
NeoSystems Corporation


3 Critical Cybersecurity Gaps Affecting GovCons

January 21, 2025 | BY: Megin Kennett

Government contractors handling Controlled Unclassified Information (CUI) for the Department of Defense must navigate complex compliance requirements. Central to these requirements is the Cybersecurity Maturity Model Certification (CMMC), which mandates conformance to NIST SP 800-171 and DFARS 252.204-7012. This framework encompasses 110 security requirements across 14 security domains, including Access Control, Audit and Accountability, Risk Assessment, Incident Response, and several others. 

Complying with these requirements is vital to safeguarding CUI from adversaries and protecting it from threats. From a business perspective, conformance with CMMC enables GovCons to establish eligibility for contract awards, welcome new opportunities, and safely and resiliently grow their organizations. As a defense contractor handling CUI, meeting these standards isn’t optional. 

Still, achieving compliance with complex cybersecurity requirements is often challenging for GovCons, so much so that the DoD investigated the common compliance issues found in its ongoing assessments and published them in a special report. Its key finding: critical cybersecurity gaps are leaving contractors exposed.

Based on DoD audit reports between 2018 and 2023, we explore the three most critical cybersecurity weaknesses and provide practical tips on how to address them. 

In this blog, we’ll share information related to:

  1. The top 3 cybersecurity weaknesses revealed by the report
  2. Their real-world impact on cybersecurity, compliance and your contracts
  3. Actionable steps you can take to mitigate your risk

Not Enforcing Strong Passwords and Multifactor Authentication

The Challenge

Contractors handling CUI must implement multifactor authentication (MFA) to comply with the “Identification and Authentication” requirements in NIST SP 800-171. MFA is essential to reducing the risk of a breach if passwords are compromised. NIST SP 800-171 also requires enforcing a minimum password length and complexity so bad actors can’t easily guess login credentials and breach the system.

Nevertheless, the DoD has found that many GovCons are not enforcing strong passwords and MFA. This issue could stem from numerous causes. For example, employees may not be aware of or underestimate the importance of MFA or password complexity. Some organizations may not have clear policies on implementing MFA or strong passwords, while others might not have the tools, systems, or staff to streamline compliance with these requirements. 

Closing the Gap 

Here are five ways to prevent these common pitfalls.  

  • Implement multifactor authentication utilizing an enterprise password manager with single sign-on that offers hardware tokens for all CUI system access. This extra layer of security is crucial for protecting sensitive data since it makes it significantly harder for adversaries to gain unauthorized access.
  • Establish clear policies and procedures that enforce consistent password policies across all users and systems. Think of these as your “house rules.” Instead of letting each person choose any password they want, you set up one system that ensures everyone creates strong passwords that are complex and long enough and get changed regularly. 
  • Deploy a continuous monitoring solution that tracks authentication policies across your environment to detect suspicious patterns and ensure compliance. Think of continuous monitoring like having a security camera system for your login activities, watching 24/7 for anything unusual – like someone trying to log in at odd hours or from strange locations. 
  • Require authentication verification at multiple security boundaries using secure, zero-trust architecture principles. This approach ensures that users must prove their identity at multiple checkpoints, not just at initial access. 
  • Regularly test and patch MFA systems to ensure they are working properly and maintain security effectiveness. 

Not Promptly Identifying and Mitigating Vulnerabilities 

The Challenge

NIST SP 800-171 requires organizations to scan for vulnerabilities in their networks, systems, and applications periodically and develop plans of actions and milestones if they are unable to mitigate the vulnerabilities in a timely manner. 

According to the Cybersecurity and Infrastructure Security Agency (CISA), malicious actors and hackers frequently take advantage of two main security weaknesses: remote code execution capabilities and SSL VPN credential exposure. To protect CUI, contractors must remain vigilant to identify and mitigate vulnerabilities that threat actors may seek to exploit. 

Closing the Gap

Fortunately, GovCons can partner with a reputable managed service provider like NeoSystems to implement secure and cost-effective solutions that enable conformance with these security requirements. Here are 4 essential steps to help close these cybersecurity gaps: 

  • Implement a vulnerability scanning program that combines weekly scans of critical systems with comprehensive quarterly assessments using diverse scanning tools. Document scan results to maintain a clear audit trail. 
  • Establish a patch management process that includes regular review of security bulletins, controlled testing environments for patching, and comprehensive documentation of all implementations. Include procedures for addressing critical vulnerabilities. 
  • Deploy continuous monitoring of systems that provide real-time visibility into network traffic, system logs, and security events. Determine and record secure baseline configurations and monitor for deviations. 
  • Establish, track, and test your Incident Response Capability. Define incident handling and reporting procedures and risk mitigation time frames. Train your Incident Response Team on the established protocols regularly.  

Not Generating and Reviewing Audit Logs

The Challenge  

NIST SP 800-171 requires organizations to generate audit records to allow for monitoring, analyzing, investigating, and reporting of unauthorized system activity. Recent assessments have shown that many contractors did not properly generate or review system and user activity reports. Without these activity logs, it’s challenging to identify when a malicious actor attempts to gain access or investigate what happened during an incident. 

Closing the Gap 

Working with a knowledgeable and qualified managed services provider to address these requirements can significantly offset audit-related costs by decreasing your internal team’s workload, optimizing monitoring processes, and ensuring an accelerated path to compliance. Here are key steps to address these common challenges: 

  • Determine the internal and external systems and locations where audit logs are needed to allow monitoring, investigating, and reporting of suspicious activity for all applicable systems. 
  • Define the required information and ensure that audit logs contain these details. 
  • Implement a continuous monitoring strategy and log management solution that creates and retains system audit logs and enables the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity. 
  • Create and retain policies and procedures for generating and retaining audit logs as well as addressing auditable events. Remember: if it’s not documented, it doesn’t count.
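As an added example (not NeoSystems code), the two checks below cover the audit-record completeness step listed above and the odd-hours or unusual-location login detection described under the MFA section, run over a few constructed key=value audit lines. The required-field set, the business-hours window and the expected-country list are assumptions chosen for illustration.

```python
# Added example (not NeoSystems code). Required fields, business hours and
# the expected-country list are assumptions chosen for illustration.
from datetime import datetime

# Minimum details each audit record must carry so an action can be traced
# to an individual user (assumed set; align it with your own policy).
REQUIRED_FIELDS = {"ts", "user", "src_ip", "country", "event", "outcome"}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 local time (assumed)
EXPECTED_COUNTRIES = {"US"}     # where staff normally log in from (assumed)

# Constructed sample records: a normal login, one at an odd hour, one from
# an unexpected country, and one missing the user and country fields.
SAMPLE_LOGS = [
    "ts=2025-01-21T09:15:00 user=alice src_ip=10.1.2.3 country=US event=login outcome=success",
    "ts=2025-01-21T03:40:00 user=bob src_ip=10.1.2.9 country=US event=login outcome=success",
    "ts=2025-01-21T11:05:00 user=carol src_ip=203.0.113.7 country=RU event=login outcome=failure",
    "ts=2025-01-21T12:00:00 src_ip=10.1.2.4 event=login outcome=success",
]

def parse(line):
    """Parse a key=value audit line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())

def missing_fields(rec):
    """Return the required fields this record lacks (empty set if complete)."""
    return REQUIRED_FIELDS - set(rec)

def flags(rec):
    """Return the anomaly tags a complete login record triggers."""
    if rec.get("event") != "login":
        return []
    out = []
    if datetime.fromisoformat(rec["ts"]).hour not in BUSINESS_HOURS:
        out.append("off_hours")
    if rec["country"] not in EXPECTED_COUNTRIES:
        out.append("unexpected_country")
    return out

def review(lines):
    """Map each line index to its finding: missing fields, or anomaly tags."""
    findings = {}
    for i, line in enumerate(lines):
        rec = parse(line)
        missing = missing_fields(rec)
        if missing:
            findings[i] = {"incomplete": sorted(missing)}
        else:
            tags = flags(rec)
            if tags:
                findings[i] = {"anomalies": tags}
    return findings
```

Records that fail the completeness check are reported as incomplete rather than scored for anomalies, since a record that cannot be tied to a user is itself an audit finding.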

The Path to Compliance  

Closing these common compliance and cybersecurity gaps demands technical expertise, systematic implementation, and leadership buy-in with top executives fully committed to the mission. Organizations that successfully navigate these requirements typically combine strong internal governance with highly specialized cybersecurity support. 

The path to compliance requires: 

  • Systematic gap assessment and ongoing remediation 
  • Continuous monitoring and improvement 
  • Security hardening with regular validation of security controls 
  • Documented evidence of compliance 

While your internal IT team can manage aspects of compliance, most organizations benefit from outsourcing specialized expertise in DFARS and NIST SP 800-171.

Consider partnering with a qualified external service provider who can demonstrate: 

  • Proven experience navigating defense contractor conformance with DFARS 252.204-7012 and NIST SP 800-171
  • Technical capability in implementing the 110 NIST controls 
  • Cybersecurity Maturity Model Certification (CMMC) Level 2 certification or higher 
  • A Customer Responsibility Matrix that clearly addresses how each assessment objective is met and who is responsible for each shared service 
  • Track record of successful NIST 800-171 implementations with ongoing compliance program management 

Why Trust Us 

With over two decades of experience supporting government contractors, NeoSystems specializes in helping organizations achieve and maintain compliance with cybersecurity regulations. Our expertise spans DFARS, NIST SP 800-171, and CMMC, providing partners with practical, efficient paths to compliance. 

Elevate Your Cybersecurity Posture With NeoSystems 

Closing cybersecurity gaps to meet regulatory requirements within a given timeframe is complex and challenging for organizations of any size. As a leader in providing comprehensive managed solutions for the GovCon community for over 20 years, NeoSystems understands the challenges the Defense Industrial Base faces. We have the expertise and experience to address these challenges with an accelerated, affordable, and low-risk path to CMMC compliance. 

Contact our team today to elevate your cybersecurity posture and achieve greater peace of mind.  


The investment in proper implementation ultimately protects both organizational assets and contract eligibility. For more information on CMMC compliance requirements, visit the DoD CIO’s Cybersecurity Maturity Model Certification (CMMC) website.
