
The negligence is pretty gross and pretty provable.

For example, the IT security administrator simply did not install the antivirus because a professor did not want it. The claim was that this wouldn't be a problem since the Georgia Tech network had security. This is a problem for 2 reasons. 1. The Georgia Tech network did not have the claimed security. 2. The laptops were allowed to be, and were, taken and used off the network.

Note that even the Georgia Tech response is not disputing the security facts. It’s simply stating that there wasn’t anything confidential about this because the government published the research. Which of course has no bearing on whether or not they lived up to their contractual security and confidentiality requirements.



Your example would be a failure on a DIBCAC high audit, if they sampled the professor's system. In a DIBCAC medium audit, the only thing they look at is your System Security Plan (SSP). The article sounds like it referred to a Basic self-assessment, because it was self-entered.

Self-assessments attest that the information provided is in good faith, that the SSP is developed, documented, and maintained, and that for identified missing or failing controls, plans of action and milestones (POA&Ms) are created.

> Note that even the Georgia Tech response is not disputing the security facts. It’s simply stating that there wasn’t anything confidential about this because the government published the research. Which of course has no bearing on whether or not they lived up to their contractual security and confidentiality requirements.

This is exactly what I was trying to explain. My apologies I failed. Compliance with NIST SP 800-171, as required under DFARS clause 252.204-7012, is primarily focused on systems that store, process, or transmit CUI. However, intermediary systems that could impact the security of those systems or the CUI they handle are also in scope.

Although contracts can call out additional things to be treated as CUI, I have never seen it. Too much paperwork on the Gov side, and it creates headaches for contractors.

And, this is where the rub comes in. Primary systems and resources no one argues about. The problem of scope comes in with intermediary systems, shared services and infrastructure, and boundary systems.

For example, if the CUI data is encrypted in transit, traveling through a private WAN managed by a third party, does the third party need to also comply? When remote government workers connect to a government site with their government-furnished equipment on public WiFi accessing CUI, where is the edge of that environment that is in scope for audit?

Again, if they were clearly negligent, let's pillory them. My conjecture is that this is low-hanging fruit to be vengeful. The rules and regs are so convoluted and out of order, there are entire industries (plural) just for getting to understand the requirements.

And, if we really want to get into a mess, I am going to be crude but mention the four-letter word - CMMC.


The government is unserious about this stuff in their own networks; this really sounds like somebody got a bee under their bonnet and is trying to make an example.

You need antivirus on security research laptops? How does that work exactly? I've worked .gov for decades and in many systems we don't put AV on them because we're working with things the AV will destroy while we work on them.

The facts will come out, GTRI has the money to fight this, and we'll see, but my general position when the gov starts talking about cyber security is they're probably full of shit.
