The exploitation of ICT products and services through the supply chain is an emerging threat. ICT supply chain-related threats can be introduced in the manufacturing, assembly, and distribution of hardware, software, and services. Moreover, these threats can appear at each phase of the system development life cycle, when an agency initiates, develops, implements, maintains, and disposes of an information system. As a result, the compromise of an agency’s ICT supply chain can degrade the confidentiality, integrity, and availability of its critical and sensitive networks, IT-enabled equipment, and data.
Over the past several years, Congress and federal agencies have taken a number of steps aimed at mitigating ICT supply chain risks. Despite these measures, we have previously reported that federal agencies have not effectively managed supply chain risks.
Few Federal Agencies Implemented Foundational Practices for Managing ICT Supply Chain Risks
The recent compromise of SolarWinds highlights the significance of threats to the ICT supply chain. In December 2020, we reported on the 23 civilian agencies’ implementation of foundational practices for managing ICT supply chain risks. In that report, we identified and selected the seven practices from NIST’s guidance that are considered foundational for an organization-wide approach to ICT SCRM. These selected foundational practices are:
However, as we discussed in our report, none of the 23 agencies had fully implemented all of the supply chain risk management practices. Further, 14 of the 23 agencies had not implemented any of the practices. Figure 1 summarizes the extent of the agencies’ implementation of the practices.
As a result of not fully implementing these selected foundational practices, the agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain, causing disruptions to mission operations, harm to individuals, or theft of intellectual property. For example, without establishing executive oversight of SCRM activities, agencies are limited in their ability to make risk decisions across the organization about how to most effectively secure their ICT product and service supply chains. Moreover, without reasonable visibility and traceability into their supply chains, agencies lack the ability to understand and manage risk and to reduce the likelihood that adverse events will occur.
Officials from the 23 agencies cited various factors that had limited their implementation of the selected foundational practices for managing supply chain risks. The most commonly cited factor was the lack of federal SCRM guidance.
Want to read more? Check out the June 2021: SHIELDWatch Newsletter