For our audit of the U.S. Department of Commerce’s (the Department’s) Enterprise Continuous Diagnostics and Mitigation (ECDM) program, our objective was to assess the effectiveness of the program. To address this objective, we assessed data quality, data security, and aspects of program management in a recent ECDM tool procurement decision. We found that

I. ECDM data quality does not fully support Department oversight and reporting needs;
II. The National Institute of Standards and Technology does not consistently control and thoroughly test the ECDM program’s information system changes;
III. The ECDM program’s information system is relatively secure but has some internal security weaknesses;
IV. Deficiencies in ECDM program management place future enterprise cybersecurity tool deployments at risk; and
V. The Department does not fully incorporate bureau-incurred costs in its ECDM project cost tracking.
Date Issued
Submitting OIG
Department of Commerce OIG
Agencies Reviewed/Investigated
Department of Commerce
Report Number
OIG-25-006-A
Report Description
Report Type
Audit
Agency Wide
Yes
Number of Recommendations
7
Questioned Costs
$0
Funds for Better Use
$5,619,299
Report updated under NDAA 5274
No