Four major federal agencies need to take steps to develop procedures and policies to negate risks in the information technology supply chain, the General Accountability Office said in a new report.
Reliance on a global supply chain introduces multiple risks to federal information systems, the GAO said. These risks include threats posed by actors, such as foreign intelligence services or counterfeiters, who may exploit vulnerabilities in the supply chain and thus compromise the confidentiality, integrity, or availability of an end system and the information it contains. This, in turn, can adversely affect an agency’s ability to effectively carry out its mission.
Although the four national security-related departments—the Departments of Energy, Homeland Security, Justice and Defense—have acknowledged these threats, two of the departments—Energy and Homeland Security—have not yet defined supply chain protection measures for department information systems and are not in a position to have implementing procedures or monitoring capabilities to verify compliance with and effectiveness of any such measures.
GAO is recommending that the Departments of Energy, Homeland Security and Justice take steps, as needed, to develop and document policies, procedures and monitoring capabilities that address IT supply chain risk. These departments generally concurred with GAO’s recommendations.