IT Supply Chain:

National Security-Related Agencies Need to Better Address Risks

GAO-12-361: Published: Mar 23, 2012. Publicly Released: Mar 23, 2012.

Contact:

Gregory C. Wilshusen
(202) 512-3000
wilshuseng@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

Reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actors—such as foreign intelligence services or counterfeiters—who may exploit vulnerabilities in the supply chain and thus compromise the confidentiality, integrity, or availability of an end system and the information it contains. This in turn can adversely affect an agency’s ability to effectively carry out its mission. Each of the key threats could create an unacceptable risk to federal agencies.

Although four national security-related departments—the Departments of Energy, Homeland Security, Justice, and Defense—have acknowledged these threats, two of the departments—Energy and Homeland Security—have not yet defined supply chain protection measures for department information systems and are not in a position to have implementing procedures or monitoring capabilities to verify compliance with and effectiveness of any such measures. Justice has identified supply chain protection measures, but has not developed procedures for implementing or monitoring compliance with and effectiveness of these measures. Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks. In contrast, Defense has made greater progress through its incremental approach to supply chain risk management. The department has defined supply chain protection measures and procedures for implementing and monitoring these measures. The four national security-related departments also participate in governmentwide efforts to address supply chain security, including the development of technical and policy tools and collaboration with the intelligence community.

Officials at the four departments stated that their respective agencies have not determined or tracked the extent to which their telecommunications networks contain foreign-developed equipment, software, or services. Federal agencies are not required to track this information, and officials from four components of the U.S. national security community believe that doing so would provide minimal security value relative to cost.

Why GAO Did This Study

Federal agencies rely extensively on computerized information systems and electronic data to carry out their operations. The exploitation of information technology (IT) products and services through the global supply chain is an emerging threat that could degrade the confidentiality, integrity, and availability of critical and sensitive agency networks and data.

GAO was asked to identify (1) the key risks associated with the IT supply chains used by federal agencies; (2) the extent to which selected national security-related departments have addressed such risks; and (3) the extent to which those departments have determined that their telecommunication networks contain foreign-developed equipment, software, or services. To do this, GAO analyzed federal acquisition and information security laws, regulations, standards, and guidelines; examined departmental policies and procedures; and interviewed officials from four national security-related departments, the intelligence community, and nonfederal entities.

What GAO Recommends

GAO is recommending that the Departments of Energy, Homeland Security, and Justice take steps, as needed, to develop and document policies, procedures, and monitoring capabilities that address IT supply chain risk. These departments generally concurred with GAO’s recommendations.

For more information, contact Gregory C. Wilshusen at 202-512-6244 or wilshuseng@gao.gov.

Recommendations for Executive Action

  1. Status: Closed - Implemented

    Comments: In March 2013, the Department of Energy issued an update to their cyber security program policy that included a requirement to address supply chain risk as a part of risk management activities. The policy identifies specific risk-based items to consider when including supply chain into the risk management activities including, among other things, prioritizing essential components for critical systems and conducting an analysis of supplier assurance practices.

    Recommendation: To assist the Department of Energy in protecting against IT supply chain threats, the Secretary of Energy should direct the appropriate agency officials to develop and document departmental policy that defines which security measures should be employed to protect against supply chain threats.

    Agency Affected: Department of Energy

  2. Status: Open

    Comments: The Department of Energy has developed, documented, and disseminated some procedures related to the supply chain protection security measures found in policy. For example, documentation for the department's supply chain resource center identifies how the center will operate in areas such as coordinating with various stakeholders, developing awareness training, conducting open source assessments, and identifying best practices in information technology supply chain risk management to follow when developing procedures, among other things. A department official stated in June 2014 that the resource center has sample procedures that can be used by senior Department of Energy officials to guide their risk management activities that have not yet been developed. In August 2015, the official noted that review procedures are being refined, and noted that the supply chain risk management program target for full operational capability is fiscal year 2016.

    Recommendation: To assist the Department of Energy in protecting against IT supply chain threats, the Secretary of Energy should direct the appropriate agency officials to develop, document, and disseminate procedures to implement the supply chain protection security measures defined in departmental policy.

    Agency Affected: Department of Energy

  3. Status: Open

    Comments: Once we confirm that the Department of Energy has developed and implemented a monitoring capability to verify compliance with, and assess effectiveness of, supply chain protection measures defined in an updated departmental order, we will update this recommendation.

    Recommendation: To assist the Department of Energy in protecting against IT supply chain threats, the Secretary of Energy should direct the appropriate agency officials to develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures.

    Agency Affected: Department of Energy

  4. Status: Closed - Implemented

    Comments: In July 2012, the Department of Homeland Security issued an update to its information security program policy that included a requirement to address supply chain risks as part of its efforts related to the management and protection of sensitive systems. Specifically, the policy states that effective supply chain risk management requires analysis of the Business Impact Assessment (BIA) to determine whether the supply chain risks represent an unacceptable business impact and what the most cost-effective countermeasures are. Additionally, the policy includes a list of specific countermeasures that could be considered.

    Recommendation: To assist the Department of Homeland Security in protecting against IT supply chain threats, the Secretary of Homeland Security should direct the appropriate agency officials to develop and document departmental policy that defines which security measures should be employed to protect against supply chain threats.

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Comments: When we verify the Department of Homeland Security has taken actions to address this recommendation, we will provide a status update. As of 7/27/15 we are still waiting to hear on the status of this recommendation.

    Recommendation: To assist the Department of Homeland Security in protecting against IT supply chain threats, the Secretary of Homeland Security should direct the appropriate agency officials to develop, document, and disseminate procedures to implement the supply chain protection security measures defined in departmental policy.

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: When we verify the Department of Homeland Security has taken actions to address this recommendation, we will provide a status update. As of 7/27/15 we are still waiting to hear on the status of this recommendation.

    Recommendation: To assist the Department of Homeland Security in protecting against IT supply chain threats, the Secretary of Homeland Security should direct the appropriate agency officials to develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures.

    Agency Affected: Department of Homeland Security

  7. Status: Open

    Comments: When we verify the Department of Justice has taken actions to address this recommendation, we will provide a status update. DOJ provided an update on 8/10/15, but more information is needed to close out the recommendation.

    Recommendation: To assist the Department of Justice in protecting against IT supply chain threats, the Attorney General should direct the appropriate agency officials to develop, document, and disseminate procedures to implement the supply chain protection security measures defined in departmental policy.

    Agency Affected: Department of Justice

  8. Status: Open

    Comments: When we verify the Department of Justice has taken actions to address this recommendation, we will provide a status update. DOJ provided an update on 8/10/15, but more information is needed to close out the recommendation.

    Recommendation: To assist the Department of Justice in protecting against IT supply chain threats, the Attorney General should direct the appropriate agency officials to develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures.

    Agency Affected: Department of Justice
