GAO Wants Agencies to Improve Supply Chain Risk Management
GAO urged 23 federal agencies under the Chief Financial Officers Act “to designate responsibility for leading agency-wide” supply information and communications technology (ICT) supply chain risk management activities “and define SCRM roles and responsibilities for senior leaders who participate in…
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
supply chain activities.” Tuesday's report said no agency fully implemented “foundational practices for managing” telecom supply chain risks and 14 hadn’t implemented even one. “As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the ICT supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property,” GAO said. The auditor sought “agency-wide” telecom supply chain risk management “strategy that makes explicit the agency’s risk tolerance and identifies how the agency intends to assess, respond to, and monitor ICT supply chain risks across the life cycle.” The agencies should “develop organizational ICT” supply chain risk management “requirements for inclusion in contracts that are tailored to the type of contract and business needs” and “develop organizational procedures to detect counterfeit and compromised ICT products prior to their deployment,” GAO said. Seventeen agreed with all recommendations, while the other six agreed and disagreed to varying degrees. The Department of Homeland Security, one of the few covered agencies identified, agreed that agencies ‘face numerous ICT supply chain risks” and noted its Federal Acquisition Security Council’s collaboration with the ICT Supply Chain Risk Management Task Force.