Vulnerabilities created by the use of unauthorized distributors’ products or parts, “inadequate testing of software updates and patches” and incomplete information on suppliers within an information technology supply chain could create many risks for federal agencies, according to a July 12 report from the Government Accountability Office.
These vulnerabilities could expose agencies to a range of threats, in the worst case “allowing adversaries to take control of systems.”
The report specifically notes the risk of installing malware and counterfeit hardware or software, as well as “failure or disruption in the production or distribution of critical products.” It also warns that risk can be introduced without any malicious intent, “through installation of hardware or software containing unintentional vulnerabilities, such as defective code.”
The “supply chain” is defined by the GAO as “the set of organizations, people, activities, and resources that create and move a product from suppliers to end users.” Within IT that chain is described as “complex and global in scope,” which is part of the reason for these vulnerabilities.
Four years ago, the GAO made eight recommendations to the departments of Justice, Energy, and Homeland Security, with which the departments “generally concurred.” Seven of the eight have been fully implemented; the exception is the recommendation that DHS “develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protections.”
As of 2016, DHS had created a policy to fit that recommendation but could “not provide evidence that its components had actually implemented the policy.”