
The Department of the Interior (DOI) failed to properly classify and approve millions of dollars in IT purchases, according to a new report from the agency’s Office of Inspector General (OIG), warning that those mistakes could have costly cybersecurity consequences.
After reviewing 167 purchases totaling about $52 million, the OIG said in its Sept. 23 report that 98 of those purchases – nearly $40 million, or 77% of the total amount spent – were associated with IT-related purchase requests that were incorrectly classified as non-IT.
Because of the misclassification, those purchases didn’t receive the required IT approval within DOI’s Financial and Business Management System (FBMS), which processes purchases and transactions and ensures oversight to support strategic planning and cybersecurity compliance.
“DOI relies on IT to accomplish its mission, requiring extensive investments to both update existing IT investments and purchase new IT solutions,” said OIG officials. “Selecting the wrong classification in FBMS has an adverse and cascading effect on DOI’s IT acquisition and security. Because the purchases were misclassified, they were not routed as required for IT approval.”
“The wrong classification accordingly impedes the Office of the Chief Information Officer’s (OCIO’s) ability to accurately track IT purchases across DOI, which could result in DOI investing in redundant or unnecessary IT solutions and increase the risk of breaches and other vulnerabilities if IT purchases do not meet cybersecurity requirements,” continued the OIG.
Specifically, the DOI OIG found that IT purchases weren’t compliant with the Federal Information Technology Acquisition Reform Act (FITARA) and DOI policies and didn’t receive official approvals.
The report pointed to several reasons for the incorrect system identification, including a large number of codes, as well as a lack of training and guidance.
“This has resulted in a lack of awareness of DOI’s IT purchases as well as inaccurate tracking of IT spending at the OCIO [Office of the Chief Information Officer] level,” the OIG said.
“Allowing this issue to persist may also increase the risk of malicious software if IT purchases installed on DOI networks go unapproved and could potentially lead to duplicated IT solution purchases across DOI,” it continued.
OIG officials recommended that DOI update its IT-related user product code (UPC) list and develop a guide with examples of IT-related purchases tied to these codes. Other recommendations included training purchase request creators and approvers on how to correctly identify UPCs for IT purchases, and requiring all DOI bureaus and offices to establish a review process to examine and reclassify any purchase requests that may have been incorrectly categorized.
The DOI OCIO agreed with all recommendations and said it would aim to complete them by March 2026.