Only two of the Justice Department’s (DoJ) larger component organizations have been following cyber supply chain risk management requirements over the past six years, according to a new DoJ Office of Inspector General (OIG) report published this week.
The report found that only the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) and the Drug Enforcement Administration (DEA) were in compliance with the Cyber Supply Chain Risk Management (C-SCRM) rules.
C-SCRM was implemented by DoJ as an “organizational supply chain risk management program that identifies, assesses, mitigates, and responds to supply chain risk throughout the information technology (IT) lifecycle,” the OIG report says.
“We assessed C-SCRM compliance by several of the largest non-FBI DOJ components,” the OIG said. “We concluded that only ATF and the DEA were compliant with the … requirements, including submitting applicable IT purchases for a C-SCRM review.”
The report also explains that the Justice Management Division (JMD) has been lacking in resources needed to manage the C-SCRM program, which has resulted “in widespread noncompliance, outdated (C-SCRM) guidance, inadequate threat assessments, and insufficient mitigation and monitoring actions.”
Those kinds of weaknesses could result in the deployment of products and services that could harm DoJ’s IT environment and compromise supply chain security, OIG said.
The report features 17 different recommendations, including:
- JMD should coordinate with other department components that are subject to C-SCRM requirements and whose compliance statuses are unknown, to ensure they maintain or develop the procedures and controls necessary to comply with the requirements;
- The Federal Bureau of Investigation (FBI) needs to improve procurement risk assessment for mission-critical ICT products by incorporating necessary information from vendor threat and product vulnerability assessments;
- FBI needs to designate a senior official from the Office of the CIO as its representative to participate in the Supply Chain and Counterintelligence Risk Management Task Force.