In order to carry out their operations, federal agencies often rely on IT components manufactured overseas. But, a new report from the Government Accountability Office (GAO) warns that this growing dependence on a global IT supply chain introduces multiple risks to sensitive federal information systems.
For example, the report says federal agencies are vulnerable to:
- Installation of malicious logic on hardware or software
- Installation of counterfeit hardware or software
- Failure or disruption in the production or distribution of a critical product or service
- Reliance upon a malicious or unqualified service-provider for the performance of technical services
- Installation of unintentional vulnerabilities on hardware or software
Although four US national security-related departments—the Departments of Energy, Homeland Security, Justice and Defense—have acknowledged these threats, responses so far have been spotty.
Two of the departments—Energy and Homeland Security— have not even taken critical first steps to mitigate risks, such as identifying supply chain protection measures for department information systems. Justice has made some initial progress, but it has not developed procedures for implementing or monitoring compliance with and effectiveness of any such measures, according to the report.
By contrast, the GAO says the Department of Defense has made greater progress through its incremental approach to supply chain risk management. The department has defined supply chain protection measures and procedures for implementing and monitoring these measures.
Still, officials at the four departments stated that their respective agencies have not determined or tracked the extent to which their telecommunications networks contain foreign-developed equipment, software, or services. Federal agencies are not required to track this information, and officials from four components of the US national security community believe that doing so would provide minimal security value relative to cost. (The four national security-related departments do participate in government-wide efforts to address supply chain security, including the development of technical and policy tools and collaboration with the intelligence community.)
GAO recommends the Departments of Energy, Homeland Security and Justice take steps, as needed, to develop and document policies, procedures and monitoring capabilities that address IT supply chain risk. According to the report, these departments generally concurred with GAO’s recommendations.
“Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related agencies will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks,” the report concludes.
The full report, which includes detailed recommendations for executive action, is available here.