A new report from the Government Accountability Office (GAO) finds that most large agencies had not implemented any supply chain risk management practices from the National Institute of Standards and Technology (NIST) – publicly acknowledging weaknesses on the heels of the attack on SolarWinds’ software that led to breaches at multiple Federal agencies.
The report, released publicly today, compares agency policies against seven “foundational practices” for supply chain risk management (SCRM) drawn from several NIST guidance documents, and finds that most CFO Act agencies aren’t taking them into account. The identified practices include executive oversight of SCRM activities, an agency-wide strategy, organizational requirements for the supply chain, and procedures to detect compromised products prior to deployment.
“None of the 23 agencies fully implemented all of the SCRM practices and 14 of the 23 agencies had not implemented any of the practices. The practice with the highest rate of implementation was implemented by only six agencies. Conversely, none of the other practices were implemented by more than three agencies,” GAO found.
The main roadblock agencies cited to GAO is the wait for Federal SCRM guidance, particularly from the Federal Acquisition Security Council. GAO noted that while this additional guidance could help, agencies are still supposed to implement NIST guidance, which would put foundational practices for supply chain security in place. Agencies also noted the roadblocks of federated organizational structures and a lack of resources.
While the public version of the report was released today, a sensitive version was released in October, prior to the recent breach of Federal agencies through SolarWinds’ software. The sensitive version made 145 recommendations in total, addressing the deficiencies at each CFO Act agency. Most agencies concurred with the report, with one agency disagreeing with all recommendations and several offering neither concurrence nor dissent. Given the timing of the report’s public release, it is likely to draw more attention to the work needed to secure the supply chain from attackers.
“Successful attacks by threat actors can have a range of impacts that, if realized, could jeopardize the confidentiality, integrity, and availability of federal information systems. Thus, the potential exists for serious adverse impact on an agency’s operations, assets, and employees,” the report concludes.