IT Supply Chain: National Security-Related Agencies Need to Better Address Risks
Highlights
What GAO Found
Reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actors, such as foreign intelligence services or counterfeiters, who may exploit vulnerabilities in the supply chain and thus compromise the confidentiality, integrity, or availability of an end system and the information it contains. This in turn can adversely affect an agency's ability to effectively carry out its mission. Each of the key threats could create an unacceptable risk to federal agencies.
Although four national security-related departments (the Departments of Energy, Homeland Security, Justice, and Defense) have acknowledged these threats, two of the departments, Energy and Homeland Security, have not yet defined supply chain protection measures for department information systems and are not in a position to have implementing procedures or monitoring capabilities to verify compliance with and effectiveness of any such measures. Justice has identified supply chain protection measures, but has not developed procedures for implementing or monitoring compliance with and effectiveness of these measures. Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks. In contrast, Defense has made greater progress through its incremental approach to supply chain risk management. The department has defined supply chain protection measures and procedures for implementing and monitoring these measures. The four national security-related departments also participate in governmentwide efforts to address supply chain security, including the development of technical and policy tools and collaboration with the intelligence community.
Officials at the four departments stated that their respective agencies have not determined or tracked the extent to which their telecommunications networks contain foreign-developed equipment, software, or services. Federal agencies are not required to track this information, and officials from four components of the U.S. national security community believe that doing so would provide minimal security value relative to cost.
Why GAO Did This Study
Federal agencies rely extensively on computerized information systems and electronic data to carry out their operations. The exploitation of information technology (IT) products and services through the global supply chain is an emerging threat that could degrade the confidentiality, integrity, and availability of critical and sensitive agency networks and data.
GAO was asked to identify (1) the key risks associated with the IT supply chains used by federal agencies; (2) the extent to which selected national security-related departments have addressed such risks; and (3) the extent to which those departments have determined that their telecommunication networks contain foreign-developed equipment, software, or services. To do this, GAO analyzed federal acquisition and information security laws, regulations, standards, and guidelines; examined departmental policies and procedures; and interviewed officials from four national security-related departments, the intelligence community, and nonfederal entities.
Recommendations
GAO is recommending that the Departments of Energy, Homeland Security, and Justice take steps, as needed, to develop and document policies, procedures, and monitoring capabilities that address IT supply chain risk. These departments generally concurred with GAO's recommendations.
For more information, contact Gregory C. Wilshusen at 202-512-6244 or wilshuseng@gao.gov.
Recommendations for Executive Action
Agency Affected | Recommendation | Status |
---|---|---|
Department of Energy | To assist the Department of Energy in protecting against IT supply chain threats, the Secretary of Energy should direct the appropriate agency officials to develop and document departmental policy that defines which security measures should be employed to protect against supply chain threats. | In March 2013, the Department of Energy issued an update to its cyber security program policy that included a requirement to address supply chain risk as a part of risk management activities. The policy identifies specific risk-based items to consider when including supply chain in risk management activities, including, among other things, prioritizing essential components for critical systems and conducting an analysis of supplier assurance practices. |
Department of Energy | To assist the Department of Energy in protecting against IT supply chain threats, the Secretary of Energy should direct the appropriate agency officials to develop, document, and disseminate procedures to implement the supply chain protection security measures defined in departmental policy. | To implement its supply chain protection policy (DOE Order 205.1B Chng3), DOE developed the Energy Information Technology Services (EITS) Supply Chain Risk Management (SCRM) Plan, which outlines processes and procedures to be implemented across the EITS organization to reduce vulnerabilities in the supply chain process by conducting thorough analysis, identifying weaknesses, and implementing mitigation strategies. It includes, among other things, a checklist to assist system owners and ISSOs in determining whether their systems are required to undergo the SCRM processes and security control procurement requirements. The plan was signed in May 2015, went into effect in August 2015, and is to be fully implemented in August 2016. According to the plan, it is maintained and available on the Information Assurance Office's Sharepoint. |
