Supply Chain Council of European Union | Scceu.org

Agencies Vulnerable to Tech Supply Chain Risks, Says GAO

Federal agencies need to pay more attention to risks in the supply chain for the information and communications technology (ICT) that is crucial to their operations, GAO has said.

Many of those products and services “originate from a variety of sources throughout the world,” GAO said, giving as examples cloud computing services hosted in countries ranging from the Netherlands to South Africa to Singapore, and suppliers of computer chips ranging from the Czech Republic to Malta to Vietnam.

Potential threats include those “posed by counterfeiters who may exploit vulnerabilities in the supply chain and, thus, compromise the confidentiality, integrity, or availability of an organization’s systems and the information they contain,” it said in the publicly released version of a sensitive report it issued in October.

GAO said that of the two dozen largest departments and agencies, none had carried out all of seven basic risk-management processes in that area and 14 had carried out none of the seven. Those practices involve executive oversight, agency-wide strategy, identifying and documenting current and potential suppliers, assessments of risks, and steps to detect counterfeit or compromised products prior to deployment.

“As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property,” it said. “Moreover, agencies lack the ability to understand and manage risk and reduce the likelihood that adverse events will occur without reasonable visibility and traceability into supply chains.”

Several agencies told GAO that they were waiting for federal guidance to be issued from the Federal Acquisition Security Council on supply chain risk management, but GAO said that they could be taking actions under existing guidance from OMB and the National Institute of Standards and Technology.
