The Government Accounting Office (GAO) said that of 23 federal agencies it audited for a new report only a handful have implemented seven “foundational” practices for managing security risks in their supply chain.
Release of the government watchdog’s report, fittingly entitled Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks, is remarkably timely in its proximity to the recently disclosed cyber espionage attack on government agencies, critical infrastructure and industry worldwide in which hackers exploited SolarWinds’ supply chain. Russian-backed operatives are thought to have perpetrated the attacks.
Best practices the GAO identified include:
- Establishing executive oversight of supply chain management activities, including designating responsibility for leading agency-wide activities.
- Developing an agency-wide supply chain management strategy for providing the organizational context in which risk-based decisions will be made.
- Establishing an approach to identify and document agency supply chains.
- Establishing a process to conduct agency-wide assessments of supply chain risks present across the organization.
- Establishing a process to conduct a supply chain management review of a potential supplier.
- Developing organizational supply chain management requirements for suppliers to ensure that suppliers are adequately addressing risks associated with technology products and services.
- Developing organizational procedures to detect counterfeit and compromised technology products prior to their deployment.
Among agencies the GAO reviewed, none had fully implemented all of the practices and 14 had not implemented any. One practice had not been implemented by any of the agencies. The GAO did not identify any of the 23 agencies audited in its report.
“Supply chains are being targeted by increasingly sophisticated threat actors, including foreign cyber threat nations such as Russia, China, Iran and North Korea,” the report states. “Attacks by such entities are often especially sophisticated and difficult to detect,” the report said. “As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property.”
The GAO’s report, which was completed in October, was not made public until last week. Agency officials pointed to a number of factors that impeded adopting the practices, including some who said they were waiting for the cross-agency Federal Acquisition Security Council to issue direction and guidance on reducing supply chain risk. According to the Office of Management and Budget, the council expects to complete the task by December 2020.
Federal guidance notwithstanding, the GAO pushed back on the agencies’ failure to follow through with the practices, citing supply chain instruction the National Institute of Standards and Technology issued in 2015. OMB has required agencies to implement supply chain management practices since 2016.
“Until agencies implement all of the foundational practices, they will be limited in their ability to address supply chain risks across their organizations effectively,” the report said. “As a result, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain. Securing the supply chain and the information it contains is essential to protecting key agency mission operations, including those related to energy, economic, transportation, communications, and financial services.”
