Watchdog: Justice Dept. Lags on Implementing Tech, Supply Chain Recommendations

The Justice Department's office of the inspector general has taken a tally of recommendations that have yet to be put in place by the agency in a report released Thursday, noting that 745 remain open as of Nov. 30. 

According to the report, 500 of the open recommendations were issued within the last 18 months, but up to 90 of them date back to more than three years ago

Among the open recommendations listed in the report are those seeking to address issues with the department's management of shared information technology costs through its central working capital fund and work on its cyber supply chain risk. 

The bulk of these recommendations are considered resolved, meaning that the Justice Department has agreed to implement the recommendation or proposed actions to address it. However, the OIG said it doesn't consider a recommendation closed until it has been fully implemented. 

The shared IT costs recommendations date back to a September 2022 audit of the Justice Management Division's use of its working capital fund. 

The audit found that while the fund can be used to provide the department's centralized services such as enterprisewide IT capabilities, a lack of policy outlining how to apply those services had caused confusion among DOJ component agencies "over the scope of their participation in WCF IT services and how JMD has assigned costs that are ultimately approved by the WCF Board of Directors." 

The OIG issued 11 recommendations, including reviewing cost allocation methodologies and improving decision documentations for transparency.   

According to Thursday's report, all 11 recommendations were deemed resolved, but remained open. 

Recommendations for a July 2022 audit of the Justice Department's cyber supply chain risk remained open as well, after the OIG found that the JMD "lacked the personnel resources to effectively manage" one of two programs — the other managed by the FBI — "resulting in widespread noncompliance, outdated C-SCRM guidance, inadequate threat assessments and insufficient mitigation and monitoring actions." 

The audit also found that while the FBI had worked to modernize its risk management program, FBI procurement officials often "improperly bypassed its C-SCRM program entirely, due in part to a misunderstanding or unawareness of the C-SCRM requirements,"

The audit offered 17 recommendations, with Thursday's report noting that all remained resolved, but open. 

The OIG did offer that some of the 745 recommendations listed in the report may now be closed and that "DOJ has provided updates for certain recommendations prior to the date of this report that are still under review."