Most large federal agencies have not implemented supply chain risk management (SCRM) practices that the National Institute of Standards and Technology (NIST) recommends, according to a new Government Accountability Office report released Tuesday.
The report examines whether 23 civilian Chief Financial Officers Act agencies have implemented seven foundational SCRM practices, ranging from establishing an agencywide information and communications technology (ICT) SCRM policy to setting SCRM requirements for potential suppliers.
Six agencies have established a process to conduct an SCRM review of a potential supplier, the highest adoption rate of any of the seven practices. On the flip side, none of the agencies has established a process to conduct an agencywide assessment of its ICT supply chain risks, and 14 agencies had not established any of the seven practices.
“As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property,” the report reads.
Agency officials attributed the limited implementation to a lack of federal SCRM guidance, particularly from the Federal Acquisition Security Council. Guidance does exist, however: NIST issued ICT SCRM-specific guidance (SP 800-161) in 2015, and the Office of Management and Budget has required agencies to implement ICT SCRM since its 2016 revision of Circular A-130.
The report is especially relevant after the revelation earlier this week that multiple agencies had been breached through a trojanized update to SolarWinds' Orion IT management software, a supply chain compromise of exactly the kind the report warns about. The report notes that supply chains are being targeted by "increasingly sophisticated and well-funded threat actors" from countries including Russia, China, Iran, and North Korea.
“Attacks by such entities are often especially sophisticated and difficult to detect. In addition, threat actors attack all tiers of the supply chain and at each phase of the system development life cycle and, thus, pose significant risk to federal agencies,” the report reads.
While the public report came out Tuesday, GAO released a sensitive version of the report in October and made 145 recommendations to the agencies. Of the 23 agencies, 17 agreed with all of the recommendations. Several agencies neither concurred nor dissented, and one disagreed with all of the recommendations.