2024-2025 Global AI Trends Guide
On February 22, 2022, the U.S. Department of Defense (DoD) Office of Inspector General (OIG) issued a report centered on ten academic and research institutions that develop military technologies. The OIG report focused on compliance with cybersecurity requirements under NIST Special Publication (SP) 800-171 and DoD’s lax oversight of research institutions’ adherence to cybersecurity protocols. Research security programs – including cybersecurity – are an increasing focus of government audit and enforcement activity.
Institutions that conduct sensitive research on behalf of the military may be subject to Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, which addresses contractor cybersecurity responsibilities for implementing NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and for reporting cyber incidents. NIST SP 800-171 provides information security requirements for safeguarding Controlled Unclassified Information (CUI) on non-Federal information systems and networks. The requirements specifically focus on user access, incident response, media protection, confidentiality of information, and vulnerability management, among other items. The 7012 clause requires DoD contractors that handle CUI to: (1) Safeguard covered defense information; (2) Report cyber incidents within 72 hours; (3) Isolate and submit malicious software to DoD; and (4) Facilitate damage assessment.
The OIG report, “Audit of the Protection of Military Research Information and Technologies Developed by Department of Defense Academic and Research Contractors”, found that universities and research contractors omitted to consistently implement the necessary cybersecurity protocols to protect CUI stored on their networks from internal and external cyber threats.
The OIG report made eight findings on research contractor protocols used to store, process, and transmit CUI. Out of the ten contractors reviewed, the OIG specifically found that:
The OIG cited DoD contracting officers (COs) for failure to confirm whether contractors complied with NIST SP 800-171’s cybersecurity requirements. Although Interim DFARS Rule 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, which was published at 85 Fed. Reg. 61505 (Sept. 29, 2020) (Interim Rule), requires DoD COs to verify contractor compliance with NIST 800-171, the Interim Rule only applies to new DoD contracts, delivery orders, and task orders awarded after November 30, 2020, or contracts amended after November 30, 2020, that extend the period of performance. The Interim Rule does not apply to the existing contracts that the OIG audited, but it established the NIST SP 800-171 DoD Assessment Methodology (NIST Assessment Methodology), which provides for the assessment of a contractor’s implementation of NIST SP 800-171 security requirements as required by DFARS clause 252.204-7012. The NIST Assessment Methodology has been formally implemented through DFARS clauses 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements and 252.204-7020, NIST SP 800-171 DoD Assessment Requirements (see our analysis of the NIST Assessment Methodology here).
In reaction to the findings listed above and the gap in oversight left by the Interim Rule, the OIG recommended that the Principal Director of Defense Pricing and Contracting (DPC) direct contracting officers to use their authority to evaluate contractor compliance with NIST SP 800-171 for contracts awarded prior to November 30, 2020.
DPC disagreed with the OIG’s recommendation, asserting that such activity would require additional rulemaking and negotiations. The OIG then clarified that COs already possessed requisite authority to require additional cybersecurity assessments as detailed in the NIST SP 800-171 DoD Assessment Methodology.
According to the OIG, the NIST Assessment Methodology allows DoD to assess contractor compliance if risk factors necessitate such an assessment. The OIG argues that the audit’s findings “support the need” for DoD to invoke its authority under the NIST Assessment Methodology.
The OIG also urged COs to verify that research institutions implement controls regarding:
At a minimum, academic and research organizations that contract with the Federal government should be mindful of the information system security requirements of FAR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems”, which applies to institutions that process, store, or transmit “Federal contract information” (defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”).
Moreover, institutions that contract with DoD and that also process, store, or transmit CUI must meet the requirements of DFARS clauses 252.204-7012, 252.204-7019, and 252.204-7020, as explained above.
And given high profile security incidents in recent years involving federally sponsored research, the Federal government continues to prioritize cybersecurity. For example, under National Security Presidential Memorandum 33 (NSPM-33), research organizations awarded in excess of $50 million per year in Federal research funding will soon need to certify to implementation of a research security program that includes cybersecurity protocols (see our analysis of the research security programs and NSPM-33 here). Moreover, the Department of Justice has announced a Civil Cyber-Fraud Initiative through which it will use the False Claims Act (FCA) to target cybersecurity related fraud by government contractors and grant recipients (see our discussion of the Civil Cyber-Fraud Initiative here).
The current regulations, cyber initiatives, and OIG report make clear that research institutions must not only develop proper cybersecurity protocols, but actually use them. Institutions may wish to consider the following actions:
Federal scrutiny of contractor cybersecurity compliance is surging. Our team is guiding many research organizations as they develop and implement the requisite cybersecurity compliance programs and respond to cyber incidents. Please contact us at any point.
Authored by William Ferreira, Michael Scheimer, Stacy Hadeka, and Will Crawford.
1 The OIG report defines an incident response plan as “a set of instructions or procedures to help information technology (IT) personnel detect, respond to, and limit the effects of a malicious cyberattack.”