GAO calls on feds to better address supply chain risk
GAO calls on feds to better address supply chain risk

As federal agencies charged with national security or critical infrastructure protection grow their reliance on the global supply chain, they must do a better job of recognizing the risks that come along with it, said a new report from the U.S. Government Accountability Office (GAO).

The GAO, which performs audits, evaluations and investigations on behalf of Congress, examined four agencies whose duties relate to national security: the Energy, Homeland Security, Justice and Defense departments.

The report found that these agencies face five major risks when it comes to interacting with the global supply chain for the purchase of IT equipment, software and services, and they must ensure that these threats don't outweigh the benefits, which include cost and competitive advantage gains.

The report cited malware, bogus hardware or software, buggy hardware or software, service disruptions, and malicious or untrained personnel as the top five threats presented by globalization and outsourcing.

"These threats can have a range of impacts, including allowing attackers to take control of systems or decreasing the availability of critical materials needed to develop systems," the report said. "These vulnerabilities could be exploited by malicious actors, leading to the loss of the confidentiality, integrity or availability of federal systems and the information they contain."

Each agency reviewed received varying marks depending on its adherence to security management guidelines in the supply chain. The Departments of Energy and Homeland Security, in particular, were found to lag in defining supply chain protection measures for their information systems, and implementing procedures and monitoring capabilities.

"Until these agencies develop comprehensive policies, procedures and monitoring capabilities, increased risk exists that they will be vulnerable to IT supply chain threats," the report said.

The Department of Defense, on the other hand, was found to have made substantial progress in defining its supply chain protection measures, formalizing procedures and initiating steps to observe compliance and effectiveness.

Congress asked the GAO to identify the primary risks associated with the supply chains used by federal agencies to procure IT equipment, software and services. To achieve its mandate, the GAO analyzed federal acquisition and information security laws, regulations, standards and guidelines. Further, it investigated departmental policies and procedures, and interviewed officials from the four agencies.

The finding concludes with a number of recommendations. These include developing and documenting policies, procedures and monitoring capabilities that address IT supply chain risk, the report said.

The agencies now are working to implement the guidance.