Federal agencies rely on information and communications technology (ICT) products and services from around the world to carry out their operations. The global supply chain for this technology faces threats, including from intelligence services and others who may seek to steal intellectual property or compromise the integrity of the systems.
Many of the manufacturing inputs for these ICT products and services—whether physical materials or knowledge—originate from a variety of sources throughout the world. As a result, the federal government has also increased its reliance on complex, interconnected, and globally distributed supply chains that can include multiple tiers of outsourcing.
Dependence on the global supply chain can significantly limit federal agencies’ visibility into, understanding of, and control over how the technology they acquire is developed, distributed, and deployed.
Typically, a federal agency will only know about the participants directly connected to it in the supply chain. For example, a program office at a federal agency may rely on a prime contractor to acquire, develop, and maintain an information system. In turn, the prime contractor may obtain the equipment, software, and services that constitute the system through various means, including the reuse of existing equipment or legacy software; outsourcing of system development to an additional supplier; development of the capability in-house; or acquisition of the capability directly from a supplier or commercial off-the-shelf vendor, or through open source means.
A Government Accountability Office (GAO) review has identified seven practices for providing an agency-wide approach to managing supply chain risks, such as reviewing potential suppliers. But the watchdog says few agencies implement these practices.
GAO looked at 23 civilian Chief Financial Officers Act agencies to study their supply chain risk management (SCRM) – the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains. None of the 23 agencies fully implemented all of the SCRM practices, and 14 of the 23 agencies had not implemented any of the practices. The practice with the highest rate of implementation (establish a process to conduct an SCRM review of a potential supplier) was implemented by only six agencies. By comparison, none of the other practices were implemented by more than three agencies. Moreover, one practice (establish a process to conduct agency-wide assessments of ICT supply chain risks) had not been implemented by any of the agencies.
As a result of these weaknesses, GAO says these agencies are at greater risk from malicious actors who could exploit vulnerabilities in the ICT supply chain, causing disruption to mission operations, harm to individuals, or theft of intellectual property. For example, without establishing executive oversight of SCRM activities, agencies are limited in their ability to make risk decisions across the organization about how to most effectively secure their ICT product and service supply chains. Moreover, GAO found that without reasonable visibility into and traceability of their supply chains, agencies lack the ability to understand and manage risk and to reduce the likelihood that adverse events will occur.
Officials from the 23 agencies cited various factors that limited their implementation of the foundational practices for managing supply chain risks. The most commonly cited factor was the lack of federal SCRM guidance. For example, several agencies reported that they were waiting for federal guidance to be issued from the Federal Acquisition Security Council—a cross-agency group responsible for providing direction and guidance to executive agencies to reduce their supply chain risks—before implementing one or more of the foundational practices. According to Office of Management and Budget (OMB) officials, the council expects to complete this effort by the end of December 2020.
While the additional direction and guidance from the council could further assist agencies with the implementation of these practices, GAO pointed out that federal agencies currently have guidance to assist with managing their ICT supply chain risks. Specifically, the National Institute of Standards and Technology (NIST) issued ICT SCRM-specific guidance in 2015 and OMB has required agencies to implement ICT SCRM since 2016.
In its sensitive report, released on December 15, GAO made a total of 145 recommendations to the 23 agencies to fully implement foundational practices in their organization-wide approaches to ICT SCRM. Of the 23 agencies, 17 agreed with all of the recommendations made to them; two agencies agreed with most, but not all of the recommendations; one agency disagreed with all of the recommendations; two agencies neither agreed nor disagreed with the recommendations, but stated they would address them; and one agency had no comments.