Management Advisory: The National Information Assurance Partnership’s Evaluation and Certification Process for Commercial Off-the-Shelf Products

Date Issued

Tuesday, September 23, 2025

Submitting OIG

Department of War OIG

Agencies Reviewed/Investigated

Department of War

Report Number

DODIG-2025-165

Report Type

Audit

Agency Wide

Yes

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 2 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
D-2025-0165-D000CU-0001-0001.b	No	$0	$0
(U) Rec. 1.b: The DoD OIG recommended that the National Information Assurance Partnership Director, in coordination with the National Security Agency Cybersecurity Director revise the National Information Assurance Partnership Product Compliant List website to include, at a minimum: the core features for each product, the full name of the protection profiles for each product, a list of features of each product that have been tested and certified for use on National Security Systems, and a list of features of each product that have not been tested and not certified for use on National Security Systems.
D-2025-0165-D000CU-0001-0001.c	No	$0	$0
(U) Rec. 1.c: The DoD OIG recommended that the National Information Assurance Partnership Director, in coordination with the National Security Agency Cybersecurity Director immediately remove Ivanti Policy Secure and Ivanti Connect Secure from the Product Compliant List.