Watchdog finds just two DOJ agencies adhering to supply chain risk requirements

The DOJ’s Office of Inspector General carried out an audit of cyber-supply chain risk management compliance across the department.
The Department of Justice seal is seen on a lectern ahead of a press conference in Washington, DC on November 28, 2018. (Photo by MANDEL NGAN / AFP)

Only two agencies within the Department of Justice have followed supply chain risk requirements over the last six years, according to an agency watchdog.

In a report published Thursday, the DOJ’s Office of the Inspector General found that only the Bureau of Alcohol, Firearms and Tobacco (ATF) and the Drug Enforcement Agency were compliant with cyber-supply chain risk management (C-SCRM) guidelines intended to ensure IT purchases do not introduce vulnerabilities into government networks.

“We assessed C-SCRM compliance by several of the largest non-FBI DOJ components … [and] concluded that only ATF and the DEA were compliant with the JMD C-SCRM requirements, including submitting applicable IT purchases for a C-SCRM review,” the watchdog said.

The IG’s audit generally covered the DOJ’s supply chain management activities from October 2016 through January 2022.


Supply chain risk within federal agencies’ IT procurement processes has received enhanced scrutiny since the SolarWinds attack in 2020 during which software supply chains were used to breach cybersecurity defenses and steal information across government and the private sector.

At the Department of Justice, that cyber breach resulted in the exposure and presumed theft of unclassified information from approximately 3% of email accounts across the agency.

In its report, the DOJ IG found also that the Justice Management Division had just one individual tasked with overseeing its supply chain risk management program.

“Overall, JMD lacked the personnel resources necessary to effectively manage this critical program. JMD needs to provide communication, outreach, and training to Department components and develop procedures to periodically assess their efforts,” the IG added. “Without such efforts, C-SCRM controls could be bypassed and high-risk IT could be installed without JMD authorization or a risk mitigation plan.”

In May, the National Institute of Standards and Technology published updated guidance meant to help agencies and organizations protect against cyberthreats in the supply chain, a major focus of the Biden administration’s cybersecurity executive order last year.


The revised publication on cybersecurity supply chain risk management gives acquirers and users of software and other technologies key practices, processes and controls to consider as they look to protect against such threats that can emerge from that tangled web of global suppliers and manufacturers from which companies develop technology products.

Latest Podcasts