Management Advisory: The National Information Assurance Partnership’s Evaluation and Certification Process for Commercial Off-the-Shelf Products (Report No. DODIG-2025-165)

Management Advisory: The National Information Assurance Partnership's Evaluation and Certification Process for Commercial Off-the-Shelf Products (Report No. DODIG-2025-165)

Audit

The purpose of this management advisory is to inform responsible DoD officials of concerns identified during the DoD Office of Inspector General's "Audit of the DoD's Actions to Mitigate Ivanti Connect Secure and Ivanti Policy Secure Vulnerabilities," announced on March 11, 2024. These concerns relate to the National Information Assurance Partnership's process for evaluating and certifying commercial off-the-shelf products.

We prepared this advisory in accordance with generally accepted government auditing standards except for the requirement to include a detailed methodology, which we omitted for conciseness. Those standards require that we plan and perform the project to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our project objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our project objective. Further details about the methodology are available on request.

Related Documents