OIG: DOJ Cyber Supply Chain Risk Management Program Lacking

DOJ’s Justice Management Division lacks staff to effectively manage its cyber supply chain risk management (C-SCRM) program, the Office of Inspector General reported Thursday. Lack of “personnel resources” resulted in “widespread noncompliance, outdated guidance, inadequate threat assessments, and insufficient mitigation and monitoring actions,” OIG said. The division needs to “provide communication, outreach, and training to Department components and develop procedures to periodically assess their efforts,” OIG concluded. The FBI’s C-SCRM program is “more modern,” but millions of dollars in IT goods might not have gotten proper inspection based on cyber requirements, OIG said. The office recommended the Drug Enforcement Administration develop its own C-SCRM program, as required by an intelligence community directive.