Management Advisory: The National Information Assurance Partnership’s Evaluation and Certification Process for Commercial Off-the-Shelf Products

View Report

Date Issued

Tuesday, September 23, 2025

Submitting OIG

Department of Defense OIG

Agencies Reviewed/Investigated

Department of Defense

Report Number

DODIG-2025-165

Report Type

Audit

Agency Wide

Yes

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
D-2025-0165-D000CU-0001-0001.a1	No	$0	$0
(U) Rec. 1.a.1: The DoD OIG recommended that the National Information Assurance Partnership Director, in coordination with the National Security Agency Cybersecurity Director, revise the product evaluation process to require National Information Assurance Partnership officials to conduct a search of public records for any vulnerabilities disclosed after the Common Criteria Testing Laboratory's last vulnerability search and, if a new vulnerability is discovered, return the product to the Common Criteria Testing Laboratory for additional testing before certifying a product for inclusion on the Product Compliant List.
D-2025-0165-D000CU-0001-0001.a2	No	$0	$0
(U) Rec. 1.a.2: The DoD OIG recommended that the National Information Assurance Partnership Director, in coordination with the National Security Agency Cybersecurity Director, revise the product evaluation process to require National Information Assurance Partnership officials to conduct a review of statutes, executive orders, and other directives applicable to National Security System owners, including National Security Agency directives, to determine whether the product has been prohibited from use before certifying a product for inclusion on the Product Compliant List.
D-2025-0165-D000CU-0001-0001.b	No	$0	$0
(U) Rec. 1.b: The DoD OIG recommended that the National Information Assurance Partnership Director, in coordination with the National Security Agency Cybersecurity Director revise the National Information Assurance Partnership Product Compliant List website to include, at a minimum: the core features for each product, the full name of the protection profiles for each product, a list of features of each product that have been tested and certified for use on National Security Systems, and a list of features of each product that have not been tested and not certified for use on National Security Systems.
D-2025-0165-D000CU-0001-0001.c	No	$0	$0
(U) Rec. 1.c: The DoD OIG recommended that the National Information Assurance Partnership Director, in coordination with the National Security Agency Cybersecurity Director immediately remove Ivanti Policy Secure and Ivanti Connect Secure from the Product Compliant List.
D-2025-0165-D000CU-0001-0001.d2	No	$0	$0
(U) Rec. 1.d.2: The DoD OIG recommended that the National Information Assurance Partnership Director, in coordination with the National Security Agency Cybersecurity Director develop and implement policy and procedures to require National Information Assurance Partnership officials to disclose that a product has been suspended or removed, including the reason for the suspension or removal, on the Product Compliant List website.