U.S. GAO – Information and facts Technology: Federal Companies Require to Consider Urgent Motion to Take care of Offer Chain Hazards

What GAO Uncovered

Number of of the 23 civilian Main Fiscal Officers Act companies experienced executed 7 selected foundational methods for taking care of information and communications technologies (ICT) provide chain pitfalls. Source chain possibility management (SCRM) is the method of identifying, examining, and mitigating the hazards related with the international and distributed character of ICT merchandise and assistance provide chains. A lot of of the producing inputs for these ICT merchandise and providers originate from a selection of sources in the course of the earth. (See determine 1.)

Figure 1: Illustrations of Locations of Companies or Suppliers of Information and facts and Communications Technological know-how Goods and Solutions

Figure 1: Examples of Locations of Manufacturers or Suppliers of Information and Communications Technology Products and Services

None of the 23 organizations completely carried out all of the SCRM methods and 14 of the 23 companies had not executed any of the methods. The observe with the greatest level of implementation was applied by only 6 agencies. Conversely, none of the other procedures ended up carried out by much more than three companies. Furthermore, one particular observe had not been implemented by any of the organizations. (See determine 2.)

Figure 2: Extent to Which the 23 Civilian Chief Monetary Officers Act Agencies Applied Information and facts and Communications Engineering (ICT) Source Chain Threat Management (SCRM) Procedures


As a final result of these weaknesses, these agencies are at a greater threat that malicious actors could exploit vulnerabilities in the ICT offer chain triggering disruption to mission functions, damage to people, or theft of mental home. For example, without the need of developing government oversight of SCRM activities, organizations are minimal in their capacity to make risk selections throughout the group about how to most successfully protected their ICT product and provider provide chains. Also, businesses lack the capability to realize and regulate risk and minimize the likelihood that adverse activities will come about with out sensible visibility and traceability into source chains.

Officers from the 23 agencies cited many things that restricted their implementation of the foundational methods for running provide chain risks. The most normally cited component was the absence of federal SCRM steering. For example, several businesses noted that they had been waiting around for federal advice to be issued from the Federal Acquisition Protection Council—a cross-company team accountable for giving direction and guidance to government organizations to lower their supply chain risks—before applying one or much more of the foundational methods. According to Office environment of Management and Spending budget (OMB) officials, the council expects to total this exertion by December 2020.

While the extra route and steering from the council could more assist companies with the implementation of these methods, federal agencies at present have assistance to guide with handling their ICT supply chain challenges. Exclusively, the National Institute of Expectations and Technological know-how (NIST) issued ICT SCRM-unique guidance in 2015 and OMB has necessary companies to put into action ICT SCRM given that 2016. Till companies employ all of the foundational ICT SCRM procedures, they will be constrained in their ability to address offer chain challenges throughout their businesses proficiently.

Why GAO Did This Review

Federal organizations depend extensively on ICT products and companies (e.g., computing techniques, computer software, and networks) to have out their operations. Having said that, organizations encounter a lot of ICT supply chain pitfalls, including threats posed by counterfeiters who could exploit vulnerabilities in the source chain and, therefore, compromise the confidentiality, integrity, or availability of an organization’s systems and the information they comprise. For example, in September 2019, the Division of Homeland Security’s Cybersecurity and Infrastructure Protection Agency documented that federal businesses faced approximately 180 distinct ICT source chain-linked threats. To handle threats these types of as these, companies must make chance-based mostly ICT provide chain choices about how to protected their programs.

GAO was asked to carry out a critique of federal agencies’ ICT SCRM tactics. The distinct goal was to decide the extent to which federal agencies have carried out foundational ICT SCRM practices. To do so, GAO identified 7 procedures from NIST direction that are foundational for an business-extensive approach to ICT SCRM and compared them to guidelines, methods, and other documentation from the 23 civilian Main Economical Officers Act agencies.

This is a public edition of a sensitive report that GAO issued in October 2020. Details that agencies deemed sensitive was omitted and GAO substituted numeric identifiers that were being randomly assigned for the names of the agencies due to sensitivity worries.

The foundational procedures comprising ICT SCRM are:

setting up executive oversight of ICT pursuits, together with designating duty for main agency-broad SCRM functions

establishing an company-large ICT SCRM method for delivering the organizational context in which risk-primarily based decisions will be made

creating an tactic to establish and document company ICT supply chain(s)

creating a process to carry out company-large assessments of ICT supply chain hazards that recognize, aggregate, and prioritize ICT provide chain risks that are existing throughout the business

developing a approach to conduct a SCRM review of a possible supplier that might incorporate testimonials of the processes used by suppliers to style, acquire, take a look at, implement, verify, deliver, and help ICT products and solutions and solutions

developing organizational ICT SCRM prerequisites for suppliers to assure that suppliers are sufficiently addressing risks linked with ICT merchandise and services and

developing organizational techniques to detect counterfeit and compromised ICT solutions prior to their deployment.

GAO also interviewed applicable agency officers.

What GAO Endorses

In the delicate report, GAO manufactured a total of 145 suggestions to the 23 businesses to fully put into practice foundational tactics in their group-extensive methods to ICT SCRM. Of the 23 organizations, 17 agreed with all of the suggestions built to them two companies agreed with most, but not all of the recommendations one agency disagreed with all of the tips two companies neither agreed nor disagreed with the suggestions, but stated they would handle them and one particular agency had no comments. GAO carries on to consider that all of the tips are warranted, as reviewed in the delicate report.

For far more info, make contact with Carol C. Harris at (202) 512-4456 or [email protected].