National Security-Related Agencies Need to Better Address Risks
March 23, 2012
What GAO Found
Reliance on a global supply chain introduces multiple risks to federal information systems. These risks include threats posed by actors—such as foreign intelligence services or counterfeiters—who may exploit vulnerabilities in the supply chain and thus compromise the confidentiality, integrity, or availability of an end system and the information it contains. This in turn can adversely affect an agency’s ability to effectively carry out its mission. Each of the key threats could create an unacceptable risk to federal agencies.
Although four national security-related departments—the Departments of Energy, Homeland Security, Justice, and Defense—have acknowledged these threats, two of the departments—Energy and Homeland Security—have not yet defined supply chain protection measures for department information systems and are not in a position to have implementing procedures or monitoring capabilities to verify compliance with and effectiveness of any such measures. Justice has identified supply chain protection measures, but has not developed procedures for implementing or monitoring compliance with and effectiveness of these measures. Until comprehensive policies, procedures, and monitoring capabilities are developed, documented, and implemented, it is more likely that these national security-related departments will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks.