GAO Urges DOD to Fully Implement ICT Supply Chain Risk Management Practices
A Government Accountability Office report revealed that the Department of Defense has only partially implemented three of seven foundational practices for managing information and communication technology supply chain risks.
The three partially implemented practices, GAO said, are developing an agency-wide ICT risk management strategy, executing a process for conducting a risk management review of a potential supplier, and establishing organizational procedures to detect counterfeit and compromised ICT products before they are deployed.
According to the watchdog, counterfeiters may exploit vulnerabilities in the supply chain to obtain sensitive information, taking advantage of the federal agencies’ increased reliance on ICT products and services, including computing systems, software and networks.
GAO recommended having the DOD’s chief information officer commit to a time frame to fully implement an agency-wide ICT supply chain risk management strategy, among other actions. The watchdog noted that the department has already created a risk management strategy but has yet to approve guidance for its execution.
GAO said fully implementing the three practices will enhance the DOD’s understanding and management of supply chain risks. The Defense Department, meanwhile, has complied with the four other recommended ICT supply chain risk management practices, including establishing oversight of ICT risk management activities and developing organizational ICT risk management requirements for suppliers.