Department of Energy | To assist the Department of Energy in protecting against IT supply chain threats, the Secretary of Energy should direct the appropriate agency officials to develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures. | To implement its supply chain protection policy (DOE Order 205.1B Chng3), DOE developed the Energy Information Technology Services (EITS) Supply Chain Risk Management (SCRM) Plan, which outlines processes and procedures to be implemented across the EITS organization to reduce vulnerabilities in the supply chain process by conducting thorough analysis, identifying weaknesses, and implementing mitigation strategies. To monitor compliance with the SCRM Plan, DOE produces a monthly status report that contains a summary of SCRM-related accomplishments for that month, planned activities for the next 30 days, milestones for the current fiscal year, deliverables for the current and next fiscal year, and SCRM-related program risks and issues. Additionally, the monthly report has metrics on the SCRM assessments conducted, including the distribution across DOE entities as well as the percentage of assessments with risk by risk type (i.e., legal, cybersecurity, physical, etc.). Further, in accordance with the SCRM plan, DOE has established and maintains a Sharepoint repository so that the Office of the Chief Information Officer and the Chief Information Security Officers can review assessments. |
Department of Homeland Security | To assist the Department of Homeland Security in protecting against IT supply chain threats, the Secretary of Homeland Security should direct the appropriate agency officials to develop and document departmental policy that defines which security measures should be employed to protect against supply chain threats. | In July 2012, the Department of Homeland Security issued an update to its information security program policy that included a requirement to address supply chain risks as a part of its efforts related to the management and protection of sensitive systems. Specifically, the policy states that effective supply chain risk management requires analysis of the Business Impact Assessment (BIA) to determine whether the supply chain risks represent an unacceptable business impact and what the most cost-effective countermeasures are. Additionally, the policy includes a list of specific countermeasures that could be considered. |
Department of Homeland Security | To assist the Department of Homeland Security in protecting against IT supply chain threats, the Secretary of Homeland Security should direct the appropriate agency officials to develop, document, and disseminate procedures to implement the supply chain protection security measures defined in departmental policy. | In November 2015, DHS updated its information security policy to include departmental-level procedures for developing and documenting Supply Chain Risk Management (SCRM) Plans. The revised guidance is available on the CISO's inter-agency website for DHS components to access. Additionally, SCRM requirements are required to be included in DHS contracts for all hardware and software to ensure the confidentiality, integrity, and availability of government information. The specific language to be included in the relevant contracts is contained in the Information Technology Acquisition Regulation (ITAR) Unclassified Requests and the ITAR Classified Requests documents, which are also posted on the CISO's inter-agency website. |
Department of Homeland Security | To assist the Department of Homeland Security in protecting against IT supply chain threats, the Secretary of Homeland Security should direct the appropriate agency officials to develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures. | To monitor the implementation of its supply chain protection policy, DHS updated its Sensitive Systems Handbook (4300A) in November 2015 to include the agency's approach to monitoring supply chain risk management (SCRM) activities. Specifically, the policy describes a three-tiered governance structure that requires DHS components to develop a specific SCRM plan articulating the countermeasures best suited to that component's mission. Also, each component is to monitor any subordinate program's or system's execution of the plan. The development of monitoring-related policy fulfills part of the recommendation; however, DHS could not provide specific evidence of components implementing the policy as described in 4300A. Without evidence of DHS monitoring compliance with its supply chain program, we are unable to close this recommendation as implemented. |
Department of Justice | To assist the Department of Justice in protecting against IT supply chain threats, the Attorney General should direct the appropriate agency officials to develop, document, and disseminate procedures to implement the supply chain protection security measures defined in departmental policy. | In April 2014, the Department of Justice issued Procurement Guidance Document 14-03, which includes procedures for the acquisition of high- and moderate-impact information technology systems per NIST's FIPS 199 designations. For those systems, the guidance document provides procedures for implementing supply chain security measures. Among other things, it requires agency officials to complete a risk questionnaire and identify known cyber espionage or sabotage vulnerabilities presented by the procurement. |
Department of Justice | To assist the Department of Justice in protecting against IT supply chain threats, the Attorney General should direct the appropriate agency officials to develop and implement a monitoring capability to verify compliance with, and assess the effectiveness of, supply chain protection measures. | In April 2014, the Department of Justice issued Procurement Guidance Document 14-03, which includes procedures for the acquisition of high- and moderate-impact information technology systems, including assessments of supply chain security risks of vendor products. DOJ established a capability to monitor compliance with the policy by tracking performance of these assessments. As of August 2016, DOJ indicated that assessments of at least 88 vendor products had been performed. |