Audit of the Department's Cyber Supply Chain Risk Management Efforts

Date Issued

Thursday, July 7, 2022

Submitting OIG

Department of Justice OIG

Other Participating OIGs

Department of Justice OIG

Agencies Reviewed/Investigated

Department of Justice

Components

Other DOJ Components

Federal Bureau of Investigation

Report Number

22-087

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use	Additional Details
11	No	$0	$0	Status as of August 31, 2025
Ensure mitigation actions for ICT products, especially mission-critical ICT products or services, are descriptive, actionable, and tailored to the user environment and operational contexts (including its anonymity of procurement statement); and work with OCIO and the SCRM Unit to create and resource a continuous monitoring program that monitors C-SCRM risks across the FBI, ensures that users understand and follow C-SCRM mitigations identified in the product vulnerability and procurement risk assessments, and develops procedures to periodically monitor and assess user compliance with its C-SCRM mitigation actions.
6	No	$0	$0	Status as of August 31, 2025
Enhance its policies, procedures, training and communication, and/or internal controls for the requisition and government purchase card systems to better ensure that purchasing officials understand the C-SCRM requirements and so that applicable requisitions and purchase requests undergo C-SCRM procedures, as required; and develop policies, procedures, and/or internal controls to periodically monitor FBI compliance by identifying and remedying purchases that improperly bypassed the process.