GAO calls out US government agencies: Get your supply chain security act together

In December 2020, the US Government Accounting Office (GAO) made 145 recommendations to 23 federal agencies relating to supply chain risks. In May 2021, the GAO’s director of information technology and cybersecurity, Vijay A. D’Souza, testified before Congress on supply chain risks. His testimony was not pretty and highlighted that “none of the 23 reviewed agencies had fully adopted identified practices to reduce supply chain risks.”

In a nutshell, GAO had identified the existence of the threat to supply chains early on, issued recommendations, and when they came back to check on progress, they found holes in the risk mitigation, many of which had previously been identified. December 2020 was also the month when the SolarWinds compromise was publicly revealed.

GAO on supply chain risk 2012

Let’s step back in time a few years to March 2012, when GAO published its report on National Security Related Agencies Need to Better Address Risks. The report noted, “respective agencies have not determined, and do not currently track the extent to which their telecommunications networks contain foreign-developed equipment, software or services.”

The agencies to which recommendations were made included the Department of Energy (DOE), Department of Homeland Security (DHS) and the Department of Justice (DOJ). The recommendations in the report focused on IT supply chains, according to the GAO, and by April 2014 all these recommendations were implemented:

• DOE/DHS: “Develop and document departmental policy that defines which security measures should be employed to protect against supply chain threats.”
• DOE/DHS/DOJ: “Develop, document, and disseminate procedures to implement the supply chain protection security measures defined in departmental policy.”
• DOE/DHS/DOJ: “Develop and implement a monitoring capability to verify compliance with and assess the effectiveness of supply chain protection measures.”

While the Department of Defense (DOD) was part of the study, it was found to have begun its efforts to mitigate risks to supply chains in 2003 and at the time of the study had “issued and monitors compliance with supply chain measures and implementation procedures.” Subsequently, in 2018, GAO documented how the DHS had fallen short on its efforts in developing or monitoring the identified supply chain risk management (SCRM) measures

GAO on supply chain risk 2018

In July 2018, the GAO revisited supply chain risk and conducted a study about which it testified before Congress on “Supply Chain Risks Affecting Federal Agencies.” In the report, DHS was called out for its miss on the monitoring and implementing side of the supply chain security equation. The 2018 report identified risks similar to those in the 2012 report, yet with more specificity:

• Installation of intentionally harmful hardware or software (i.e., containing “malicious logic”)
• Installation of counterfeit hardware or software
• Failure or disruption in the production or distribution of critical products
• Reliance on malicious or unqualified service providers for the performance of technical services
• Installation of hardware or software containing unintentional vulnerabilities, such as defective code.

GAO noted, “Malicious actors could exploit these vulnerabilities, leading to the loss of the confidentiality, integrity, or availability of federal systems and the information they contain.”

GAO on government supply chain risk December 2020

D’Souza’s testimony of May 25, 2021, highlighted the CISA emergency directive issued with respect to the SolarWinds attack and lamented how that same month 23 civilian agencies had not fully implemented previously provided recommendations, which were:

• Establish executive oversight of information and communications technology (ICT) and SCRM activities (three fully implemented, two partially implemented and 18 no implementation).
• Develop an agency-wide ICT SCRM strategy (one implemented, four partially implemented, and 18 no implementation).
• Establish an approach to identify and document ICT supply chains (three implemented, one partially implemented, and 19 not implemented).
• Establish a process to conduct agency-wide assessments of ICT supply chain risk (23 not implemented).
• Develop organizational ICT SCRM requirements of a potential supplier (two partially implemented, 21 no implementation).
• Develop organizational procedures to detect counterfeit and compromised ICT products prior to deployment (three implemented, 20 no implementation).

D’Souza noted how he had requested an update in mid-May 2021 from all 23 agencies, and only six responded.  

In his testimony, which took place post-Colonial Pipeline ransomware attack, D’Souza said the GAO had displayed a bit of prescience in June 2019. The GAO issued an alert to those companies whose pipelines distributed natural gas, oil, and other hazardous liquids and relied heavily on computer network systems. It called out the 2018 warning given to the Transportation Security Administration (TSA) on its shortcomings in its management of pipeline security efforts. Then in May Colonial Pipeline became the SCRM shortcoming poster-child.

The clear message from D’Souza: Threats to supply chains did not just sneak up on enterprises or government. It’s been a recognized threat for years, yet government agencies opted to invest their efforts elsewhere. The 2017 report, which he referenced in his testimony, notes the number one reason for lack of implementation: “lack of federal SCRM guidance.” This seems to ignore the 2015 National Institute of Standards and Technology (NIST) issuance of ICT-SCRM guidance and the subsequent directive from the Office of Management and Budget (OMB) to implement and the Federal Acquisition Supply Chain Security Act of 2018 guidance.

Time and again, the agencies noted they “have plans to do so,” “have limited insight into subordinate suppliers,” “data on suppliers would quickly become outdated,” “plan to implement (no timeframe provided),” and “had language for specific procurements, but it wasn’t standardized.”

In other words, the priority to drive implementation was absent, and the SCRM implementation plan being followed was the “roundtuit”—they would get around to it. Given the events of 2021 with respect to supply chains affecting the US infrastructure and economy, perhaps SCRM will become a priority within both public and private entities.