The Department of Energy (DOE), Department of Justice (DOJ), and the Department of Homeland Security (DHS) need to tighten procedures and controls when it comes to mitigating IT supply chain issues, a recently published GAO report says. The Department of Defense was the only agency to make any progress on the issue.
According to the report, the GAO says that while the four agencies have acknowledged the threats that could exist in the supply chain, the DOE and DHS have no protection measures in place. The Department of Justice has protection measures, but no monitoring, leaving the Defense Department as the only agency with a positive report.
The GAO says that threats to the government’s IT supply chain include malicious logic on hardware or software; the installation of counterfeit hardware or software; failure or disruption in the production or distribution of a critical product or service; reliance upon a malicious or unqualified service-provider for the performance of technical services; and the installation of unintentional vulnerabilities on hardware or software.
Gregory Wilshusen, the GAO's director of information security issues, told lawmakers this week that with purchases being made from all over the world, the agencies need to check them for vulnerabilities that could slip in at any point between the manufacturing and shipping process. “The global IT supply chain introduces risks that, if realized, could jeopardize the confidentiality, integrity and availability of federal information systems," he added.
According to a report prepared by Northrop Grumman for the U.S.-China Economic and Security Review Commission and released in early March, U.S. Critical Infrastructure and supply chains are vulnerable. “Successful penetration of a supply chain such as that for telecommunications industry has the potential to cause the catastrophic failure of systems and networks supporting critical infrastructure for national security or public safety,” the report notes.
Video from the hearing, held by the U.S. House of Representatives Energy and Commerce Committee's oversight subcommittee, is available online here.
The GAO’s report is here.
Related Reading: The Need to Secure the Cyber Supply Chain