Audit finds DOD agencies failed to check contractor cybersecurity

摘要

A new Defense Department inspector general audit has found DOD agencies routinely failed to check whether defense contractors were protecting sensitive information on their networks with the required security controls. The July 23 redacted report, "Audit of Protection of DOD Controlled Unclassified Information on Contractor-Owned Networks and Systems," shows DOD contractors did not consistently implement security requirements like multifactor authentication, while the military services and defense agencies didn't have processes to verify whether the companies were using the cybersecurity controls. The audit was requested by former Defense Secretary Jim Mattis after the reported breach of a Navy contractor by Chinese operatives resulted in the theft of unclassified but sensitive data related to advanced submarine warfare capabilities.