GAO: Pentagon hasn’t fully implemented key practices for managing ICT supply chain risks
The Department of Defense isn’t where it needs to be in implementing “foundational” practices for managing risks related to its information and communications technology (ICT) supply chains, according to the Government Accountability Office.
Uncle Sam relies heavily on products and services such as computing systems, software and networks to perform its missions, the GAO noted in a report published Thursday.
“Federal agencies have rapidly increased their reliance on commercially available products, contractor support for custom-built systems, and external service providers for a multitude of ICT solutions,” the watchdog wrote. “Many of the manufacturing inputs for these ICT products and services — whether physical materials or knowledge — originate from a variety of sources throughout the world. As a result, the federal government has also increased its reliance on complex, interconnected, and globally distributed supply chains that can include multiple tiers of outsourcing.”
Threats posed by foreign intelligence services or counterfeiters who could try to exploit vulnerabilities in the supply chain are among the “numerous ICT risks that can compromise the confidentiality, integrity, or availability of an organization’s systems and the information they contain,” according to the GAO.
Of the seven “foundational” practices for managing supply chain risks that GAO focused on in its report, the Pentagon has fully implemented four but only partially implemented three, the watchdog found.
The partially implemented risk management practices include developing an agencywide ICT risk management strategy, establishing a process to conduct a risk management review of a potential supplier, and developing organizational procedures to detect counterfeit and compromised ICT products before they’re deployed.
The fully implemented risk management practices include establishing oversight of ICT risk management activities, establishing an approach to identify and document agency ICT supply chains, establishing a process to conduct agencywide assessments of ICT supply chain risks, and developing organizational ICT risk management requirements for suppliers.
“Regarding the three partially implemented practices, the department has begun several efforts that are not yet complete. For example, the department has developed a risk management strategy but has not approved guidance for implementing it. DOD has also piloted the use of several tools to review potential suppliers but the review of the results is ongoing. However, DOD did not specify time frames for when these actions would be completed. Fully implementing the three remaining practices would enhance the department’s understanding and management of supply chain risks,” the watchdog said in its assessment, which was mandated by Congress in the fiscal 2022 National Defense Authorization Act.
The GAO made three recommendations to the Pentagon: have its chief information officer commit to a time frame to fully implement an agencywide ICT supply chain risk management strategy; have the undersecretary of defense for acquisition and sustainment and the CIO commit to a time frame to fully implement a process to conduct risk management reviews of potential suppliers; and have the undersecretary for A&S and the CIO commit to a time frame to fully implement organizational counterfeit detection procedures for products prior to deployment.
The Defense Department concurred with all three recommendations, according to the GAO.
The Pentagon expects to finalize the draft of an enterprise ICT supply chain risk strategy in September, per the report.
“Regarding our second recommendation stating that the Undersecretary of Defense for Acquisition and Sustainment and DOD CIO commit to a time frame to fully implement a process to conduct ICT SCRM reviews of potential suppliers … the department identified several key policies it is in the process of updating to incorporate relevant policies and procedures, as appropriate,” the GAO wrote.
The department also told the watchdog that it expected to complete its pilot efforts to evaluate various ICT counterfeit detection tools and development of related policies and procedures in fiscal 2023, and to incorporate those policies and procedures into departmentwide policy by the end of March 2024.
“If implemented effectively, the actions DOD described in its comments would address our recommendations,” the GAO stated.