The Department of Defense's Office of the Inspector General released the results of an audit that sought to confirm contractors' capacity to secure controlled unclassified information on their respective systems and networks.
The audit confirmed a number of gaps in contractors' security capabilities, including password usage, mitigation of system vulnerabilities and multifactor authentication, DoD OIG said Tuesday.
DoD OIG found that the agency's contracting offices have not developed approaches that will help validate contractual requirements, send contractor notifications, mark CUI documents and confirm implementation of CUI security controls. In addition, the report confirmed that the Defense Threat Reduction Agency did not take prompt action to mitigate the leak of information from a DoD contracting office.
DoD OIG recommended the DTRA's director for contract policy and oversight to modify protocols in tracking DoD data-related security incidents. The inspection office also advises revision of security policies for DoD contracting offices as well as performance assessments on contractors.