyber-Fraud Initiative here).

The current regulations, cyber initiatives, and OIG report make clear that research institutions must not only develop proper cybersecurity protocols, but actually use them.  Institutions may wish to consider the following actions:

  • Review agreements for cybersecurity requirements.
  • Insofar as organizations handle CUI, evaluate whether current cybersecurity policies and procedures comply with NIST SP 800-171’s requirements.
  • Develop, review, and update, as appropriate, system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
  • Periodically test cybersecurity controls to ensure they actually accomplish their intended goals.
  • Review and update training programs to ensure that employees are aware of cybersecurity best practices (e.g., creating strong passwords, using proper encryption).
  • Document and test cybersecurity incident response plans.
  • Acquaint information security teams with the following resources:
    • NIST Self-Assessment Handbook, regarding successful NIST cybersecurity protocols;
    • NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, providing federal and nonfederal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST SP 800-171;
    • NIST Assessment Methodology, documenting a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800-171; and
    • DoD Frequently Asked Questions, addressing questions related to Safeguarding Covered Defense Information and Cyber Incident Reporting.
  • Mobilize a cross-disciplinary team (IT/Security, Human Resources, travel, export control, legal, etc.) to explore how a “research security program” under NSPM-33 would function within the organization.

 

Next steps

Federal scrutiny of contractor cybersecurity compliance is surging.  Our team is guiding many research organizations as they develop and implement the requisite cybersecurity compliance programs and respond to cyber incidents. Please contact us at any point.

 

Authored by William Ferreira, Michael Scheimer, Stacy Hadeka, and Will Crawford.

 

References

[1] The OIG report defines an incident response plan as “a set of instructions or procedures to help information technology (IT) personnel detect, respond to, and limit the effects of a malicious cyberattack.”

 
