Uncontrolled Information: DoD Audit Finds Contractor Lapses in Protecting Controlled Unclassified Information

Client Alert | 1 min read | 08.02.19

The Department of Defense Inspector General has released a much-anticipated audit report regarding the protection of Controlled Unclassified Information (CUI) on contractor networks. Begun last summer at the Defense Secretary’s request, the audits found that contractors are not consistently implementing cybersecurity standard NIST SP 800-171, despite being required to do so under DFARS 252.204-7012. The report calls particular attention to common shortcomings regarding multifactor authentication, strong passwords, vulnerability management, and removable media, among others.

The report recommends that DoD:

Verify that contractors are identifying, responding to, and reporting cyber incidents involving CUI;
Assess contractors’ ability to protect CUI as part of the solicitation process; and
Validate, at least annually, that contractors are complying with their contractual cybersecurity requirements.

These recommendations are consistent with recent DoD efforts to establish a “Cybersecurity Maturity Model Certification” that would require contractors to be certified compliant with contractually-specified cybersecurity requirements to be eligible for award.

Contacts

Evan D. Wolff
Partner
He/Him/His
- Washington, D.C.
  - D | +1.202.624.2615
ZXdvbGZmQGNyb3dlbGwuY29t
Maida Oringher Lerner
Senior Counsel
She/Her/Hers
- Washington, D.C.
  - D | +1.202.624.2596
bWxlcm5lckBjcm93ZWxsLmNvbQ==
Michael G. Gruden
Partner
- Washington, D.C.
  - D | +1.202.624.2545
bWdydWRlbkBjcm93ZWxsLmNvbQ==

Insights

Client Alert | 4 min read | 04.10.25

Hikma and Amici Curiae Ask Supreme Court to Revisit Induced Infringement by Generic “Skinny Labels”

In Amarin Pharma, Inc. v. Hikma Pharms. USA Inc., C.A. No. 20-1630 (D. Del.), brand manufacturer Amarin brought an induced infringement claim against Hikma’s generic icosapent ethyl product, which lists Amarin’s Vascepa® as the reference listed drug. Vascepa was originally approved by the U.S. Food and Drug Administration (“FDA”) to treat severe hypertriglyceridemia, and later, Amarin obtained patents and approval for Vascepa as a treatment to reduce cardiovascular risk in certain patient populations. Hikma’s Abbreviated New Drug Application (“ANDA”) for generic icosapent ethyl included a Section viii statement that Hikma was not seeking approval for the patented cardiovascular indication along with a “skinny label” that included only the indication for severe hypertriglyceridemia....

Client Alert | 1 min read | 04.09.25
DCAA Announces Reorganization Plans
Client Alert | 12 min read | 04.09.25
The Month in International Trade – March 2025
Client Alert | 4 min read | 04.07.25
From Capone to Corporations: Supreme Court Ruling on Civil RICO Claims Could Create Uptick in Personal Injury Lawsuits

View All Insights