Lee Lofthus, assistant attorney general for administration at Justice, detailed the results of an inquiry into security risks in its vendor pool. (Rick Kozak / Federal Times)
The Justice Department last year evaluated more than 1,000 contractors tied to acquisitions for its national security and enterprise IT systems, with the intent of weeding out risks for cyber espionage or sabotage.
The reviews uncovered seven IT procurements with vendors tied to “questionable foreign ownership, control or influence, criminal activities, financial, counterintelligence or counterterrorism,” Lee Lofthus, assistant attorney general for administration at Justice, said in a March 27 letter to a key lawmaker.
By law, NASA, Justice, Commerce and the National Science Foundation must submit reports to Congress describing assessments of cyber espionage or sabotage associated with acquisition of agency IT systems. This includes risks of acquiring hardware and software that are produced, manufactured or assembled by countries identified as potential cyber threats, such as China.
“Although the administration was not initially supportive of this effort to restrict purchases of questionable IT hardware, I appreciate that the department appears to be taking the new requirements seriously,” Rep. Frank Wolf, R-Va., said at a recent hearing.
The department is coordinating with the FBI to build out its risk assessment program.
“I believe this report demonstrates that the policy this committee directed was both necessary and constructive, and it will help bolster the department’s cybersecurity,” Wolf added.
Justice did not provide an immediate response on what IT procurements were canceled, but the department did pursue “alternative means to fulfill the desired IT capability,” Lofthus said in the letter.