October 21, 2021

Information Technology: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks

What GAO Found

Few of the 23 civilian Chief Financial Officers Act agencies had implemented seven selected foundational practices for managing information and communications technology (ICT) supply chain risks. Supply chain risk management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the global and distributed nature of ICT product and service supply chains. Many of the manufacturing inputs for these ICT products and services originate from a variety of sources throughout the world. (See figure 1.)

Figure 1: Examples of Locations of Manufacturers or Suppliers of Information and Communications Technology Products and Services

None of the 23 agencies fully implemented all of the SCRM practices and 14 of the 23 agencies had not implemented any of the practices. The practice with the highest rate of implementation was implemented by only six agencies. Conversely, none of the other practices were implemented by more than three agencies. Moreover, one practice had not been implemented by any of the agencies. (See figure 2.)

Figure 2: Extent to Which the 23 Civilian Chief Financial Officers Act Agencies Implemented Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Practices

As a result of these weaknesses, these agencies are at greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain and cause disruption to mission operations, harm to individuals, or theft of intellectual property. For example, without executive oversight of SCRM activities, agencies are limited in their ability to make organization-wide risk decisions about how to most effectively secure their ICT product and service supply chains. Moreover, without reasonable visibility into, and traceability of, their supply chains, agencies cannot understand and manage risk or reduce the likelihood that adverse events will occur.

Officials from the 23 agencies cited various factors that limited their implementation of the foundational practices for managing supply chain risks. The most commonly cited factor was the lack of federal SCRM guidance. For example, several agencies reported that they were waiting for federal guidance to be issued from the Federal Acquisition Security Council—a cross-agency group responsible for providing direction and guidance to executive agencies to reduce their supply chain risks—before implementing one or more of the foundational practices. According to Office of Management and Budget (OMB) officials, the council expects to complete this effort by December 2020.

While the additional direction and guidance from the council could further assist agencies with the implementation of these practices, federal agencies currently have guidance to assist with managing their ICT supply chain risks. Specifically, the National Institute of Standards and Technology (NIST) issued ICT SCRM-specific guidance in 2015 and OMB has required agencies to implement ICT SCRM since 2016. Until agencies implement all of the foundational ICT SCRM practices, they will be limited in their ability to address supply chain risks across their organizations effectively.

Why GAO Did This Study

Federal agencies rely extensively on ICT products and services (e.g., computing systems, software, and networks) to carry out their operations. However, agencies face numerous ICT supply chain risks, including threats posed by counterfeiters who may exploit vulnerabilities in the supply chain and, thus, compromise the confidentiality, integrity, or availability of an organization’s systems and the information they contain. For example, in September 2019, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency reported that federal agencies faced approximately 180 different ICT supply chain-related threats. To address threats such as these, agencies must make risk-based ICT supply chain decisions about how to secure their systems.

GAO was asked to conduct a review of federal agencies’ ICT SCRM practices. The specific objective was to determine the extent to which federal agencies have implemented foundational ICT SCRM practices. To do so, GAO identified seven practices from NIST guidance that are foundational for an organization-wide approach to ICT SCRM and compared them to policies, procedures, and other documentation from the 23 civilian Chief Financial Officers Act agencies.

This is a public version of a sensitive report that GAO issued in October 2020. Information that agencies deemed sensitive was omitted and GAO substituted numeric identifiers that were randomly assigned for the names of the agencies due to sensitivity concerns.

The foundational practices comprising ICT SCRM are:

establishing executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;

developing an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;

establishing an approach to identify and document agency ICT supply chain(s);

establishing a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;

establishing a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;

developing organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services; and

developing organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.

GAO also interviewed relevant agency officials.
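As an added illustration, not part of GAO's report or of any agency's procedures, the following Python sketch shows what two of the practices above look like when reduced to a concrete pre-deployment gate: the practice of identifying and documenting the agency's ICT supply chain (a small inventory that records each product's supplier and the upstream components it is built from) and the practice of detecting counterfeit or compromised products before deployment (a received artifact is checked against a digest pinned in that inventory and against the approved-supplier list, and its documented upstream chain is walked for unapproved or undocumented sources). Every supplier, product, country, digest and artifact in it is constructed for the example.

```python
"""Added example, not code from GAO or from any agency: a minimal
pre-deployment acceptance gate for an ICT artifact. All suppliers,
products, countries, digests and artifact bytes below are constructed."""
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    supplier: str
    country: str            # where the supplier builds or manufactures it
    upstream: tuple = ()    # names of components this one is built from


@dataclass
class Inventory:
    approved_suppliers: frozenset
    components: dict        # component name -> Component
    pinned_sha256: dict     # artifact name -> hex digest obtained out of band

    def supply_chain(self, name):
        """Depth-first walk of the documented upstream chain of `name`.
        Yields (component_name, Component or None, depth); None marks a
        dependency the inventory does not document (a documentation gap)."""
        seen = set()
        stack = [(name, 0)]
        while stack:
            n, depth = stack.pop()
            if n in seen:
                continue            # cycle or shared dependency: visit once
            seen.add(n)
            comp = self.components.get(n)
            yield n, comp, depth
            if comp is not None:
                stack.extend((u, depth + 1) for u in comp.upstream)


def accept_artifact(inv, name, data):
    """Decide whether artifact `data`, claimed to be product `name`, may be
    deployed. Returns (decision, findings); decision is "accept", "review"
    (deploy only after a human SCRM review) or "reject"."""
    findings = []
    comp = inv.components.get(name)
    if comp is None:
        return "reject", [("reject", f"{name!r} is not in the ICT inventory")]

    if comp.supplier not in inv.approved_suppliers:
        findings.append(("reject", f"supplier {comp.supplier!r} is not approved"))

    # Integrity check. The pinned digest must reach the agency through a
    # channel independent of the delivery (signed release notes, a vendor
    # portal over TLS, ...), never from inside the package being checked.
    pinned = inv.pinned_sha256.get(name)
    actual = hashlib.sha256(data).hexdigest()
    if pinned is None:
        findings.append(("reject", f"no pinned digest for {name!r}; cannot verify"))
    elif not hmac.compare_digest(pinned, actual):
        findings.append(("reject", f"sha256 mismatch: expected {pinned[:12]}.., got {actual[:12]}.."))

    # Provenance check over the documented upstream chain.
    for n, up, depth in inv.supply_chain(name):
        if depth == 0:
            continue
        if up is None:
            findings.append(("review", f"upstream {n!r} (depth {depth}) is not documented"))
        elif up.supplier not in inv.approved_suppliers:
            findings.append(("review", f"upstream {n!r} (depth {depth}) comes from unapproved supplier {up.supplier!r}"))

    if any(sev == "reject" for sev, _ in findings):
        return "reject", findings
    return ("review" if findings else "accept"), findings


# --- constructed sample data (hypothetical names) -------------------------
GOOD_ARTIFACT = b"ROUTER-FW 2.3.1 (constructed sample firmware image)\n"

INVENTORY = Inventory(
    approved_suppliers=frozenset({"AcmeNet", "ChipCo"}),
    components={
        "router-fw": Component("router-fw", "AcmeNet", "US", ("baseband-soc", "bootloader")),
        "baseband-soc": Component("baseband-soc", "ChipCo", "TW", ("dsp-core",)),
        # "dsp-core" is deliberately absent: an undocumented tier-2 part.
        "bootloader": Component("bootloader", "GreyMarketBoot", "unknown"),
    },
    # In practice this value is copied from the supplier's out-of-band release
    # notes; it is computed here only so that the sample is self-contained.
    pinned_sha256={"router-fw": hashlib.sha256(GOOD_ARTIFACT).hexdigest()},
)

if __name__ == "__main__":
    for label, blob in (("as shipped", GOOD_ARTIFACT), ("tampered", GOOD_ARTIFACT + b"\x00")):
        decision, findings = accept_artifact(INVENTORY, "router-fw", blob)
        print(f"{label}: {decision}")
        for sev, msg in findings:
            print(f"  [{sev}] {msg}")
```

Run as a script, the untampered image comes back as "review" (its digest matches, but one upstream part comes from an unapproved supplier and another is undocumented), while the tampered image is rejected outright on the digest mismatch. The split between "reject" and "review" is the design point: integrity failures are decided by the gate, provenance gaps are surfaced to the agency's SCRM function rather than silently accepted or silently blocked.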

What GAO Recommends

In the sensitive report, GAO made a total of 145 recommendations to the 23 agencies to fully implement foundational practices in their organization-wide approaches to ICT SCRM. Of the 23 agencies, 17 agreed with all of the recommendations made to them; two agencies agreed with most, but not all of the recommendations; one agency disagreed with all of the recommendations; two agencies neither agreed nor disagreed with the recommendations, but stated they would address them; and one agency had no comments. GAO continues to believe that all of the recommendations are warranted, as discussed in the sensitive report.

For more information, contact Carol C. Harris at (202) 512-4456 or harrisCC@gao.gov.

Network News © 2005 Area.Control.Network™ All rights reserved.