Cybersecurity capabilities are now an expected part of every government contractor’s operation.  While standards may vary from agency to agency and may increase depending on the sensitivity of a given project, no company doing business with the government today should ignore the requirement to have at least basic cybersecurity practices in place.  Most cyber requirements flow from standards issued by the National Institute of Standards and Technology (NIST), specifically NIST SP 800-171.  While the government has extensive tools to audit contractor compliance with cyber requirements, the largest risk for most companies still comes from whistleblower cases brought under the federal False Claims Act.  As a recent article from Akin Gump states, “cybersecurity-centric False Claims Act (FCA) enforcement is becoming an increasing risk for government contractors and grantees, particularly since the DoJ Civil Cyber-Fraud Initiative was initiated in the fall of 2021.”  The Department of Defense Office of the Inspector General, however, recently issued a “special” audit report highlighting six specific NIST compliance requirements where contractors may want to give special emphasis.  Common sense issues such as using multi-factor identification or strong passwords, disabling inactive accounts, and scanning for malicious viruses are three areas.  The others are correcting network system vulnerabilities, ensuring physical security of technology assets, and generating regular systems and user activity reports.  While these may seem obvious to some companies, there is a reason why the DOD IG highlighted them:  Some companies don’t pay attention.  The six focus areas are intended to be a place for companies to start their cybersecurity compliance practices.  There are 14 total NIST SP 800-171 requirements, meaning that companies should check their contracts to ensure compliance in specific cases.  Make sure that your company makes cybersecurity compliance a top resolution for 2024.