The Ministry of Defence has met the cyber criteria it entrusts to its subcontractors when it comes to securing sensitive but unclassified information. But they are running on it.
A recent Government Accountability Office report published on May 19 highlights how the DOD has unevenly implemented certain requirements for its controlled unclassified information systems, direct controls to operational authorization systems.
“Our investigation of knowledge reported through DOD led us to think that DOD parties took steps to implement some cybersecurity requirements for CUI systems, but none fully complied,” the report said in January.
DOD’s systems with controlled unclassified information (CUI) met only 78 percent of the 110 security requirements that are part of its unified cybersecurity standard for contractors, the Cybersecurity Maturity Model Certification (CMMC) program, according to the report. To get certified, contractors would need to comply with all of those controls, which align with NIST SP 800-171.
The DOD is not required to comply with the CMMC standard, the report notes. However, the CIO has taken steps to address its parties' cybersecurity posture, issuing rules outlining the requirements for CUI systems with a March 2022 compliance deadline.