According to GAO testimony attached below, IT SUPPLY CHAIN: Additional Efforts Needed by National Security-Related Agencies to Address Risks, monitoring is crucial to securing the federal government’s IT supply chain. GAO explained that at three of the four national security-related agencies studied, “risks highlight the importance of national security-related agencies fully addressing supply chain security by defining measures and implementation procedures for supply chain protection and monitoring compliance with and the effectiveness of these measures.”
Specifically, GAO’s recommendations to the Departments of Energy, Justice and Homeland Security include: “develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures.”
The GAO recommendations were in light of their finding that “Reliance on a global supply chain introduces multiple risks to federal information systems and underscores the importance of threat assessments and mitigation.” Examples GAO provided of supply chain threats included: “installation of intentionally harmful hardware or software (i.e., containing “malicious logic”)” and “installation of counterfeit hardware or software.”
GAO determined that “Energy and Homeland Security had not yet defined supply chain protection measures for department information systems and are not in a position to develop implementing procedures and monitoring capabilities. Justice has defined supply chain protection measures but has not developed implementation procedures or monitoring capabilities.”
However, GAO also found that “the Department of Defense has made greater progress: it has defined supply chain protection measures and implementing procedures and initiated efforts to monitor compliance and effectiveness.”