What GAO found
Federal agencies continue to face software supply chain threats. In December 2020, the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring agencies to take action in response to a threat actor that had been observed exploiting a supply chain compromise of software from a widely used enterprise network management package: SolarWinds Orion. Subsequently, National Security Council staff formed a cyber coordination group to coordinate the government's response to the cyberattack. The group took several steps, including gathering information and developing tools and guidance, to help organizations identify and remove the threat.
During the same month that the SolarWinds compromise was discovered, GAO reported that none of the 23 civilian agencies had fully implemented selected foundational practices for managing information and communication technology (ICT) supply chain risks, known as supply chain risk management (SCRM) (see figure).
Figure: Twenty-three civilian agencies' implementation of selected information and communication technology (ICT) supply chain risk management (SCRM) practices
GAO stressed that, as a result of not implementing these foundational practices, agencies were at greater risk that malicious actors could exploit ICT supply chain vulnerabilities, causing disruption to mission operations, harm to individuals, or theft of intellectual property. Accordingly, GAO recommended that each of the 23 agencies fully implement the practices. In May 2021, GAO received updates from six of the 23 agencies on actions taken or planned to address the recommendations. However, none of the agencies had yet fully implemented them. Until they do, agencies will have limited assurance that they are effectively addressing supply chain risks to their organizations.
Why GAO did this study
Federal agencies rely heavily on ICT products and services (e.g., computer systems, software, and networking) to conduct their operations. However, agencies face numerous ICT supply chain risks, including threats posed by malicious actors that can exploit supply chain vulnerabilities and thereby compromise the confidentiality, integrity, or availability of an organization's systems and the information they contain. Recent events, including the compromise of the SolarWinds Orion software supply chain (a network management software package) and the shutdown of a major U.S. fuel pipeline following a cyberattack, highlight the significance of these threats.
GAO was asked to testify about federal agencies' efforts to manage ICT supply chain risks. Specifically, GAO (1) describes the federal government's actions in response to the SolarWinds compromise and (2) summarizes its previous report on the extent to which federal agencies had implemented foundational ICT supply chain risk management practices. To do so, GAO reviewed its previously published reports and related information. GAO has work in progress examining federal agencies' responses to SolarWinds and plans to issue a report on this in the fall of 2021.