GAO: Pentagon hasn’t fully implemented key practices for managing ICT supply chain risks

Of the seven “foundational” practices for managing supply chain risks, the Pentagon has fully implemented four but only partially implemented three, the watchdog found.

By Jon Harper

May 18, 2023

Close-up of the Government Accountability Office (GAO) sign outside its main headquarters in Washington, DC. (Getty Images)

The Department of Defense isn’t where it needs to be in implementing “foundational” practices for managing risks related to its information and communications technology (ICT) supply chains, according to the Government Accountability Office.

Uncle Sam relies heavily on products and services such as computing systems, software and networks, to perform its missions, the GAO noted in a report published Thursday.

“Federal agencies have rapidly increased their reliance on commercially available products, contractor support for custom-built systems, and external service providers for a multitude of ICT solutions,” the watchdog wrote. “Many of the manufacturing inputs for these ICT products and services — whether physical materials or knowledge — originate from a variety of sources throughout the world. As a result, the federal government has also increased its reliance on complex, interconnected, and globally distributed supply chains that can include multiple tiers of outsourcing.”

Threats posed by foreign intelligence services or counterfeiters who could try to exploit vulnerabilities in the supply chain, are among the “numerous ICT risks that can compromise the confidentiality, integrity, or availability of an organization’s systems and the information they contain,” according to the GAO.

Of the seven “foundational” practices for managing supply chain risks that GAO focused on in its report, the Pentagon has fully implemented four but only partially implemented three, the watchdog found.

The partially implemented risks management practices include developing an agencywide ICT risk management strategy, establishing a process to conduct a risk management review of a potential supplier, and developing organizational procedures to detect counterfeit and compromised ICT products before they’re deployed.

The fully implanted risk management practices include establishing oversight of ICT risk management activities, establishing an approach to identify and document agency ICT supply chains, establishing a process to conduct agencywide assessments of ICT supply chain risks, and developing organizational ICT risk management requirements for suppliers.

“Regarding the three partially implemented practices, the department has begun several efforts that are not yet complete. For example, the department has developed a risk management strategy but has not approved guidance for implementing it. DOD has also piloted the use of several tools to review potential suppliers but the review of the results is ongoing. However, DOD did not specify time frames for when these actions would be completed. Fully implementing the three remaining practices would enhance the department’s understanding and management of supply chain risks,” the watchdog said in its assessment, which was mandated by Congress in the fiscal 2022 National Defense Authorization Act.

The GAO made three recommendations to the Pentagon: have its chief information officer commit to a time frame to fully implement an agencywide ICT supply chain risk management strategy; have the undersecretary of defense for acquisition and sustainment and the CIO commit to a time frame to fully implement a process to conduct risk management reviews of potential suppliers; and have the undersecretary for A&S and the CIO commit to a time frame to fully implement organizational counterfeit detection procedures for products prior to deployment.

The Defense Department concurred with all three recommendations, according to the GAO.

The Pentagon expects to finalize the draft of an enterprise ICT supply chain risk strategy in September, per the report.

“Regarding our second recommendation stating that the Undersecretary of Defense for Acquisition and Sustainment and DOD CIO commit to a time frame to fully implement a process to conduct ICT SCRM reviews of potential suppliers … the department identified several key policies it is in the process of updating to incorporate relevant policies and procedures, as appropriate,” the GAO wrote.

The department also told the watchdog that it expected to complete its pilot efforts to evaluate various ICT counterfeit detection tools and development of related policies and procedures in fiscal 2023, and to incorporate those policies and procedures into departmentwide policy by the end of March 2024.

“If implemented effectively, the actions DOD described in its comments would address our recommendations,” the GAO stated.

GAO: Pentagon hasn’t fully implemented key practices for managing ICT supply chain risks

More Like This

Navy to unveil new ‘structured piloting’ framework for IT modernization

Oracle cloud regions approved to handle secret-level data for Pentagon

Chandra Donelson to serve as acting Air Force chief data and AI officer

Top Stories

SDA eyes commercial capabilities, services for future ground segment operations

Anduril, General Atomics move into next phase of Air Force CCA drone program

No nominee to fill top Marine Corps information post after former pick assigned to different job

Army rethinks its approach to AI-enabled risks via Project Linchpin

Navy announces new top cyber adviser

Air Force issues call for cyber, electromagnetic, sensing capabilities to support ABMS

Latest Podcasts

How the Navy is reducing workforce friction to improve mission outcomes

How DARPA is looking to AI to fend off cyber vulnerabilities through a challenge program

How the DOD protects national security interests by monitoring climate change

Google’s Scott Frohman Talks AI Innovation at Google Cloud Next

Weapons

Cyber

IT

AI