DOD isn't meeting some of the cybersecurity standards it set for contractors

A recent Government Accountability Office report highlighted that the Defense Department wasn't meeting all of the requirements it sets for contractors when it comes to protecting sensitive, unclassified information.

The Defense Department has been inconsistent in meeting the cyber standards it holds contractors to when it comes to securing sensitive but unclassified information. But they're working on it. 

A recent Government Accountability Office report, released on May 19, highlights how DOD inconsistently implemented certain requirements for its controlled unclassified information systems, from specific security controls to authorizing systems to operate. 

"Our analysis of DOD-reported data determined that DOD components have taken actions to implement selected cybersecurity requirements for CUI systems, but none were fully compliant," as of January, the report states. 

DOD's systems with controlled unclassified information (CUI) only complied with 78% of the 110 security requirements that are part of its unified cybersecurity standard for contractors, the Cybersecurity Maturity Model Certification program, according to the report. To be certified, contractors would have to meet all of those controls, which align with the NIST SP 800-171 standards. 

DOD is not required to meet the CMMC standard, the report notes, but the chief information officer has taken steps to ensure components are improving their cybersecurity posture, issuing guidance that outlined requirements for CUI systems with a March 2022 deadline for compliance. 

The GAO reported that about 80% of the department's CUI systems met those requirements as of February 2022. The report did not include any recommendations for DOD officials.