GAO slams federal agencies for IT supply chain risk
Federal agencies don't understand where their technology comes from


Just days after the US government learned of a widespread hack via a third-party provider's software, the US Government Accountability Office (GAO) has issued a report criticizing 23 civilian agencies for poor risk management in their information and communications technology (ICT) supply chains.
The GAO report, “Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks,” examined how federal government agencies managed risks from third-party hardware, software, and services. It examined multiple organizations, including the Departments of Agriculture, Commerce, Education, and Energy. The Office of Personnel Management, which suffered a massive data breach in 2015, was also in the review.
"Over several years, we have reported that the growing dependence on a globally distributed supply chain — and the lack of control over and visibility into how ICT products and services are developed, integrated, and deployed — presents an increasing amount of risk to federal agencies," the report warned.
It identified ICT supply chain risks, including the introduction of counterfeit products and the compromise of legitimate ones before delivery.
"Threat actors attack all tiers of the supply chain and at each phase of the system development life cycle and, thus, pose significant risk to federal agencies," it continued.
Auditors examined how agencies implemented seven foundational supply chain risk management (SCRM) practices, including executive oversight, creating an agency-wide strategy, and creating SCRM requirements for suppliers.
"None of the 23 agencies fully implemented all of the SCRM practices and 14 of the 23 agencies had not implemented any of the practices," it warned, highlighting the security risks involved.
Not a single agency had established a process to conduct agency-wide ICT supply chain risk assessments, and 19 of them had no method to document their ICT supply chains.
Agencies complained they had no federal guidance on SCRM, the report noted. A federal organization dedicated to managing supply chain risk, the Federal Acquisition Security Council, was scheduled to issue guidance this month.
However, the report noted that the National Institute of Standards and Technology (NIST) had already issued SCRM guidance in 2015 and had updated its cyber security framework to cover supply chain risk in April 2018. The Office of Management and Budget (OMB) has required agencies to address SCRM since 2016.
The GAO made 145 recommendations to the agencies, including making someone responsible for leading agency-wide SCRM activities and creating a strategy to secure ICT supply chains. Seventeen agencies agreed with all the recommendations, but one unidentified organization agreed with none.
Already released privately in October, the report's public release came in the wake of a widespread government hack. Attackers compromised several government departments via the SolarWinds IT monitoring system in a hack so serious the FBI, CISA, and the ODNI coordinated a government-wide response.
Some of the government departments compromised in the attack, including the Department of the Treasury, Department of Commerce, and Homeland Security, were among those covered in the GAO report.
Danny Bradbury has been a print journalist specialising in technology since 1989 and a freelance writer since 1994. He has written for national publications on both sides of the Atlantic and has won awards for his investigative cybersecurity journalism work and his arts and culture writing.
Danny writes about many different technology issues for audiences ranging from consumers through to software developers and CIOs. He also ghostwrites articles for many C-suite business executives in the technology sector and has worked as a presenter for multiple webinars and podcasts.