suppliers, vendors, or partners. Such attacks can lead to devastating consequences, including data breaches, supply chain disruptions, intellectual property theft, and potential harm to end-users. To help the Department better confront the challenge presented by cyber supply chain risks, the Office of the Inspector General (OIG) released an audit report in July 2022 that found, among other things, that the Justice Management Division (JMD) lacked the personnel resources needed for an effective cyber supply chain risk management (C-SCRM) program, as well as widespread non-compliance with C-SCRM requirements, outdated C-SCRM guidance, inadequate threat assessments, and insufficient mitigation and monitoring actions. The OIG also found that Federal Bureau of Investigation (FBI) procurement officials often improperly bypassed the FBI’s C-SCRM program due, in part, to misunderstanding or unawareness of C-SCRM requirements. As of August 31, 2023, 15 of the 17 recommendations made by the OIG to assist the Department in managing cyber supply chain risks remained open. Addressing the open recommendations will help JMD and the FBI enhance risk mitigation and monitoring across all DOJ components.
Safeguarding Data and Information Systems
An important part of cybersecurity is ensuring that data and information systems are secured and protected. The Department has a responsibility to appropriately safeguard its data and information systems. The importance of data security was illustrated in February 2023, when the U.S. Marshals Service suffered a major security breach. Hackers broke into and stole data from a computer system that included law enforcement sensitive information such as information related to “ongoing investigations, employee personal data, and internal processes” as well as “sensitive files, including information about investigative targets.” The Department responded to this incident by conducting an inventory of all components’ systems with the goal of ensuring that all were properly approved and in compliance, or could be brought into compliance, with DOJ requirements. DOJ’s response is ongoing.

Pursuant to the Federal Information Security Modernization Act (FISMA), the OIG regularly tests the effectiveness of Department components’ information security policies, procedures, and practices and the security of their systems. These audits identify weaknesses in controls that may need to be strengthened to ensure systems and data are adequately protected. In FY 2022, the OIG assessed many different component-specific information systems, specifically those belonging to the Environment and Natural Resources Division, Office of Justice Programs, Federal Bureau of Prisons, Civil Division, FBI, and JMD. A majority of the FY 2022 FISMA audits led to at least one recommendation designed to strengthen component-specific information systems. As a member of the law enforcement and intelligence community, and as custodian of highly sensitive law enforcement and national security information, it is imperative that the Department ensure its systems are secure. An aspect of doing so is giving high priority to
National Institute of Standards and Technology (NIST) Critical Success Factor: Supply Chain Information Sharing
NIST states that an effective information-sharing process helps to ensure enterprises can gain access to information critical to understanding and mitigating cybersecurity risk in the supply chain, and can also share relevant information with others that may benefit from or require awareness of these risks. NIST’s key practices for establishing and participating in supply chain risk information sharing relationships include:
• establishing information-sharing goals and objectives, specifying the scope of information sharing, and establishing information-sharing rules;
• using secure, automated workflows to publish, consume, analyze, and act upon supply chain risk information;
• participating in information-sharing efforts; and
• proactively establishing supply chain risk information-sharing agreements.