IT and communications technologies use parts and services from around the globe. Emerging threats in the supply chain for these technologies can put federal agencies—including the Department of Defense (DOD)—at risk. For example, communications hardware with compromised components could lead to the loss of sensitive data.
A new report from the Government Accountability Office (GAO) says DOD has fully implemented four and partially implemented three of seven selected foundational practices for managing information and communications technology (ICT) supply chain risks. These risks include threats posed by counterfeiters who may exploit vulnerabilities in the supply chain. Supply chain risk management is the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains.
By fully implementing four of the foundational practices, GAO says DOD has taken steps to mitigate potential threats and secure its ICT supply chain. Regarding the three partially implemented practices, the department has begun several efforts that are not yet complete. For example, the department has developed a risk management strategy but has not approved guidance for implementing it. DOD has also piloted the use of several tools to review potential suppliers, but the review of the results is ongoing. However, DOD did not specify time frames for when these actions would be completed. Fully implementing the three remaining practices would enhance the department’s understanding and management of supply chain risks.
GAO’s review found that DOD provided leadership and support for several government-wide efforts to protect the ICT supply chain. For example, the department offered a course and assisted small businesses in protecting their supply chains. Additionally, the department developed an action plan to facilitate cyber threat sharing and briefed a federal acquisition community of practice on performing cyber test and evaluations. DOD also shared ICT supply chain responsibilities as a member of the Federal Acquisition Security Council. Further, the council has the authority to issue exclusion orders to prevent purchasing from suppliers that may be compromised.
GAO is making three recommendations to DOD to commit to time frames for fully implementing the remaining foundational practices in its ICT supply chain risk management efforts. DOD concurred with the recommendations. DOD expects to finalize the draft of its enterprise-wide ICT supply chain risk management strategy in September 2023.