“Reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actors such as foreign intelligence services or counterfeiters who may exploit vulnerabilities in the supply chain and thus compromise the confidentiality, integrity, or availability of an end system and the information it contains”, the GAO report warned.
Threats to the IT supply chain identified by the GAO include: installation of counterfeit hardware or software or malicious logic on hardware or software, failure or disruption in the production or distribution of a critical product and service, reliance on a malicious or unqualified service provider for the performance of technical services, and installation of unintentional vulnerabilities on hardware and software.
The GAO audit found that the Department of Energy, which oversees the US nuclear stockpile as well as the nuclear energy industry, and the Department of Homeland Security have not defined supply chain protection measures for their IT systems and are not in a position to implement procedures or monitoring capabilities to verify compliance. The Justice Department has at least defined protection measures but has not developed procedures to implement those measures. The good news is the Department of Defense has made “great progress” in protecting its global IT supply chain.
“Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks”, the report warned.
At the same time, none of the four departments have determined to what extent their telecommunications networks might be at risk from insecure equipment, software, or services, the GAO said.